Overview
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. OIDC provides single sign-on (SSO): users are authenticated by your organization’s identity provider (IdP), and the Syniti Knowledge Platform (SKP) uses the result of that authentication to authorize them to its resources.
OIDC uses JavaScript Object Notation (JSON) and JSON Web Tokens (JWT) to transmit identity information securely between the SKP and your organization’s IdP. With OIDC SSO, once you log in to the SKP you are authenticated to its modules and services without having to log in again.
The following IdPs, among others, are supported for OIDC SSO:
Okta. Refer to Configuring OIDC SSO with Okta for information on SSO integration with the SKP.
Microsoft Entra ID, formerly Azure Active Directory
PingFederate
SiteMinder
Note
Any identity provider using OIDC is also supported.
Configure OIDC SSO using an IdP
You can use your organization’s IdP to configure OIDC SSO with the SKP. This section describes the data required from your organization’s IdP and the SKP to set up the OIDC SSO feature for accessing the SKP.
Note
This article is intended for your organization’s Administrator who also has an Administrator account in the SKP.
Prerequisites
Currently, only the Microsoft Entra ID’s URL (https://login.microsoftonline.com) is trusted within Syniti’s network and security policies. To trust your organization’s IdP URL, you have to submit a request to Syniti Support.
You must be an SKP Administrator for your tenant, and the tenant must use the SKP-initiated sign-on page, to configure the OIDC settings in the SKP.
Note
This SKP Administrator account must be the initial administrator account (which uses a trusted domain) sent to you by Syniti’s Customer Success team during provisioning.
If you require additional domains to get added and activated in your tenant for using the SKP-initiated sign-on page, you have to submit a request to Syniti Support.
Ensure that you have an Administrator account in your IdP.
Your IdP must use a lifespan of 2 hours or longer for session tokens and identity tokens.
For testing purposes, ensure that you create a temporary user account in your organization domain.
Each OIDC authentication request is valid only for a limited time, so ensure that your IdP server’s clock is synchronized using Network Time Protocol (NTP).
If your organization uses an authenticator tool for multi-factor authentication (MFA) in the IdP, ensure that MFA is active and functioning correctly.
Note
The SSO configuration steps below may differ depending on your organization’s IdP.
Set Up the IdP
Create a new application in your organization’s IdP for the SKP.
Enter the following data in your IdP, using the Syniti Redirect URIs that match your SKP tenant region:

SKP Tenant Region | Sign-In Redirect URI | Sign-Out Redirect URI
Americas | https://api.syniti.com/oauth/signin/callback | https://login.syniti.com/home
Australia | https://api.syniti.au/oauth/signin/callback | https://login.syniti.au/home
EMEA | https://api.syniti.eu/oauth/signin/callback | https://login.syniti.eu/home
Canada | https://api.syniti.ca/oauth/signin/callback | https://login.syniti.ca/home

Provision the required users or user groups, including the temporary user account, to the new application.
Save the new application created for the SKP in your organization’s IdP.
After saving the IdP configuration, obtain the following details from your organization’s IdP:
Client ID
Client Secret
Issuer URI
Note
The Metadata URI has the form <Issuer URI>/.well-known/openid-configuration. The following values and endpoints for the registered application can be read from the document served at the Metadata URI:
Token Scopes
JWK URL
Login URL
Logout URL
Token URL
User Metadata Attributes
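The Metadata URI note above can be turned into a repeatable check. The following Python script is an added example, not Syniti’s code and not part of the SKP: it parses the JSON an IdP serves at <Issuer URI>/.well-known/openid-configuration and maps it onto the fields of the SKP’s Edit Single Sign On dialog, with the sanity checks worth running before values are pasted into the form (issuer in the document matches the Issuer URI, endpoints are HTTPS, the required scopes, claims and the authorization code flow are advertised). The embedded discovery document, its issuer and its endpoint paths are constructed placeholders; replace the document with the JSON your own IdP returns.

```python
"""Extract the OIDC endpoints the SKP asks for from an IdP discovery document.

Added example: not Syniti's code and not part of the SKP. It reads the JSON an
IdP serves at <Issuer URI>/.well-known/openid-configuration and maps it onto
the fields of the SKP's Edit Single Sign On dialog, with the sanity checks a
practitioner would run before pasting values into the form.
"""
import json
from urllib.parse import urlparse

# Discovery-document keys mapped to the SKP form fields they populate.
FIELD_MAP = {
    "JWKS URI": "jwks_uri",
    "Login URL": "authorization_endpoint",
    "Logout URL": "end_session_endpoint",
    "Token URL": "token_endpoint",
}
REQUIRED_SCOPES = {"openid", "email", "profile"}  # the SKP's Token Scope value
REQUIRED_CLAIMS = {"sub", "email", "name"}         # User Metadata Attributes


def metadata_uri(issuer: str) -> str:
    """Build the Metadata URI from the Issuer URI (trailing slash tolerated)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def extract_skp_settings(issuer: str, document: str) -> dict:
    """Return {SKP field: value} from a discovery document; raise ValueError on problems."""
    doc = json.loads(document)
    problems = []

    # The document's issuer must equal the Issuer URI it was fetched from. This
    # is the value the SKP will compare against the 'iss' claim of every ID token.
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")

    settings = {}
    for field, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing (needed for SKP field {field!r})")
            continue
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
        settings[field] = url
    settings["Token Scope"] = "openid email profile"

    # scopes_supported / claims_supported are optional in discovery documents,
    # so only complain when the IdP publishes them and they lack what the SKP needs.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"IdP does not advertise scopes {sorted(missing)}")
    if "claims_supported" in doc:
        missing = REQUIRED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append(f"IdP does not advertise claims {sorted(missing)}")

    # The SKP exchanges an authorization code at the Token URL, so 'code' must be supported.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")

    if problems:
        raise ValueError("; ".join(problems))
    return settings


# Constructed sample document with placeholder values; not from a real tenant.
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "end_session_endpoint": SAMPLE_ISSUER + "/v1/logout",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name", "email"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})

if __name__ == "__main__":
    print("Metadata URI:", metadata_uri(SAMPLE_ISSUER))
    for field, value in extract_skp_settings(SAMPLE_ISSUER, SAMPLE_DOCUMENT).items():
        print(f"{field:12} {value}")
```

The script refuses to emit settings rather than emitting partial ones, because a missing end_session_endpoint or an http:// JWKS URI is exactly the kind of value that passes the form and only fails, or weakens the setup, at the first login.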
Set Up OIDC SSO in the SKP
Log in to the SKP on the SKP-initiated sign-on page using the administrator account provisioned by Syniti.
SKP-initiated sign-on page
Select Admin from the Profile menu to access the Admin module of the SKP.
In the Admin menu, click Single Sign-On.
Click Configure SSO. The Edit Single Sign On dialog box is displayed.
Select the OIDC option to enable the fields related to OIDC SSO configuration.
Important!
Once you save your OIDC SSO configuration, you cannot switch it to the Security Assertion Markup Language (SAML) 2.0 protocol yourself. Ensure that you select the correct SSO protocol.
To switch to the SAML 2.0 protocol afterwards, you must contact Syniti Support.
In the SSO Configuration Name field, enter a unique name for your organization.
Configure the following OIDC settings:
Field Name
Description
Additional Comments
Client ID
Enter the unique identifier issued for the new SKP application by your IdP’s authorization server.
Not applicable
Client Secret
Client secret used with the Client ID to authenticate the SKP against the IdP’s authorization server.
Copy the Client Secret value from your IdP and paste it into the Client Secret field in the SKP.
Token Scope
A space-delimited list of scopes to specify the permissions or access rights for the SKP. The following three scope values are required:
openid
email
profile
Enter the scope values in the following format:
openid email profile
JWKS URI
The JSON Web Key Set (JWKS) endpoint publishes the public keys of your IdP’s authorization server. The SKP uses these keys to validate the signatures on the tokens issued by the IdP.
Obtain this endpoint from the jwks_uri attribute in the Metadata URI. It appears in one of the following forms, but may differ depending on your IdP:
"jwks_uri":"https://<authorization-server-domain>/keys"
"jwks_uri":"https://<authorization-server-domain>/certs"
Login URL
Authorization endpoint to which users are redirected to log in to the SKP application configured in your IdP.
Obtain this endpoint from the authorization_endpoint attribute in the Metadata URI. It appears in one of the following forms, but may differ depending on your IdP:
"authorization_endpoint":"https://<authorization-server-domain>/authorize"
"authorization_endpoint":"https://<authorization-server-domain>/auths"
Logout URL
Logout URL of the SKP application configured in your IdP, used when a user logs out of the SKP.
Obtain this endpoint from the end_session_endpoint attribute in the Metadata URI. It appears in the following form, but may differ depending on your IdP: "end_session_endpoint":"https://<authorization-server-domain>/logout"
Token URL
Token URL for the SKP to exchange an authorization code for an access token on the IdP’s authorization server.
Obtain this endpoint from the token_endpoint attribute in the Metadata URI. It appears in the following form, but may differ depending on your IdP: "token_endpoint":"https://<authorization-server-domain>/token"
In the User Metadata Attributes section, enter the values below in the corresponding fields on the page. The SKP obtains these claims by including the openid, profile, and email scopes in its authorization requests.
Field Name
Description
Example Attribute Value in the Metadata
Name
Display name of the user.
Enter the claim name as name.
Email Address
Email address of the user.
Enter the claim name as email.
Identifier
Primary identifier for the user in the directory; stable and unique within the IdP.
The claim name varies by IdP. Enter sub (the standard OIDC subject identifier) or id, as appropriate for your IdP.
Select Save to complete your SSO configuration in the SKP.
On the Single Sign-On page, turn on the Active toggle button to activate the SSO configuration for your organization.
Verify Your OIDC SSO Configuration
When you turn on the Active toggle button on the Single Sign-On page, Syniti enables the SSO feature for the users of your organization’s tenant in the SKP. This does not log out users who are already signed in to the SKP.
You do not need to create an SKP user account for the test user, because your organization’s IdP controls and manages access to the SKP for your users. The SKP looks up the email address returned by the IdP in its database and signs you in. If the email address is new, a new user is created and assigned to the Default User Group in the SKP.
Note
By default, only the Viewer user group is set as the Default User Group for new tenants. Edit the user group to change the Default User Group assignment. If no user group is set as the Default User Group, new users are not granted access to the SKP.
Complete the following steps to verify the OIDC SSO configuration:
Open a new incognito or private window in your browser.
Log in to the SKP using the email address of the temporary user account. You are redirected to your IdP’s sign-on page.
Complete the login process and confirm you are signed in.
If you experience a login error, refer to Troubleshoot Your OIDC SSO Configuration to troubleshoot your SSO configuration and test again in an incognito window.
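When the test login fails or the user lands in the SKP without a name or email, the quickest way to see what the IdP actually sent is to inspect the ID token from that login. The following Python script is an added example, not Syniti’s code and not part of the SKP: it decodes the token payload (without verifying the signature, which is the SKP’s job using the JWKS URI) and checks the points this article depends on: the iss claim equals the configured Issuer URI, the aud claim contains the SKP Client ID, the claims configured under User Metadata Attributes (name, email, sub) are present, and the exp minus iat lifetime meets the 2-hour prerequisite. The two sample tokens, their issuer, client ID and user values are constructed for the demonstration; paste the real id_token captured from your test user in their place.

```python
"""Inspect a test user's ID token for the claims and lifetime the SKP setup needs.

Added example: not Syniti's code and not part of the SKP. The payload is only
decoded, never signature-verified; the SKP does that using the JWKS URI.
"""
import base64
import json

MIN_LIFETIME_SECONDS = 2 * 60 * 60  # prerequisite: identity tokens live 2 hours or more


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict without verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def inspect_id_token(id_token: str, claim_map: dict, expected_issuer: str, client_id: str) -> dict:
    """Map the token's claims onto the SKP fields and list anything that would break login.

    claim_map is the User Metadata Attributes mapping as entered in the SKP, e.g.
    {"Name": "name", "Email Address": "email", "Identifier": "sub"}.
    Returns {"fields": {...}, "lifetime_seconds": int, "problems": [...]}.
    """
    payload = decode_payload(id_token)
    problems = []

    # iss must equal the Issuer URI entered in the SKP; aud must name the SKP Client ID.
    if payload.get("iss") != expected_issuer:
        problems.append(f"iss {payload.get('iss')!r} != configured Issuer URI")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the SKP Client ID")

    # Every SKP field must resolve to a non-empty claim, or the user record is incomplete.
    fields = {}
    for skp_field, claim in claim_map.items():
        value = payload.get(claim)
        if value in (None, ""):
            problems.append(f"claim {claim!r} for SKP field {skp_field!r} is missing")
        fields[skp_field] = value

    # Token lifetime is exp - iat; the prerequisites ask for at least 2 hours.
    lifetime = int(payload.get("exp", 0)) - int(payload.get("iat", 0))
    if lifetime < MIN_LIFETIME_SECONDS:
        problems.append(f"token lifetime {lifetime}s is below the 2-hour minimum")

    return {"fields": fields, "lifetime_seconds": lifetime, "problems": problems}


def make_sample_token(payload: dict) -> str:
    """Constructed demo token with a placeholder signature; real tokens are signed by the IdP."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.signature-placeholder"


# Constructed sample values for a test user; not from a real tenant.
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_CLIENT_ID = "0oa1example2client3"
NOW = 1_700_000_000
SKP_CLAIM_MAP = {"Name": "name", "Email Address": "email", "Identifier": "sub"}
GOOD_TOKEN = make_sample_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
    "iat": NOW, "exp": NOW + 3 * 3600,
    "sub": "00u1example", "name": "Test User", "email": "test.user@example.com",
})
# Same user, but a 1-hour token with no email claim: two misconfigurations the checks should catch.
BAD_TOKEN = make_sample_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
    "iat": NOW, "exp": NOW + 3600,
    "sub": "00u1example", "name": "Test User",
})

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        result = inspect_id_token(token, SKP_CLAIM_MAP, SAMPLE_ISSUER, SAMPLE_CLIENT_ID)
        print(label, json.dumps(result, indent=2))
```

A missing email claim usually means the email scope was not granted to the application in the IdP, and a short lifetime points at the IdP’s token policy rather than anything in the SKP form.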
Next Steps
Now that you have configured and verified your OIDC SSO configuration, you can proceed with identifying or adding the required users with appropriate roles in your IdP’s directory.
After identifying or adding the required users to your IdP’s directory, you must invite or assign them to the newly created application for the SKP.