SSO Configuration

The SSO Configuration page allows administrators to enable and configure Single Sign-On (SSO) using OpenID Connect (OIDC). When enabled, users authenticate through an external identity provider instead of local application credentials.

Accessing SSO Settings

SSO configuration is available exclusively to administrators through the Admin panel.

Enabling SSO

1. Navigate to the Admin panel from the user profile menu.

2. Click the SSO Configuration tab.

3. Toggle the SSO Active switch to enable Single Sign-On.

4. Complete the OIDC configuration fields described below.

OIDC Configuration

Field	Description
Issuer URL	The OIDC provider’s issuer endpoint (e.g., https://accounts.google.com or your organization’s identity provider URL)
Client ID	The application client ID registered with the identity provider
Client Secret	The application client secret (encrypted at rest)
Redirect URI	The callback URL the identity provider redirects to after authentication
Scopes	OIDC scopes requested during authentication (e.g., openid, profile, email)
Login Button Label	Custom text displayed on the SSO login button (e.g., “Sign in with Okta”)

Validation

The system validates the OIDC configuration by performing a discovery request against the issuer URL. The issuer must expose a valid /.well-known/openid-configuration endpoint. Validation occurs immediately when the configuration is saved.

Behavior

• Immediate effect: Changes to SSO settings apply immediately without requiring an application restart.
• Encryption: Sensitive data, including the Client Secret, is encrypted at rest.
• Persistence: SSO settings persist across application restarts.
• Enforcement: When SSO is enabled, the login page displays both the local login form and an SSO button. Both authentication methods remain available in the UI.
• Fallback: If no admin-configured SSO settings exist, the system falls back to environment-based OIDC configuration (environment variables).

Tip

Test your OIDC configuration with a non-admin account before enforcing SSO for all users. This ensures the identity provider integration works correctly without locking out administrators.

Caution

When SSO is enabled, both local and SSO authentication are available on the login page. Ensure your identity provider is accessible and properly configured before directing users to authenticate via SSO.

Danger

Disabling SSO re-enables local authentication for all users. Any users who were created exclusively through SSO will need a local password set by an administrator before they can log in with local credentials.