Single Sign-On (SSO) Setup Guide with OIDC/OAuth2.0
This manual explains how to enable Single Sign-On (SSO) with an external Identity Provider using OpenID Connect (OIDC 1.0) and OAuth2.0 in your workspace.
Functional Description
When you want to integrate your application or workspace with an external Identity Provider (IdP), SSO allows your users to authenticate once with the IdP and then gain access without repeatedly logging in.
Supported IdPs include:
- OpenID Connect (OIDC - default)
- Azure AD / Entra ID
- Google Identity Provider
- Wallix Trustelem
Step-by-step Guide
Step 1: Open Workspace Properties
- Go to your workspace and locate the Properties menu on the top left of the screen.
Step 2: Access Authentication
- Navigate to the Authentication tab.
Step 3: Configure Identity Provider
- Click on Configure Identity Provider.
Step 4: Select the Identity Provider
- Choose which provider you want to configure:
- OpenID Connect (OIDC) — default connector
- Azure AD / Entra ID
- Google IdP
- Wallix Trustelem
Step 5: Configure Identity Provider Settings
Provide the required configuration details as per OIDC standards:
- Name: Internal reference name for this IdP.
- Display Name: Shown on the login page for the user.
- Discovery Endpoint: The URL published by the IdP that allows automatic discovery of its endpoints and public signing keys, normally https://<issuer>/.well-known/openid-configuration (only required for the generic OIDC connector; the Azure AD, Google and Trustelem connectors know their own).
- Client ID: Public identifier the IdP assigned to your application when you registered it (an opaque string, not necessarily numeric).
- Client Secret: Confidential credential issued by the IdP, used by your application to authenticate itself to the IdP's token endpoint. Keep it server-side only, never in browser-side code, and rotate it at the IdP if it is ever exposed.
- Force login with this IdP (optional):
- If checked → this IdP is enforced as the default login option.
- If unchecked → IdP will be shown as one of multiple login options on your login page.
Step 6: Configure Login Actions
- If you did not choose "Force login with this IdP":
- Go to Actions.
- Edit your login template and add a button with action type:
- "Login with IDP".
- Assign the Name of the IdP you added in Step 5.
Human-Friendly OIDC Explanation
What is OIDC?
OpenID Connect (OIDC) is an identity layer built on top of OAuth2.0.
It allows applications to verify a user’s identity and obtain their basic profile info securely.
Here’s how it works in simple terms:
- You click “Login with Provider”.
- Your app redirects you to the Identity Provider (e.g., Google, Azure AD).
- You enter your credentials (only once, securely at the IdP).
- The IdP verifies you and redirects back to your app with a short-lived authorization code, which your app exchanges at the IdP's token endpoint for an ID Token (a signed statement of who you are).
- Your app validates the ID Token (signature, issuer, audience, expiry, nonce) and logs you in, without ever seeing or storing your password.
What Happens "Under the Hood"
OIDC uses a few key components:
- Discovery Endpoint (https://<issuer>/.well-known/openid-configuration): A special URL published by the IdP.
- It tells your app where to find:
- Authorization endpoint (where to redirect users for login).
- Token endpoint (where to exchange codes for tokens).
- Public keys (used to validate ID tokens).
- Client ID: Your application's public identifier registered with the IdP.
- Client Secret: Like a password for your app to prove it really is allowed to use the IdP.
- Tokens:
- ID Token: Contains who the user is (identity claims).
- Access Token: Short-lived key to access APIs.
- Refresh Token: Lets you get new access tokens without logging in again.
✅ With OIDC, you never handle user passwords directly: you delegate login to a trusted Identity Provider and receive signed tokens in return. Those tokens are only proof of identity after your app has validated them (signature, issuer, audience, expiry and nonce), so that validation step is where the security of the whole setup lives.
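The flow and the components described above, put together as the relying-party (your application's) side of the authorization-code flow. This is an added example written for this guide, not code from the workspace product or from any of the listed IdPs, and it uses only the Python standard library so it runs offline. The discovery document, client ID, client secret and redirect URI are constructed placeholder values. The ID Token is signed with HS256 keyed by the client secret (the symmetric variant OIDC Core permits) so that no network or RSA key material is needed; a real IdP usually signs with RS256, in which case the same claim checks apply and only the key changes (fetched from jwks_uri). mint_test_id_token stands in for the IdP's token endpoint purely so the validation can be exercised.

```python
"""Relying-party side of the OIDC authorization-code flow, stdlib only.
Constructed example: the IdP, client ID, secret and URLs below are assumptions, not real values."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Stand-in for the document the IdP serves at <issuer>/.well-known/openid-configuration
# (in production you fetch it over HTTPS and cache it).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}
CLIENT_ID = "workspace-app"             # assumed values from registering the app at the IdP
CLIENT_SECRET = "s3cr3t-issued-by-idp"  # server-side only; never shipped to the browser
REDIRECT_URI = "https://workspace.example.com/oidc/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(session: dict) -> str:
    """Step 1: build the redirect to the authorization endpoint. state (CSRF binding),
    nonce (token binding) and the PKCE verifier stay server-side in the user's session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 2: the IdP redirected back with ?code=...&state=... . Reject a state that does not
    match the session, then return the form body to POST to the token endpoint (not sent here)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: login was not started by this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code_verifier": session["code_verifier"]}


def verify_id_token(id_token: str, session: dict, now=None) -> dict:
    """Step 3: validate the ID Token from the token response (OIDC Core 3.1.3.7).
    HS256 keyed with the client secret is used so this runs offline; with RS256 the claim
    checks are identical and only the key changes (fetched from DISCOVERY['jwks_uri'])."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud or (len(aud) > 1 and claims.get("azp") != CLIENT_ID):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch: token is not bound to this login")
    return claims


def mint_test_id_token(claims: dict) -> str:
    """Constructed stand-in for the IdP's token endpoint: signs claims with the client secret."""
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    return f"{header_b64}.{payload_b64}.{b64url(sig.digest())}"


if __name__ == "__main__":
    session = {}
    print(start_login(session))
    token_request = handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}", session)
    now = int(time.time())
    token = mint_test_id_token({"iss": DISCOVERY["issuer"], "sub": "user-42", "aud": CLIENT_ID,
                                "iat": now, "exp": now + 300, "nonce": session["nonce"]})
    print("logged in as", verify_id_token(token, session)["sub"])
```

The three checks that most often go missing in hand-rolled integrations are the ones the example refuses to skip: state is compared against the server-side session before the code is used, the signing algorithm is pinned rather than read from the token header, and the nonce in the ID Token must match the one sent in the authorization request. Swapping in a production IdP means fetching DISCOVERY and the JWKS over HTTPS and replacing the HMAC comparison with an RS256 check against the key whose kid matches the token header; everything after the signature check stays the same.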