Skip to main content

Celonis Product Documentation

OpenID Connect (OIDC)

OpenID Connect should best be used in combination withLDAP

  • What is OpenID Connect?

  • Allow bypassing SSO

What is OpenID Connect?

OpenId Connect is built on the process flows of OAuth 2.0 and typically uses the JWT (JSON Web token) format for the id-token.

In OpenID Connect, the user is redirected from the Relying Party (RP) to the OpenID Provider (OP) or sign-in.

OpenID Connect uses the backchannel communication rom server to API instead of passing responses through the browser like SAML.


How to set up OpenID Connect SSO with Celonis EMS


Prerequisites: Client ID, Client Secret & provider discovery URL

The “Authorized Redirect URI” for Celonis EMS is: https://[customerdomain].[realm] → e.g.

  1. Go toTeam-Settings > Single Sign-On/

  2. Click “Add SSO Provider” & choose “OIDC”.

  3. Set a namef or the connection.

  4. Set the client ID.

  5. Set the client secret.

  6. Set the provider discovery URL.


    The provider discovery URL is web address that is used to authenticate the client ID and client secret as specified in steps 4 and 5.

  7. Click Save.

Allow bypassing SSO

For some periods of time, it may become necessary to open the team to third parties who are not listed inside the Identity Provider or where it would take too long to list them there. For implementation projects, where external people work on the team, this can be the case.

For these cases, the OICD setup offers the possibility to allow logins via the usual <team>.<cluster> route. This route allows logins to the team to anyone who is a member of the team and has set a password (user accounts created via LDAP sync do not have a password).

To enable, set the checkbox “Allow bypassing via IBC login form” and save.

To disable, unset the checkbox “Allow bypassing via IBC login form” and save.


In case that the SSO connection breaks and you are "locked out" of your team, Celonis can help you.