# Single Sign-On (SSO) with OpenID

{% hint style="warning" %}
Note that you'll only see this section if you have Owner user permissions. Learn more about permissions in [this article](/administration/global-settings/tenant/users.md).
{% endhint %}

## Overview

**OpenID Connect (OIDC)** is an open standard that provides user authentication. It relies on an **external identity provider (IdP)** to authenticate the user and thereby enables single sign-on (SSO). OIDC builds on top of OAuth 2.0, adding an authentication layer to that authorization framework: the service provider delegates authentication to a trusted identity provider instead of verifying credentials itself.

OpenID Connect satisfies requirements for identity and access in the following ways:

* **Authentication** - The service provider agrees to trust the identity provider to authenticate users.
* **Authorization** - Upon request, the identity provider generates an authentication assertion. This means that the user has been successfully authenticated, and the service provider can grant the user access to certain systems or content.

## Enable Onum as a service provider

If you're an admin user, follow these steps to activate OpenID Connect authentication for the users in your tenant:

{% stepper %}
{% step %}
Open the global settings menu by clicking your user icon at the bottom left of the screen.
{% endstep %}

{% step %}
Click any of the options and select **Authentication** in the menu that appears.
{% endstep %}

{% step %}
Once there, click the **Configure Single-Sign-On** button.

<figure><picture><source srcset="/files/6YutBVyLZIprcrzQQ7Xx" media="(prefers-color-scheme: dark)"><img src="/files/raiMy5JKJlqfYcIq6csN" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
You'll be prompted to enter the following information provided by your identity provider:

<table><thead><tr><th width="169.8125">Parameter</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Client ID</strong><mark style="color:red;"><strong>*</strong></mark></td><td>The public identifier for your app. It lets the Identity Provider know which application is making the login request. This is always a string, often a UUID-like value, e.g. <code>1234567890abcde.apps.googleusercontent.com</code></td><td></td></tr><tr><td><strong>Issuer (URL)</strong><mark style="color:red;"><strong>*</strong></mark></td><td>URL of the OpenID provider's authorization server. It tells your app where to find the IdP’s metadata (endpoints, public keys, etc.). This is always an HTTPS URL, for example: <code>https://idp.example.com/</code></td><td></td></tr><tr><td><strong>Client secret</strong><mark style="color:red;"><strong>*</strong></mark></td><td>Secret used to authenticate your app. Proves to the IdP that your app really is the one associated with the Client ID.</td><td></td></tr></tbody></table>

<figure><picture><source srcset="/files/jb1iWTHbiueRCE4LipUO" media="(prefers-color-scheme: dark)"><img src="/files/CiBttFh041uZxh1iwhQE" alt=""></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}
Click **Save** once you're done. You'll be given the following URLs:

* **Home URL** - This is the main entry point for the users in your tenant. This is where users will land after they log in, or where they’re redirected if they visit the app directly.
* **Callback URL** - This is the endpoint that the OpenID provider redirects to after a user successfully logs in. It’s where Onum receives the authorization code needed to complete the login process.

{% hint style="warning" %}
Note that **the Callback URL must be registered with the OpenID provider**, or the login flow will be blocked for security reasons.
{% endhint %}
{% endstep %}
{% endstepper %}

You have now set up Single Sign-On authentication in your tenant. You can click **Reset configuration** if you made a mistake or need to update any of the information.

<figure><picture><source srcset="/files/uTADcVA9y888FD2eNbsm" media="(prefers-color-scheme: dark)"><img src="/files/ocUV7cOpOqo50RcOnlyF" alt=""></picture><figcaption></figcaption></figure>
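To make the roles of the four values above concrete (Client ID, Issuer, Client secret and the registered Callback URL), here is a small relying-party walk-through of the OIDC authorization-code flow described in the Overview and configured in the steps above. This is added example code, not Onum's implementation; the client ID, issuer, secret, callback URL and the in-process stand-in for the identity provider are all constructed sample values. The ID token is HS256-signed with the client secret, which the OIDC spec permits, so the example runs offline; real deployments usually verify RS256 signatures against the issuer's published keys.

```python
"""Relying-party side of the OpenID Connect authorization-code flow.
Added illustration; all identifiers below are constructed samples."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# The values entered in the SSO form (constructed samples, not real credentials).
CLIENT_ID = "1234567890abcde.apps.example-idp.com"
ISSUER = "https://idp.example.com/"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
# The Callback URL that must be registered with the IdP for this client.
CALLBACK_URL = "https://app.example.com/sso/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(session: dict) -> str:
    """Step 1: redirect the browser to the IdP. `state` binds the response to
    this browser session (CSRF defence); `nonce` binds the ID token to it."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,        # tells the IdP which app is asking
        "redirect_uri": CALLBACK_URL,  # must match what the IdP has registered
        "scope": "openid email",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return ISSUER + "authorize?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 2: the IdP redirects back to the Callback URL with `code` and
    `state`. Reject the response unless `state` matches this session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: response not bound to this session")
    return query["code"][0]


def verify_id_token(token: str, session: dict, now=None) -> dict:
    """Step 3: validate the ID token obtained by exchanging the code:
    signature, issuer, audience (our Client ID), expiry and nonce."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a swapped alg
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch")
    return claims


def mint_sample_id_token(claims: dict) -> str:
    """Stand-in for the IdP: sign an ID token so the flow can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def run_flow() -> dict:
    """Drive the three steps end to end against the simulated IdP."""
    session = {}
    build_authorization_request(session)
    # Simulated IdP redirect back to the registered callback.
    redirect = CALLBACK_URL + "?" + urlencode({"code": "sample-code", "state": session["state"]})
    code = handle_callback(redirect, session)
    assert code == "sample-code"  # in a real flow this code is exchanged at the token endpoint
    token = mint_sample_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                                  "exp": int(time.time()) + 300, "nonce": session["nonce"]})
    return verify_id_token(token, session)
```

The `state` check is why the Callback URL registration matters: the IdP only ever sends the code to a URL it knows belongs to this client, and the client only accepts it when the accompanying `state` was issued for the same browser session.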

## Sign in with Single Sign-On authentication

Once you have activated Single Sign-On authentication in your tenant, users will see a **Sign in with SSO** button on the Onum login screen. They will need to enter the **tenant slug**; Onum then redirects them to their identity provider to complete the login flow.

Your **tenant slug** is the name of your tenant in lowercase, with spaces replaced by hyphens (`-`). For example, the slug of a tenant named `John Smith` will be `john-smith`. If there is more than one tenant with the same name, a number is appended at the end (`test`, `test-1`, `test-2`...).

<figure><img src="/files/PUrbUWoMinLqMyRpHMhf" alt=""><figcaption></figcaption></figure>
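The slug rule above, written out as a function so the lowercase, hyphen and numbering behaviour can be checked against examples. This is an added illustration, not Onum's own code; how runs of whitespace and surrounding spaces are treated is an assumption, as the page only specifies single spaces.

```python
import re


def tenant_slug(name: str, existing) -> str:
    """Derive a tenant slug from a tenant name: lowercase, spaces replaced by
    hyphens, and a numeric suffix (-1, -2, ...) when another tenant already
    holds that slug. `existing` is the set of slugs already in use.
    Assumption: runs of whitespace collapse to one hyphen and leading/trailing
    spaces are dropped (the page only specifies single spaces)."""
    base = re.sub(r"\s+", "-", name.strip().lower())
    slug = base
    n = 1
    while slug in existing:
        slug = f"{base}-{n}"
        n += 1
    return slug
```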


