This guide walks administrators through configuring OpenID Connect (OIDC) single sign-on for SecureAI. Once configured, users in your organization can sign in with their existing identity provider credentials.
Prerequisites
Before you begin, ensure you have:
- Admin access to your SecureAI instance.
- An OIDC-compatible identity provider (e.g., Okta, Azure AD, Google Workspace, Keycloak, Auth0).
- The following details from your identity provider:
  - Client ID
  - Client Secret
  - Discovery URL (also called the well-known endpoint, e.g., `https://your-idp.example.com/.well-known/openid-configuration`)
Step 1: Register SecureAI in Your Identity Provider
In your identity provider's admin console, create a new OIDC application:
- Set the Application type to "Web application."
- Set the Redirect URI (callback URL) to: `https://<your-secureai-domain>/oauth/oidc/callback`
- Set the Post-logout redirect URI to: `https://<your-secureai-domain>`
- Under Scopes, ensure the following are enabled: `openid`, `profile`, `email`
- Save the application and copy the Client ID and Client Secret.
Note: The exact steps vary by provider. See Provider-Specific Examples below for common configurations.
Step 2: Configure OIDC in SecureAI
- Log in to SecureAI as an administrator.
- Navigate to Admin Panel > Settings > Authentication.
- Under Single Sign-On, select OIDC as the provider type.
- Fill in the following fields:
| Field | Value |
|---|---|
| Provider Name | A display name for the sign-in button (e.g., "Sign in with Okta") |
| Client ID | The Client ID from your identity provider |
| Client Secret | The Client Secret from your identity provider |
| Discovery URL | Your provider's OpenID Connect discovery URL |
| Scopes | `openid profile email` (space-separated) |
- Click Save.
Step 3: Configure User Provisioning
Choose how new SSO users are handled when they sign in for the first time:
- In Admin Panel > Settings > Authentication, scroll to User Provisioning.
- Select one of the following:
| Option | Behavior |
|---|---|
| Auto-create users | A new SecureAI account is created automatically on first SSO login. Users are assigned the default role. |
| Require pre-registration | Only users who already have a SecureAI account (matching by email) can sign in via SSO. |
- Click Save.
Step 4: Test the Configuration
- Open a private/incognito browser window.
- Navigate to your SecureAI login page.
- You should see a button labeled with your Provider Name (e.g., "Sign in with Okta").
- Click it and sign in with a test account from your identity provider.
- Verify that:
  - You are redirected back to SecureAI after authentication.
  - Your name and email appear correctly in your SecureAI profile.
  - The correct role is assigned.
Important: Test with a non-admin account first. Keep a separate browser session with local admin credentials open in case you need to adjust settings.
Step 5: Roll Out to Your Organization
Once testing is complete:
- Communicate the new sign-in process to your users.
- Optionally, disable password-based login in Admin Panel > Settings > Authentication by toggling Allow password login to off.
- If you disable password login, ensure at least one admin account retains local credentials as a fallback.
Provider-Specific Examples
Okta
- In Okta Admin, go to Applications > Create App Integration.
- Select OIDC - OpenID Connect and Web Application.
- Set the redirect URI to `https://<your-secureai-domain>/oauth/oidc/callback`.
- Assign users or groups to the application.
- Discovery URL: `https://<your-okta-domain>/.well-known/openid-configuration`
Azure AD (Entra ID)
- In Azure Portal, go to Azure Active Directory > App registrations > New registration.
- Set the redirect URI to `https://<your-secureai-domain>/oauth/oidc/callback` (type: Web).
- Under Certificates & secrets, create a new client secret.
- Under API permissions, ensure `openid`, `profile`, and `email` are granted.
- Discovery URL: `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration`
Google Workspace
- In Google Cloud Console, go to APIs & Services > Credentials > Create OAuth client ID.
- Set the application type to Web application.
- Add the redirect URI: `https://<your-secureai-domain>/oauth/oidc/callback`.
- Discovery URL: `https://accounts.google.com/.well-known/openid-configuration`
Keycloak
- In your Keycloak realm, go to Clients > Create.
- Set Client Protocol to `openid-connect` and Access Type to `confidential`.
- Set the redirect URI to `https://<your-secureai-domain>/oauth/oidc/callback`.
- Discovery URL: `https://<keycloak-host>/realms/<realm-name>/.well-known/openid-configuration`
Troubleshooting
"Redirect URI mismatch" error
The redirect URI in your identity provider does not match the one SecureAI sends. Verify that the callback URL is exactly `https://<your-secureai-domain>/oauth/oidc/callback`. Trailing slashes and protocol (http vs. https) matter.
User is authenticated but gets "Access Denied"
If Require pre-registration is enabled, the user must have an existing SecureAI account with a matching email address. Either create the account first or switch to Auto-create users.
SSO button does not appear on the login page
Verify that you saved the OIDC configuration and that the Discovery URL is reachable from your SecureAI instance. Check Admin Panel > Settings > Authentication to confirm the configuration is active.
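The two checks above (a usable discovery document and a byte-for-byte redirect URI match) can be run before you touch the admin panel. The following is an added example, not SecureAI's own code; it uses a constructed discovery document and constructed URIs in place of your provider's real values.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document; not from any real provider.
# "email" is left out of scopes_supported on purpose to show a finding.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "profile", "groups"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "email")  # the scopes from Step 2


def check_discovery(doc_json: str) -> list[str]:
    """Return problems found in a discovery document; an empty list means OK."""
    doc = json.loads(doc_json)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not https")
    if "scopes_supported" not in doc:  # optional field, so only warn
        problems.append("scopes_supported not published; verify scopes manually")
    else:
        advertised = set(doc["scopes_supported"])
        problems += [f"scope {s} not advertised" for s in REQUIRED_SCOPES if s not in advertised]
    return problems


def diagnose_redirect_uri(registered: str, sent: str) -> list[str]:
    """Explain why two redirect URIs fail the exact-match rule (no normalisation)."""
    if registered == sent:
        return []
    r, s = urlparse(registered), urlparse(sent)
    reasons = []
    if r.scheme != s.scheme:
        reasons.append(f"scheme differs: {r.scheme} vs {s.scheme}")
    if r.netloc != s.netloc:
        reasons.append(f"host differs: {r.netloc} vs {s.netloc}")
    if r.path != s.path:
        reasons.append("trailing slash differs" if r.path.rstrip("/") == s.path.rstrip("/")
                       else f"path differs: {r.path} vs {s.path}")
    return reasons or ["query or fragment differs"]


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY))
    print(diagnose_redirect_uri("https://secureai.example.com/oauth/oidc/callback",
                                "http://secureai.example.com/oauth/oidc/callback/"))
```

Replace `SAMPLE_DISCOVERY` with the JSON fetched from your provider's Discovery URL to run the same check against the real document.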
Claims mapping issues
If user names or emails are not populating correctly, your identity provider may use non-standard claim names. Contact support with your provider's token sample (with sensitive values redacted) for assistance.