Single Sign-On Guide

Secure your OpenMethods environment with enterprise-grade SSO integration. Support for OIDC and SAML2 across all major identity providers.

Overview

OpenMethods supports Single Sign-On (SSO) to allow users to authenticate using their existing corporate credentials. We support two industry-standard protocols:

1

OIDC OpenID Connect

Modern, JSON-based authentication layer on top of OAuth 2.0. Recommended for cloud-native identity providers like Azure AD, Okta, and Auth0. Easier to configure and debug.

2

SAML2 SAML 2.0

XML-based standard for exchanging authentication data. Ideal for legacy enterprise systems, ADFS, and on-premise identity solutions.

⚠️ Role Requirement

You must have the Owner role in the platform to configure SSO settings. Administrators can view settings but cannot make changes.

General Configuration

Regardless of your Identity Provider (IdP), you will need to register OpenMethods as an application in your IdP portal. Use the following endpoints for the configuration.

ℹ️ Environment Domain

The URLs below use the default cloud domain. If you are on a private cloud instance, replace auth.openmethodscloud.com with your specific environment domain.

Required Endpoints

SSO Callback URL

The endpoint where the IdP sends the authentication token after sign-in.

https://auth.openmethodscloud.com/sso/callback

Sign Out URL

The endpoint where users are redirected after logging out.

https://auth.openmethodscloud.com/sso/signout-callback

Redirect URL

The post-login redirect URL for your application.

https://auth.openmethodscloud.com/login

Entity ID / Audience URI (SAML Only)

The unique identifier for the Service Provider.

OM_WEB_APP_CORE

Azure Active Directory (Azure AD)

Azure AD is fully supported via both OIDC and SAML. We recommend OIDC for the simplest setup.

Configuration Steps (OIDC)

1

Register Application

In Azure Portal, go to App registrations > New registration. Name it "OpenMethods". Set Redirect URI to Web and enter the SSO Callback URL shown in your configuration page.

2

Generate Client Secret

Go to Certificates & secrets. Create a new client secret. Copy the Value immediately (not the Secret ID). You won't be able to see it again.

3

Gather Endpoints

Go to Overview > Endpoints. Copy the OpenID Connect metadata document URL.

4

Configure OpenMethods

In the Security Settings, select AzureAD provider. Enter the Client ID (Application ID), Client Secret, and Metadata URL.

Okta

Okta integration is seamless with OIDC. Follow these steps to create an OIDC App Integration.

Configuration Steps

1

Create App Integration

In Okta Admin, go to Applications > Create App Integration. Select OIDC - OpenID Connect and Web Application.

2

Configure Settings

Sign-in redirect URIs: https://auth.openmethodscloud.com/sso/callback
Sign-out redirect URIs: https://auth.openmethodscloud.com/sso/signout-callback
Assignments: Allow access to Everyone or specific groups.

3

Get Credentials

Copy the Client ID and Client Secret from the General tab. Your Metadata URL is your Okta domain + /.well-known/openid-configuration.

https://{your-okta-domain}.okta.com/.well-known/openid-configuration

PingOne

PingOne supports OIDC Web App integration.

Configuration Steps

1

Add Application

Go to Connections > Applications > + Add Application. Select OIDC Web App.

2

Configure Protocol

Redirect URIs: https://auth.openmethodscloud.com/sso/callback
Token Endpoint Auth Method: Client Secret Post.

3

Map Attributes

Ensure email, given_name, and family_name are mapped to the ID Token.

4

Get Configuration

Enable the application. Copy Client ID, Client Secret, and the Issuer URL (Metadata URL) from the Configuration tab.

Other Providers (Auth0, ADFS, Generic)

OpenMethods can integrate with any OIDC or SAML2 compliant identity provider. Use the generic settings below.

Auth0

  • Create a Regular Web Application.
  • Set Allowed Callback URLs to the SSO Callback URL (https://auth.openmethodscloud.com/sso/callback).
  • Set Allowed Logout URLs to the Sign Out URL (https://auth.openmethodscloud.com/sso/signout-callback).
  • Use the Domain (e.g., dev-xyz.us.auth0.com) to construct the Metadata URL: https://{domain}/.well-known/openid-configuration.

ADFS (Active Directory Federation Services)

⚠️ ADFS Requirement

ADFS 2016 or later is required for OIDC support. For older versions, use SAML2.

OIDC: Create an Application Group > Server application accessing a web API.
SAML: Create a Relying Party Trust. Import data using the Entity ID OM_WEB_APP_CORE (if metadata is available) or enter manually.

Field Reference

OIDC Fields

Field Required Description
Client ID Yes The unique application identifier from your IdP.
Client Secret Yes The secret key/password for your application.
Authorization URL Yes The OAuth 2.0 authorization endpoint from your IdP (e.g., login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize).
Token URL Yes The OAuth 2.0 token endpoint from your IdP (e.g., login.microsoftonline.com/{tenant}/oauth2/v2.0/token).
Metadata URL No The OpenID Connect auto-discovery URL. If provided, other endpoints can be auto-discovered.

SAML 2.0 Fields

SAML 2.0 supports two configuration methods: Metadata URL (auto-discovery) and Manual Configuration (certificate-based). The required fields depend on the method selected.

Metadata URL Method

Field Required Description
Issuer (Entity ID) Yes The unique identifier for the Identity Provider. Can be a URL, URN, or plain identifier (e.g., urn:amazon:cognito:sp:us-east-1_XXXXXXX). Must not contain whitespace.
SAML Metadata URL Yes The Federation Metadata XML endpoint from your IdP. The platform validates this URL and uses it to automatically fetch certificates and endpoints.

Manual Configuration Method

Field Required Description
Issuer (Entity ID) Yes The unique identifier for the Identity Provider. Can be a URL, URN, or plain identifier. Must not contain whitespace.
Sign-On URL Yes The SAML SSO endpoint where authentication requests are sent (e.g., identity-provider.example.com/saml/sso).
Sign-Out URL Yes The SAML SLO endpoint where logout requests are sent (e.g., identity-provider.example.com/saml/slo).
IdP Certificate Yes The X.509 certificate from your Identity Provider used for SAML assertion validation. Paste the full PEM-encoded certificate including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.