Identity Providers
An Identity Provider signs human users in to your API Portal. You connect it once in Apiable under Integrations → Identity Providers, then assign it to the companies whose developers should sign in through it. It controls who can reach your portal, not what an API call is allowed to do.
What is an Identity Provider in Apiable?
An Identity Provider is the external system that authenticates the people who log in to your API Portal. Apiable redirects a user to the provider, the provider verifies them, and the user lands back in your portal signed in.
You connect one under Integrations → Identity Providers and assign it to companies. A connected provider can then appear as a sign-in option on your portal login screen.
How is an Identity Provider different from an Authorization Server?
An Identity Provider signs human users in to your API Portal. An Authorization Server issues the OAuth2 tokens your gateway validates for machine-to-machine API calls. They solve different problems and are configured separately in Apiable.
| | Identity Provider | Authorization Server |
|---|---|---|
| Job | Signs users in to your API Portal | Issues OAuth2 access tokens for API calls |
| Who it serves | People logging in to the portal | Subscriptions and their machine clients |
| Where you set it up | Integrations → Identity Providers | Integrations → Authorization Servers |
| Examples | Microsoft Entra ID, Amazon Cognito, OIDC | Keycloak, Auth0 |
Which identity providers does Apiable support?
Apiable ships three Identity Providers: Microsoft Entra ID, Amazon Cognito, and a generic OpenID Connect (OIDC) option. The OIDC option works with any standards-compliant OpenID Connect provider.
| Provider | Use it for |
|---|---|
| Microsoft Entra ID | Signing in users from a Microsoft Entra ID tenant or verified domain. |
| Amazon Cognito | Signing in users from an Amazon Cognito user pool. |
| OpenID Connect (OIDC) | Any standards-compliant OpenID Connect provider, configured by issuer URL. |
These three are the only Identity Providers Apiable offers. The OIDC option covers other OpenID Connect providers; there are no separate named integrations beyond the three above.
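Because the OIDC option is configured by issuer URL, it is worth checking a provider's discovery document before you connect it. The sketch below is an added example, not Apiable's code or a description of checks Apiable performs; it applies rules from OpenID Connect Discovery 1.0 to constructed metadata for a hypothetical provider at idp.example.com.

```python
import json
from urllib.parse import urlsplit

# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")

def discovery_url(issuer):
    """Default discovery location derived from the issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(configured_issuer, document):
    """Return a list of problems; an empty list means the document passed."""
    try:
        meta = json.loads(document)
    except ValueError:
        return ["discovery document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["discovery document is not a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in meta]
    # ID tokens carry this value as "iss", so it must equal the configured issuer exactly.
    if meta.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: {meta.get('issuer')!r}")
    parts = urlsplit(configured_issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in (meta.get("response_types_supported") or []):
        problems.append("response type 'code' is not offered")
    if "RS256" not in (meta.get("id_token_signing_alg_values_supported") or []):
        problems.append("RS256 missing from ID token signing algorithms")
    return problems

# Constructed sample metadata for a hypothetical provider; BAD_META has a
# trailing-slash issuer, a plain-http key set and no RS256.
ISSUER = "https://idp.example.com/realms/dev"
GOOD_META = {
    "issuer": ISSUER, "jwks_uri": ISSUER + "/keys",
    "authorization_endpoint": ISSUER + "/authorize", "token_endpoint": ISSUER + "/token",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD_META = dict(GOOD_META, issuer=ISSUER + "/", jwks_uri="http://idp.example.com/keys",
                id_token_signing_alg_values_supported=["none"])

if __name__ == "__main__":
    for name, meta in (("good", GOOD_META), ("bad", BAD_META)):
        print(name, check_discovery(ISSUER, json.dumps(meta)))
```

To check a real provider, fetch the document at `discovery_url(issuer)` yourself and pass the response body as `document`.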
How do you connect and configure an Identity Provider?
You add a provider under Integrations → Identity Providers, pick its type, fill in its credentials on the Authorization tab, then save. After saving you set how it appears and who it covers on the Details and Assignment tabs.
- Open Integrations → Identity Providers and start a new connection. The select screen is headed Authentication Providers and defaults to Microsoft Entra ID.
- Choose the provider type and connect. Each type has its own credential form on the Authorization tab.
- Save the connection. The Assignment tab unlocks once the provider exists.
- On the Details tab, set the display name, icon, and display mode.
- On the Assignment tab, choose the companies it covers and whether to force SSO.
The credential fields differ per provider. The task pages below walk through every field for each one.
What do the three tabs do?
A provider has three tabs: Authorization for credentials, Details for how it appears, and Assignment for who it covers. The Assignment tab stays disabled until you save the provider for the first time.
| Tab | What you set |
|---|---|
| Authorization | The provider's connection credentials. The fields depend on the provider type. |
| Details | Display Name, Display Icon, and Display Mode (Standalone or Grouped). |
| Assignment | Whether to assign all companies, Force SSO, and which companies the provider covers. |
An Active toggle sits above the tabs. It controls whether the provider is live.
What do Standalone and Grouped display modes do?
Display Mode decides how the provider appears on your portal login screen. Standalone gives the provider its own button. Grouped collapses it, with other grouped providers, behind a single SSO button.
A Standalone provider renders a dedicated button on the login screen that reads "Continue with" its display name, alongside its icon. Grouped providers do not each get a button; instead one shared SSO button leads to a screen where the user enters their email to be routed to the right provider.
What does Force SSO do?
Force SSO removes the email and password option for the users it covers, so they can sign in only through the Identity Provider. With Force SSO off, password sign-in remains as a fallback for those users.
Force SSO is set on the Assignment tab. When a user whose company has Force SSO enabled enters their email at login, the portal sends them to the provider and does not show a password field. When it is off, the portal still offers password sign-in after the email step.
What does a consumer see at portal login?
A consumer sees a sign-in option per Standalone provider, or one combined SSO button for Grouped providers, plus the usual email field. Choosing a provider redirects them to it and back to your portal once they authenticate.
The portal can also match a user to a provider by their email domain. When a user enters an email whose domain maps to a provider, the portal routes them to that provider's sign-in, and enforces SSO if the provider's company assignment requires it.
Where do Identity Providers fit in your portal?
Identity Providers gate who can sign in to the API Portal you give your API consumers. Authorization Servers and scopes then govern what those consumers' API calls can do once they have subscribed.
Where to next
- Connect Microsoft Entra ID: Connection Name, Tenant ID or Domain, Client ID, and Secret.
- Connect Amazon Cognito: Connection Name, User Pool ID, Region, App Client ID, and Client Secret.
- Connect an OpenID Connect provider: Connection Name, Issuer URL, Client ID, Client Secret, and optional discovery URL.
- Authorization Servers: The OAuth2 side: how tokens for API calls are issued and validated.