Single Sign-On (SSO) with OpenID

Overview

OpenID Connect (OIDC) is an open standard for user authentication. It delegates authentication to an external identity provider (IdP), which is what enables single sign-on (SSO). OIDC is built on top of OAuth 2.0, adding an authentication layer to that authorization framework.

OpenID Connect satisfies requirements for identity and access in the following ways:

  • Authentication - The service provider agrees to trust the identity provider to authenticate users.

  • Authorization - Upon request, the identity provider generates an authentication assertion. The assertion states that the user has been successfully authenticated, so the service provider can grant the user access to certain systems or content.

Enable Onum as a service provider

If you're an admin user, follow these steps to activate OpenID Connect authentication for the users in your tenant:

1. Open the global settings menu by clicking your user icon at the bottom left of the screen.

2. Click any of the options and select Authentication in the menu that appears.

3. Once there, click the Configure Single-Sign-On button.

4. You'll be prompted to enter the following information provided by your identity provider:

  • Client ID* - The public identifier for your app. It lets the identity provider know which application is making the login request. This is always a string, often a UUID-like value, e.g. 1234567890abcde.apps.googleusercontent.com

  • Issuer (URL)* - URL of the OpenID provider's authorization server. It tells your app where to find the IdP's metadata (endpoints, public keys, etc.). This is always an HTTPS URL, for example: https://idp.example.com/

  • Client secret* - Secret used to authenticate your app. It proves to the IdP that your app really is the one associated with the Client ID.

5. Click Save once you're done. You'll be given the following URLs:

  • Home URL - This is the main entry point for the users in your tenant. This is where users will land after they log in, or where they’re redirected if they visit the app directly.

  • Callback URL - This is the endpoint that the OpenID provider redirects to after a user successfully logs in. It’s where Onum receives the authorization code needed to complete the login process.

You have now set up Single Sign-On authentication in your tenant. You can click Reset configuration if you made a mistake or need to update any information.

Sign in with Single Sign-On authentication

Once you have activated Single Sign-On authentication in your tenant, users will see a Sign in with SSO button in their Onum login screens.

They will need to enter the Tenant slug; Onum then redirects them to their identity provider to complete the login flow. The slug is the part that comes after sso= in the Home URL provided when SSO was configured. Users must be given this slug so that they can log in using this method.
