Single Sign-On (SSO) Support
SSO integration was introduced in CodeTogether 4.0 and is currently available only for On-Premises installations.
Scope of SSO Integration
CodeTogether integrates with SSO providers that support the OpenID Connect protocol—this includes providers like Okta, Azure AD, Microsoft AD FS and Auth0 among others.
SSO support in CodeTogether is straightforward—once configured on your on-premises install, users are allowed CodeTogether access only if they have been authorized by your provider. If they are unauthorized, they are neither able to host, nor join any sessions running on your server.
The only SSO integration currently supported is the ability to log in and log out. SSO groups and other similar constructs are not synchronized with CodeTogether teams, or any other CodeTogether functionality.
Setting Up Your SSO Provider
To integrate CodeTogether as a new application in your SSO provider, configure the following common OIDC properties:
|Login redirect URI|
|Logout redirect URI|
|Allowed Grant Types|
|– Client Credentials||enabled|
|– Authorization Code||enabled|
|– Refresh Token||enabled|
CT_SERVER_URL must be the externally visible name of your on-premises server, using the HTTPS protocol (e.g.,
This variable is configured when you set up your container.
Setting Up Your CodeTogether Server
To have CodeTogether integrate with the SSO application you created in the previous step, configure the following environment variables. These are in addition to the standard environment variables defined in the On-Premises Installation Guide.
(since CodeTogether 4.1.2)
|The base URL for your identity system; aka, Domain, Realm, etc.|
The presence of this variable signals to CodeTogether that SSO is enabled. If not defined, all variables below are ignored.
|CT_SSO_TOKEN_ENDPT||Optional: URL to the authorization server endpoint that provides refresh tokens.|
Use this environment variable for non-standard OIDC systems.
|CT_SSO_CLIENT_ID||Unique ID assigned by the SSO provider to the CodeTogether SSO application.|
|CT_SSO_CLIENT_SECRET||Private key assigned by the SSO provider to the CodeTogether SSO application.|
|CT_SSO_PROVIDER||Optional: Can be OKTA, MICROSOFT, IDCS, KEYCLOAK or ONELOGIN.|
If using another provider, omit this variable.
|CT_SSO_SECURE_JWKS_ENDPT_ENABLE||Optional: Can be “true” or “false”.|
When true, it informs CT_SSO that the authorization server URL used by the OpenID middleware for access to public keys is protected and can only be accessed by an authenticated user.
An example is the Oracle IDCS, which does not provide anonymous access to its
In CodeTogether 4.1.2,
CT_SSO_SYSTEM_BASE_URL replaces the
CT_SSO_AUTHORIZATION_ENDPT, as this new name better reflects the purpose of this variable. The older variable will continue to function as an alias.
We have guides for creating Apps in Okta and Azure for CodeTogether Authorization. The configuration process will be similar in all SSO providers.
Example Identity Provider Configurations
ENV CT_SSO_PROVIDER "OKTA"
ENV CT_SSO_CLIENT_ID "0oa5vFs2yPWSiq..."
ENV CT_SSO_CLIENT_SECRET "bI96uXez4QBb3ZxIY7eO4GCr..."
ENV CT_SSO_SYSTEM_BASE_URL "https://YOURDOMAIN.okta.com/oauth2/default"
ENV CT_SSO_PROVIDER "IDCS"
ENV CT_SSO_CLIENT_ID "357c9f87e5de442..."
ENV CT_SSO_CLIENT_SECRET "ab358ae8-4729-4f08-bc74-..."
ENV CT_SSO_SYSTEM_BASE_URL "https://idcs-YOURTENANCY.identity.oraclecloud.com"
ENV CT_SSO_SECURE_JWKS_ENDPT_ENABLE "true"
ENV CT_SSO_PROVIDER "KEYCLOAK"
ENV CT_SSO_CLIENT_ID "code-together"
ENV CT_SSO_CLIENT_SECRET "924ec27b-670e-4e18-8b97-..."
ENV CT_SSO_SYSTEM_BASE_URL "https://HOSTNAME/auth/realms/YOURREALM"
ENV CT_SSO_PROVIDER "MICROSOFT"
ENV CT_SSO_CLIENT_ID "ab55a5a3-498b-479b-..."
ENV CT_SSO_CLIENT_SECRET "_ZcjuPg_TNh_g~hld..."
ENV CT_SSO_SYSTEM_BASE_URL "https://login.microsoftonline.com/89abea56-e91d-41f7-a8.../v2.0"
Using CodeTogether with SSO
The first time you use CodeTogether, you are asked to authenticate with your organization’s single sign-on service.
Click Connect to be taken to your provider’s login page, where you can authenticate as required.
A message displays when the authentication is complete.
After logging in, the CodeTogether view will show you as connected.
How long will a user stay logged in?
CodeTogether authenticates the user each IDE session. Refresh tokens, if available, are used to refresh auth data and keep the user logged in without having to sign in again. This depends on how an SSO Administrator configures the lifetime of refresh tokens.
What info does CodeTogether SSO Integration access?
CodeTogether accesses minimal information, as defined by the following OIDC scopes: openid, profile, off_line
How do I find the Token endpoint URL (CT_SSO_TOKEN_ENDPT)?
As of CodeTogether 4.1.2, this variable is optional and is fetched from the well known configuration. However, you may specify it if you have a non-standard OIDC system or wish to override the value.
For this URL and other configuration details, look for the
token_endpointproperty in the provider’s discovery document:
Examples of discovery document paths: