SSO Security and Validation Settings
Security and validation settings that can be configured once SSO has been successfully set up.
The Security & Validation section controls how instellix synchronizes users and validates authentication data received from your Identity Provider.
Sync Mode
The Sync Mode determines how user information received from the Identity Provider is synchronized with instellix. This is particularly relevant for role mapping.
Import
User information is imported when the user signs in for the first time. During subsequent logins, user attributes are updated only if they are not managed locally.
Choose this mode if you want to import users into instellix while allowing certain user information to be maintained locally.
Recommendation: Use Import for most integrations with Keycloak, Microsoft Entra ID, Auth0, and other OpenID Connect (OIDC) providers.
Force
User information is synchronized from the Identity Provider every time the user signs in. Any changes made locally to synchronized attributes are overwritten by the latest values provided by the Identity Provider.
Choose this mode when the Identity Provider should always be the single source of truth for user profile information.
Legacy
Uses the synchronization behavior of older Keycloak versions for backwards compatibility.
This mode should only be used when migrating existing Keycloak integrations that rely on the legacy synchronization behavior.
Recommendation: Not recommended for new configurations.
Inherit
Uses the synchronization mode configured at the parent level instead of defining a mode specifically for this Identity Provider.
Choose this option if you want this provider to follow the synchronization policy inherited from the surrounding Keycloak configuration.
Recommendation: Typically used only in advanced Keycloak setups.
Trust Email Addresses
Determines whether instellix should trust the email addresses provided by the Identity Provider.
When enabled, instellix accepts the email verification status reported by the Identity Provider. If the Identity Provider has already verified a user's email address, no additional email verification is required within instellix.
When disabled, email addresses are not automatically considered trusted. Depending on your configuration, additional validation or a separate email verification process may be required before the email address is treated as verified.
Recommendation: Enable this option if your Identity Provider manages user accounts and verifies email addresses (for example Keycloak, Microsoft Entra ID, Okta, or Auth0).
Validate Signatures
Determines whether the cryptographic signature of ID and access tokens issued by the Identity Provider should be verified.
When enabled, instellix validates that each token was issued by the configured Identity Provider and has not been modified. If the signature validation fails, authentication is rejected.
Disabling this option significantly reduces security and is not recommended for production environments.
Recommendation: Always keep this option enabled.
Use JWKS URL
Determines how instellix retrieves the public keys required to validate token signatures.
When enabled, instellix automatically downloads the public signing keys from the configured JWKS (JSON Web Key Set) URL. This allows signing key changes (key rotation) to be handled automatically without requiring manual updates.
When disabled, public keys must be configured and maintained manually. If the Identity Provider rotates its signing keys, the configuration must also be updated manually.
Recommendation: Enable this option whenever your Identity Provider provides a JWKS endpoint. This is the standard configuration for modern OpenID Connect providers such as Keycloak, Microsoft Entra ID, Auth0, and Okta.