Prerequisites
Before configuring OpenID Connect, ensure you have:
- Organisation Administrator access to Discngine Admin Center
- Access to your organization's OpenID Connect provider (Azure AD, Okta, etc.)
- Client ID and Client Secret from your OpenID Connect provider
- Authorization and Token endpoint URLs from your provider
Overview
Adding SSO login for your corporate OpenID Connect provider to Discngine Admin Center is simple. This guide covers the general configuration steps that apply to any OIDC-compliant provider, as well as links to provider-specific guides.
Provider-Specific Guides
We provide step-by-step guides for these providers:
If your provider is not listed, follow the generic steps below. For additional assistance, contact support@discngine.com.
How to Configure a Generic OIDC Provider
Step 1: Gather Information from Your Provider
Log in to your identity provider's admin console and locate the following information:
| Information | Where to find it | Example |
|---|---|---|
| Issuer URL | Usually in the provider's OIDC settings or well-known configuration | https://idp.example.com/.well-known/openid-configuration |
| Client ID | Created when you register Discngine as an application in your IdP | abc123-def456-... |
| Client Secret | Generated alongside the Client ID | secret-value |
When registering Discngine Admin Center as an application in your provider, use the following redirect URI:
https://account.discngine.cloud/oauth2/callback
Tip: Most providers that support OpenID Connect auto-discovery only require the Issuer URL. The Admin Center will automatically resolve the authorization, token, and userinfo endpoints.
Step 2: Configure in the Admin Center
- In the Admin Center, navigate to Identity Providers.
- Click New Provider +.
- Select OpenID Connect as the provider type.
- Fill in the configuration:
- Name: A descriptive name (e.g., "Corporate SSO")
- Issuer URL: The issuer URL from Step 1
- Client ID: The client ID from Step 1
- Client Secret: The client secret from Step 1
- Click Save.
Step 3: Assign Applications
- On the Identity Providers page, click the Enable/Disable button next to the new provider.
- Move the applications you want to protect with this IdP to the right-hand list.
- Click Save.
Step 4: Test
- Open the Admin Center login page.
- Enter an email address from a domain associated with your IdP.
- Verify that you are redirected to your provider's login page.
- After authenticating, verify that you are returned to the Admin Center with the correct access.
Login with OpenID Connect
Once you have completed this configuration you will be able to log in with your OpenID Connect provider:
- Open
https://admin-<organisation-name>.discngine.cloud/ - Type your login (your email)
- If an OpenID Connect Identity Provider is enabled, then you will be redirected to your corporate login page.
Disable an OpenID Connect Identity Provider
⚠️ Warning
Don't lock yourself out! Make sure you have enabled local login for your user before disabling your Identity Providers! To do so: navigate to Users → Edit your user and enable local authentication.
You can temporarily disable your OpenID Connect provider by either:
- Clicking on the
Enable/Disable 🔒button in the Identity Providers page - Opening the Identity Provider Configuration page and toggling the enable/disable radio button
After disabling the OpenID Connect Provider, you will be able to log in with local accounts.
Troubleshooting
| Problem | Solution |
|---|---|
| Users are not redirected to the IdP | Verify the Issuer URL is correct and the provider is Enabled |
| "Invalid redirect URI" error | Ensure the redirect URI (https://account.discngine.cloud/oauth2/callback) is registered in your IdP |
| "Invalid client credentials" | Verify the Client ID and Client Secret match what your IdP expects |
| Users can log in but have no access | Check that the IdP is assigned to the correct applications (Enable/Disable button) |
| Login works for some users but not others | Verify the user's email domain matches the domain configured in your IdP |