# Wallix Trustelem Endpoint SSO (OpenID Connect)

> Use Wallix Trustelem OIDC to secure access to ngrok endpoints with single sign-on.

<Note>
  This guide refers to using SSO to authenticate access to your **endpoints**. You cannot use these instructions to set up SSO for logging into your ngrok account in the dashboard.
</Note>

This guide explains how to configure Wallix Trustelem as the primary Identity Provider for ngrok tunnels using single sign-on (SSO).
By integrating Wallix Trustelem SSO with ngrok, you can:

* Restrict access to ngrok tunnels only to users authenticated via Wallix Trustelem
* Use Wallix Trustelem security policies and MFA authenticators
* Use Wallix Trustelem's Dashboard to facilitate access to ngrok apps

The ngrok integration with Wallix Trustelem supports SP-Initiated SSO.
In this mode, users access ngrok endpoints and are redirected to Wallix Trustelem for authentication.

## What you'll need

* A Wallix Trustelem account with administrative rights to create apps.
* An ngrok Pay-as-you-go account with an authtoken or admin access to configure endpoints with OpenID Connect.

## 1. Configure Wallix Trustelem

* Access the WALLIX Trustelem administration console and sign in using your Trustelem account.
* On the **Dashboard** page, click **Apps** on the left menu, click **Add an application**, and then click the **OpenID Connect application** tile in the **Generic models** section.
* On the **Settings** popup, enter `ngrok oidc` in the **Name** field, enter `https://idp.ngrok.com/oauth2/callback` in the **RedirectURI** field, and enter `https://trustelem-sso-test.ngrok.app` in the **Login URL** field.
* On the **Settings** popup, make note of the value of both the **ClientID** and the **ClientSecret** fields, and then click **Save**.
* Make note of the value of the URL of the **Issuer** field and then click **Close**.

## 2. Configure ngrok

ngrok can use Wallix Trustelem SSO in two ways:

* From the ngrok CLI (using the `--oidc` parameter)
* From a Traffic Policy file (using the `openid-connect` action)

### **Option 1**: ngrok CLI

<Note>
  This tutorial assumes you have an app running locally (for example, on `localhost:3000`) with the ngrok client installed.
</Note>

* Launch a terminal.
* Enter the following command to launch an ngrok tunnel with Wallix Trustelem SSO:

  ```bash
  ngrok http 3000 --oidc=TRUSTELEM_OAUTH_URL \
    --oidc-client-id=TRUSTELEM_CLIENT_ID \
    --oidc-client-secret=TRUSTELEM_CLIENT_SECRET
  ```

  Replace the following placeholders with your values:

  * TRUSTELEM\_OAUTH\_URL: The issuer URL you copied from the Trustelem console.
  * TRUSTELEM\_CLIENT\_ID: The client ID you copied from the Trustelem console.
  * TRUSTELEM\_CLIENT\_SECRET: The client secret you copied from the Trustelem console.

  Optionally, add the `--url YOUR_DOMAIN` argument to use a custom URL, replacing `YOUR_DOMAIN` with your preferred URL.
* Copy the URL available next to **Forwarding** (for example, `https://trustelem-sso-test.ngrok.app`).
* Skip **Option 2** and continue with **Grant access to Wallix Trustelem users**.

### **Option 2**: Traffic Policy

<Note>
  This tutorial assumes you have an app running locally (for example, on `localhost:3000`) with the ngrok client installed.
</Note>

Create a `policy.yaml` file with the following content, replacing the placeholder values with those copied from Wallix Trustelem:

```yaml
on_http_request:
  - actions:
      - type: openid-connect
        config:
          issuer_url: 'YOUR_TRUSTELEM_ISSUER_URL'
          client_id: 'YOUR_TRUSTELEM_CLIENT_ID'
          client_secret: 'YOUR_TRUSTELEM_CLIENT_SECRET'
          scopes:
            - openid
            - profile
            - email
```

Launch an ngrok tunnel with this policy:

```bash
ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN
```

Copy the URL next to **Forwarding** (for example, `https://trustelem-sso-test.ngrok.app`).
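
The issuer URL noted in step 1 and the scopes listed in `policy.yaml` can be checked against the provider's discovery document before the tunnel is launched. The Python check below is an added example, not part of the ngrok or Wallix documentation. It assumes the provider publishes a standard OpenID Connect Discovery document at `<issuer>/.well-known/openid-configuration` and advertises the authorization code flow; the sample document and the `idp.example.test` host are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Scopes requested by the policy.yaml on this page.
POLICY_SCOPES = ["openid", "profile", "email"]

def discovery_url(issuer_url):
    """Discovery location per OpenID Connect Discovery 1.0."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer_url, doc, scopes=POLICY_SCOPES):
    """Return a list of problems; an empty list means the values line up."""
    problems = []
    if urlsplit(issuer_url).scheme != "https":
        problems.append("issuer_url is not https")
    # The issuer in the document must equal the configured value exactly;
    # compliant clients reject a trailing slash or a different path.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key) or "").scheme != "https":
            problems.append(f"{key} missing or not https")
    # Assumption: the client uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    supported = doc.get("scopes_supported")
    if supported is not None:  # optional field in the discovery spec
        for scope in scopes:
            if scope not in supported:
                problems.append(f"scope {scope!r} not advertised")
    return problems

# Constructed sample document (placeholder host, not a real Trustelem tenant).
SAMPLE_ISSUER = "https://idp.example.test/app/123456"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.test/app/123456",
  "authorization_endpoint": "https://idp.example.test/app/123456/auth",
  "token_endpoint": "https://idp.example.test/app/123456/token",
  "jwks_uri": "https://idp.example.test/app/123456/certs",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile", "email"]
}""")

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or "ok")
    # A trailing slash copied into the config is reported as a mismatch.
    print(check_discovery(SAMPLE_ISSUER + "/", SAMPLE_DOC))
```

To use it with a real tenant, fetch the document from the URL returned by `discovery_url()` and pass the parsed JSON to `check_discovery()`.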

## Grant access to Wallix Trustelem users

Wallix Trustelem allows its users to access OIDC-integrated apps.
To create a user, follow the instructions below:

* On the left menu of the WALLIX Trustelem administration console, click **Users** and then click **Create User**.
* Enter values for **First Name**, **Last Name**, and **Primary Email** fields, and then click **Save**.

## Test the integration

* In your browser, launch an incognito window.
* Access your ngrok tunnel (for example, `https://trustelem-sso-test.ngrok.app` or the endpoint URL you copied).
* You should be prompted to log in with your Wallix Trustelem credentials.
* After logging in, you should be able to see your web app.
