See openid-connect Menu

Connect an OIDC enabled app

To connect your OpenID Connect-enabled app to OneLogin, you must:

  1. Add an OpenId Connect app to your company app catalog.
  2. Provide users with access to the app in OneLogin.


  • A OneLogin account. If you need a free developer account, sign up here.
  • Any OpenID-Connect-enabled app that uses the Implicit or Authorization (Basic) flow

Add an OpenId Connect app to your company app catalog

  1. Access your OneLogin Administration portal and select Apps.

  2. Select Add App to add a new app. Search for OpenId Connect

  3. Search for “OpenId Connect” or “oidc” then select the OpenId Connect (OIDC) app Search for OpenId Connect

  4. Name the app and click Save. Search for OpenId Connect

  5. On the Configuration tab, enter the Redirect URI that your app uses as the callback endpoint. This is where OneLogin sends the authentication response and ID token. Search for OpenId Connect

    Redirect URI - After the user authenticates we only allow redirects back to items on the comma-separated list of URLs (or new-line). HTTPS is required. Http://localhost is only permitted for development purposes, don’t use in production.

    Note: If you edit this field, the new value won’t appear for up to 10 minutes due to caching.

    Login URL - In this optional URL field, enter the URL your users access to sign in to the app. Optional URL is required if users want to launch the app from the OneLogin portal. OpenID Connect enables service-provider-initiated (SP-initiated) SSO, but not identity-provider-initiated (IdP-initiated) SSO. When you provide a Login URL, OneLogin mimics an IdP-initiated SSO experience: the user is directed to the app’s login page, where the SP-initiated authentication flow begins.

  6. On the SSO tab, copy the Client ID & Client Secret values and use these in your OpenID-Connect-enabled app. Search for OpenId Connect

    Client ID - Public key, issued by OneLogin. It must be recorded by your app and passed with each request for an access token.

    Client Secret - Private key, used by the client to exchange an authorization code for a JWT token. Click Regenerate client secret to generate a client secret. For security purposes, don’t hard code this in apps.

    OpenID Provider Configuration Information - If your app supports self-discovery using provider metadata endpoints, this is where it locates details about OneLogin’s OpenID Connect implementation for this connector, including supported claims, grant types, and JSON Web Key (JWK) signing and encryption information.

    Token Endpoint - In the OpenId Connect Authorization flow, select POST or Basic, depending on the protocol your app employs to fetch an access token. For Dotnet or Node.js/Passport based apps, POST is most common.

    Token Timeout Settings - Only apply when using the Resource Owner Password Grant.

Give Users Access to Your App in OneLogin

To provide users access to your app in OneLogin, return to the app configuration page in OneLogin and go to the Access tab. Assign the OneLogin roles that require access to the app and provide any app security policy that you require.

For example, create an app policy that requires multi-factor authentication.

Go to Users > All Users to add the app to individual user accounts.

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "openid-connect onelogin"