OCIS with external IdP?

I’ve been playing with OCIS in the lab and currently I’m trying to use an external IdP with it (Authentik; later on I’ll try Keycloak as well, but I decided to use the one I’m familiar with first). Some questions arose during the process - can anyone help me out with it a bit :slight_smile: ?

  1. Is the COMPANION_DOMAIN variable intended to be used as the IdP domain?

I couldn’t find info about it in the docs, but after an initial failed connection attempt and checking the messages via devtools I’ve come to the conclusion it should be set to the IdP provider’s domain so that csp.yaml is populated with this value and thus this external domain won’t be blocked. It worked - but as this was only my guess I’d prefer to make sure :smiley: .

  2. Why are separate providers needed for desktop, phone and web apps?

This one baffled me. OCIS is probably the only app so far where I had to do it. In most cases I set up the provider once and call it a day.

  3. What’s the correct way of setting up the OIDC provider?

While it somewhat works on my end it’s far from perfect. First of all - am I right that you can’t set the Authentik provider to private mode and have to use a public one (without a client secret)? Any pointers on things I should focus on when setting it up?

  4. How do you prevent being logged out when using an external provider?

I’ve noticed that after a while, when using the external IdP, I’m being logged out - something that does not happen when using the built-in OIDC provider. Currently looking for the setting that causes that - suggestions greatly appreciated.

  5. How do you get an admin user?

This one is a bit silly - but how do you get an admin user with an external IdP? I’ve noticed that I need to set PROXY_AUTOPROVISION_ACCOUNTS to make the external IdP actually usable (do I? should it be done differently?). If it’s down to group mappings - how do you do that? Can you do that on the OCIS side or on the IdP side? If the latter - which group should I add on the IdP?

ad 4
On Authentik it’s managed by Providers → Advanced Protocol settings → Access Token validity (I’ve got a bit too used to apps managing sessions).

ad 5
Roles mapping should do the trick.
https://doc.owncloud.com/ocis/7.0/deployment/services/s-list/proxy.html#automatic-role-assignments

Roles mapping worked nicely on my end with Authentik as IdP. I just had to create Customization → Property mappings on Authentik and add them to the provider for OCIS - this way the proper fields with roles appeared in the JSON response and I was able to use those in OCIS. Pretty happy about it.

Currently I’m trying to make the desktop / mobile apps work - any tips greatly appreciated. Docs on the matter are pretty scarce (or my search-fu is failing me :wink: ).
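As an added example (not code from this thread, from ownCloud or from Authentik) of the two halves of the roles mapping described in the "ad 5" replies: the IdP side turns group membership into a `roles` claim, and the OCIS proxy side resolves that claim to one OCIS role. The claim values `ocisAdmin`, `ocisSpaceAdmin`, `ocisUser` and `ocisGuest` are the defaults documented on the linked proxy page; the group names are hypothetical, and the "first match in mapping order wins" tie-break is an assumption you should check against the proxy docs before relying on it. The token is built unsigned, purely so the script runs offline; it never verifies a signature and is meant only for checking that the claim actually shows up in what the IdP issues.

```python
"""Troubleshooting helper for claim-based OCIS role assignment (added example).

Left half: what an IdP property/scope mapping emits (groups -> roles claim).
Right half: how a claim-to-role mapping resolves it to a single OCIS role.
"""
import base64
import json

# Hypothetical IdP group names -> OCIS claim values (the claim values are the
# documented defaults for the proxy's oidc role assignment driver).
GROUP_TO_CLAIM = {
    "ocis-admins": "ocisAdmin",
    "ocis-space-admins": "ocisSpaceAdmin",
    "ocis-users": "ocisUser",
    "ocis-guests": "ocisGuest",
}

# Claim value -> OCIS role name, most privileged first. Mirrors the default
# mapping; the ordering as tie-break is this script's assumption.
DEFAULT_ROLE_MAPPING = [
    ("ocisAdmin", "admin"),
    ("ocisSpaceAdmin", "spaceadmin"),
    ("ocisUser", "user"),
    ("ocisGuest", "guest"),
]


def roles_claim_from_groups(groups):
    """IdP side: the dict an Authentik scope mapping expression would return.

    Only groups that are explicitly mapped produce a claim value; unrelated
    groups (e.g. "staff") are ignored rather than leaked into the token.
    """
    return {"roles": [claim for grp, claim in GROUP_TO_CLAIM.items() if grp in groups]}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample ID token (alg=none, empty signature) for offline use."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only. No signature verification: this is for
    inspecting what the IdP put in the token, not for authenticating anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_role(claims: dict, role_claim: str = "roles", mapping=DEFAULT_ROLE_MAPPING) -> str:
    """OCIS side: pick the role for a user from the configured claim.

    Raises LookupError when the claim is missing or carries no mapped value,
    which is exactly the symptom of a property mapping that was not attached
    to the provider.
    """
    values = claims.get(role_claim)
    if values is None:
        raise LookupError(f"claim {role_claim!r} is not present in the token")
    if isinstance(values, str):  # some IdPs emit a single string, not a list
        values = [values]
    matched = [role for claim_value, role in mapping if claim_value in values]
    if not matched:
        raise LookupError(f"claim {role_claim!r}={values!r} contains no mapped value")
    return matched[0]  # assumption: first entry in mapping order wins


if __name__ == "__main__":
    # Constructed sample: a user in two groups, one of them unmapped.
    token = make_unsigned_token({"sub": "alice", **roles_claim_from_groups(["ocis-space-admins", "staff"])})
    print(decode_jwt_payload(token))
    print("resolved role:", resolve_role(decode_jwt_payload(token)))
```

To check a real token from Authentik, paste the ID token into `decode_jwt_payload` and confirm the claim name matches what the proxy is configured to read (`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`, default `roles`); a `LookupError` from `resolve_role` points at the mapping rather than at OCIS.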