SAML v2.0 and OAuth2 SSO overview

Last Updated: Jun 10, 2026

Avaya Aura® Device Services SSO involves the following key components:

  • Avaya Aura® Device Services

  • Keycloak

  • External third-party identity provider

Avaya Aura® Device Services

Avaya Aura® Device Services implements an SSO authorization code flow for Avaya Workplace Client. Avaya Aura® Device Services initiates the SSO flow, but Avaya Aura® Device Services itself is not an identity provider. Therefore, Avaya Aura® Device Services relies on an embedded third-party component called Keycloak for token management and brokering to an external third-party identity provider.

Keycloak

Keycloak is a third-party open source component that implements a fully functional identity provider. Keycloak also supports federation and brokering to external third-party identity providers. Avaya Aura® Device Services supports the following Keycloak configurations:

  • Direct integration with an enterprise directory.

  • Brokering to an external third-party identity provider. Typically, this is your enterprise’s identity provider.

For more information about Keycloak, see the Keycloak documentation.

External third-party identity provider

An identity provider manages identification information and authenticates users.

When Keycloak is configured to broker to an external identity provider, the Avaya Workplace Client user is redirected to the identity provider’s Login page. The user logs in directly with the identity provider, so the user’s credentials are exchanged only with the identity provider and are never passed through Avaya Aura® Device Services. The following are additional benefits of brokering:

  • The Avaya Workplace Client user logs in using a familiar Login screen, which is used by all other SSO-enabled applications.

  • The identity provider can implement additional authentication requirements, such as multi-factor authentication.

Avaya Aura® Device Services supports the following identity providers:

  • CA SiteMinder (SAML v2.0)

  • Duo (SAML v2.0)

  • IBM Security Verify Access (SAML v2.0)

  • Imprivata (SAML v2.0)

  • Microsoft Active Directory Federation Services (SAML v2.0)

  • Microsoft Azure Active Directory (Azure AD, SAML v2.0)

  • Microsoft Office 365 (OAuth2)

  • OKTA (SAML v2.0)

  • OneLogin (SAML v2.0)

  • Ping Identity (SAML v2.0)

  • Shibboleth (SAML v2.0)