Connectivity

If you filter outbound web traffic from your network, you may need to whitelist Groove.id. The following provides information about the connectivity requirements for Groove.id to work.

Please note that this may change from time to time. You may notice that many of the hostnames listed here resolve to the same set of IP addresses. Please do not rely on this fact.

Web Console

To use Groove.id, web users must be able to access the following URLs, all on TCP port 443:

https://groove.id
https://auth.groove.id
https://api.groove.id
https://static.groove.id
Your canonical URL, which will match the pattern https://*.auth.groove.id.
Each of the vanity URLs that are configured, e.g. https://signin.example.com or https://salesforce.example.com

The connections to https://api.groove.id rely on WebSockets, which may cause problems with some HTTPS man-in-the-middle proxies. You may need to disable man-in-the-middle for https://api.groove.id.

SSH agent

The Groove.id SSH Agent needs to communicate with https://api.groove.id on TCP port 443 as well as the vanity URL that you provide during the installation process. (e.g. https://signin.example.com)

Active Directory

The Groove.id Active Directory Agent needs only to communicate with https://api.groove.id on TCP port 443.

Linux Local User service

The Groove.id Local User service needs only to communicate with https://api.groove.id on TCP port 443.

RADIUS

The Groove.id RADIUS proxy needs only to communicate with https://api.groove.id on TCP port 443.

LDAP

If you use the LDAP configuration, your devices will need to contact auth.groove.id on TCP port 636.

Last modified May 12, 2020: refactor docs (d7a7a5c1d)