# Authentication Issuer - Custom Identity 1. [Home](https://www.agilicus.com/) 2. Authentication Issuer – Custom Identity ![](https://www.agilicus.com/www/fc240c96-undraw_authentication_re_svpt.svg)When your identity provider is custom --- ## Authentication Issuer - Custom Identity An Identity provider holds the user database, and, authenticates users against it. Agilicus supports any OpenID-Connect based identity provider. This includes Okta, Microsoft, Google, etc. [CONTACT](/contact-us/) ## Authentication Issuer - Custom Identity An Identity provider holds the user database, and, authenticates users against it. Agilicus supports any OpenID-Connect based identity provider. This includes Okta, Microsoft, Google, etc. Most customers will use the 'Shared Identity' feature which is zero-touch configuration. However, some will wish to implement custom rules inside their identity provider, requiring creation of a 'new application registration'. To add a custom provider, select 'add provider' [![](https://www.agilicus.com/www/a3513275-image-1024x738.png)](https://www.agilicus.com/www/a3513275-image.png)You will see two choice: 'Azure Active Directory' (which will give you a guided walk through), or, 'Other'. In other you will configure a row in a table. [![](https://www.agilicus.com/www/7ba4b661-image.png)](https://www.agilicus.com/www/7ba4b661-image.png)[![](https://www.agilicus.com/www/d17bf7ec-image.png)](https://www.agilicus.com/www/d17bf7ec-image.png)Once you have added the row, you have these columns: - name -- what the user will see on the sign in page - issuer -- the URI (e.g. https://login.microsoftonline.com/TENANTID/v2.0) - icon -- from your theme, e.g. `google`, `microsoft` - client id -- as given by your identity provider (e.g. TENANTID) - secret -- as given by your identity provider - auto-create -- if set, users will be created automatically in Agilicus if they can sign in via this upstream identity provider. Do not use with public providers. - type -- Generic (or Microsoft for non-compatible extensions) - offline consent -- if true, ask for consent to do `refresh` flow (aka offline) - request user info -- if true attempt to fetch additional user info (e.g. group mappings) - issuer external host -- leave blank typically - username key -- blank (or e.g. username, email, etc) - email key -- typically email - verifies email -- if set the upstream provider forces verification of email address - redirect uri -- the redirect URI to your Agilicus-provided authentication federation. Typically https://auth.\_\_REGION\_DOMAIN\_NAME\_\_/callback You may also use the action-button (3-dots) to configure group mappings, these will import groups from your upstream identity provider automatically ---