Overview
OpenMethods supports Single Sign-On (SSO) to allow users to authenticate using their existing corporate credentials. We support two industry-standard protocols:
OIDC OpenID Connect
Modern, JSON-based authentication layer on top of OAuth 2.0. Recommended for cloud-native identity providers like Azure AD, Okta, and Auth0. Easier to configure and debug.
SAML2 SAML 2.0
XML-based standard for exchanging authentication data. Ideal for legacy enterprise systems, ADFS, and on-premise identity solutions.
You must have the Owner role in the platform to configure SSO settings. Administrators can view settings but cannot make changes.
General Configuration
Regardless of your Identity Provider (IdP), you will need to register OpenMethods as an application in your IdP portal. Use the following endpoints for the configuration.
The URLs below use the default cloud domain. If you are on a private cloud instance, replace
auth.openmethodscloud.com with your specific environment domain.
Required Endpoints
SSO Callback URL
The endpoint where the IdP sends the authentication token after sign-in.
https://auth.openmethodscloud.com/sso/callback
Sign Out URL
The endpoint where users are redirected after logging out.
https://auth.openmethodscloud.com/sso/signout-callback
Redirect URL
The post-login redirect URL for your application.
https://auth.openmethodscloud.com/login
Entity ID / Audience URI (SAML Only)
The unique identifier for the Service Provider.
OM_WEB_APP_CORE
Azure Active Directory (Azure AD)
Azure AD is fully supported via both OIDC and SAML. We recommend OIDC for the simplest setup.
Configuration Steps (OIDC)
Register Application
In Azure Portal, go to App registrations > New registration. Name it "OpenMethods". Set Redirect URI to Web and enter the SSO Callback URL shown in your configuration page.
Generate Client Secret
Go to Certificates & secrets. Create a new client secret. Copy the Value immediately (not the Secret ID). You won't be able to see it again.
Gather Endpoints
Go to Overview > Endpoints. Copy the OpenID Connect metadata document URL.
Configure OpenMethods
In the Security Settings, select AzureAD provider. Enter the Client ID (Application ID), Client Secret, and Metadata URL.
Okta
Okta integration is seamless with OIDC. Follow these steps to create an OIDC App Integration.
Configuration Steps
Create App Integration
In Okta Admin, go to Applications > Create App Integration. Select OIDC - OpenID Connect and Web Application.
Configure Settings
Sign-in redirect URIs: https://auth.openmethodscloud.com/sso/callback
Sign-out redirect URIs:
https://auth.openmethodscloud.com/sso/signout-callback
Assignments: Allow access to Everyone or specific groups.
Get Credentials
Copy the Client ID and Client Secret from the General tab. Your
Metadata URL is your Okta domain + /.well-known/openid-configuration.
https://{your-okta-domain}.okta.com/.well-known/openid-configuration
PingOne
PingOne supports OIDC Web App integration.
Configuration Steps
Add Application
Go to Connections > Applications > + Add Application. Select OIDC Web App.
Configure Protocol
Redirect URIs: https://auth.openmethodscloud.com/sso/callback
Token Endpoint Auth Method: Client Secret Post.
Map Attributes
Ensure email, given_name, and family_name are mapped to the ID
Token.
Get Configuration
Enable the application. Copy Client ID, Client Secret, and the Issuer URL (Metadata URL) from the Configuration tab.
Other Providers (Auth0, ADFS, Generic)
OpenMethods can integrate with any OIDC or SAML2 compliant identity provider. Use the generic settings below.
Auth0
- Create a Regular Web Application.
-
Set Allowed Callback URLs to the SSO Callback URL
(
https://auth.openmethodscloud.com/sso/callback). -
Set Allowed Logout URLs to the Sign Out URL
(
https://auth.openmethodscloud.com/sso/signout-callback). -
Use the Domain (e.g.,
dev-xyz.us.auth0.com) to construct the Metadata URL:https://{domain}/.well-known/openid-configuration.
ADFS (Active Directory Federation Services)
ADFS 2016 or later is required for OIDC support. For older versions, use SAML2.
OIDC: Create an Application Group >
Server application accessing a web API.
SAML: Create a Relying Party Trust. Import data using the Entity ID
OM_WEB_APP_CORE (if metadata is available) or enter manually.
Field Reference
OIDC Fields
| Field | Required | Description |
|---|---|---|
| Client ID | Yes | The unique application identifier from your IdP. |
| Client Secret | Yes | The secret key/password for your application. |
| Authorization URL | Yes |
The OAuth 2.0 authorization endpoint from your IdP (e.g.,
login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize).
|
| Token URL | Yes |
The OAuth 2.0 token endpoint from your IdP (e.g.,
login.microsoftonline.com/{tenant}/oauth2/v2.0/token).
|
| Metadata URL | No | The OpenID Connect auto-discovery URL. If provided, other endpoints can be auto-discovered. |
SAML 2.0 Fields
SAML 2.0 supports two configuration methods: Metadata URL (auto-discovery) and Manual Configuration (certificate-based). The required fields depend on the method selected.
Metadata URL Method
| Field | Required | Description |
|---|---|---|
| Issuer (Entity ID) | Yes |
The unique identifier for the Identity Provider. Can be a URL, URN, or plain identifier (e.g.,
urn:amazon:cognito:sp:us-east-1_XXXXXXX). Must not contain whitespace.
|
| SAML Metadata URL | Yes | The Federation Metadata XML endpoint from your IdP. The platform validates this URL and uses it to automatically fetch certificates and endpoints. |
Manual Configuration Method
| Field | Required | Description |
|---|---|---|
| Issuer (Entity ID) | Yes | The unique identifier for the Identity Provider. Can be a URL, URN, or plain identifier. Must not contain whitespace. |
| Sign-On URL | Yes |
The SAML SSO endpoint where authentication requests are sent (e.g.,
identity-provider.example.com/saml/sso).
|
| Sign-Out URL | Yes |
The SAML SLO endpoint where logout requests are sent (e.g.,
identity-provider.example.com/saml/slo).
|
| IdP Certificate | Yes |
The X.509 certificate from your Identity Provider used for SAML assertion validation. Paste the full
PEM-encoded certificate including -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- markers.
|