
Celonis Product Documentation

Configuring OIDC single sign-on

Your users can access your Celonis Platform using OpenID Connect (OIDC) single sign-on (SSO), which issues each user an ID token on login.

Prerequisites

To configure your OIDC SSO, you need the following from your identity provider:

  • ClientID

  • Client secret

  • Provider Discovery URL

You also need the following authorized redirect URL:

https://[customerdomain].[realm].celonis.cloud/api/auth-handler/oidc/callback

Procedure

To configure your OIDC SSO:

  1. Click Admin & Settings - Single Sign-On.

  2. Click OIDC - Configure.

    A screenshot showing where to click the Add SSO provider button.
  3. Enter the required information, including ClientID, Client Secret, Provider Discovery URL, and Scope value.

    When entering your scope value, we recommend using openid email or openid email profile.

    Optional: You can also allow bypassing via login form.

    A screenshot showing the OIDC general settings user interface.
  4. Click Save.

  5. When prompted, either click Activate or choose to activate your configuration later.

    If activating your OIDC configuration later, return to the Single Sign-On screen and click Activate:

    A screenshot showing the activate button.

    Your OIDC SSO is now active. All users who are active at that point are automatically logged out and need to re-authenticate to regain access.
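Before entering the prerequisites in the form, you can sanity-check them offline. The following is an added example, not Celonis code: it builds the exact redirect URL to register with your identity provider and checks a locally saved copy of the provider's discovery document against the scope value you plan to enter. The function names, idp.example, acme and eu-1 are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

# Constructed sample data (idp.example is a placeholder, not a real provider).
SAMPLE_URL = "https://idp.example/tenant1" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example/tenant1",
    "authorization_endpoint": "https://idp.example/tenant1/authorize",
    "token_endpoint": "https://idp.example/tenant1/token",
    "jwks_uri": "https://idp.example/tenant1/keys",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
}

def redirect_url(customerdomain, realm):
    """Build the redirect URL to register with the IdP (pattern from this page)."""
    for label in (customerdomain, realm):
        if not LABEL.fullmatch(label):  # rejects dots, slashes, upper case
            raise ValueError(f"not a valid DNS label: {label!r}")
    return f"https://{customerdomain}.{realm}.celonis.cloud/api/auth-handler/oidc/callback"

def check_discovery(discovery_url, doc, scope="openid email profile"):
    """Return a list of problems found in an IdP discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    # The issuer must equal the discovery URL minus the well-known suffix.
    expected = discovery_url.removesuffix(WELL_KNOWN)
    if doc.get("issuer", "").rstrip("/") != expected:
        problems.append(f"issuer mismatch: expected {expected}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    requested = scope.split()
    if "openid" not in requested:
        problems.append("scope must contain 'openid' (lowercase, case-sensitive)")
    supported = doc.get("scopes_supported")
    if supported is not None:  # the field is optional in the specification
        problems += [f"scope not advertised by IdP: {s}" for s in requested if s not in supported]
    return problems
```

An empty list from check_discovery means the document passed these checks; the redirect URL must be registered with the identity provider exactly as returned.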

Allow bypassing via login form

Enabling this option allows users who are outside of your IdP to still access your team with their email address and password. This feature is beneficial when working on implementation projects or when adding the user to your IdP is time-consuming.
