OpenID Connect (OIDC)
OpenID Connect is best used in combination with LDAP.
What is OpenID Connect?
OpenID Connect is built on the process flows of OAuth 2.0 and typically uses the JWT (JSON Web Token) format for the ID token.
In OpenID Connect, the user is redirected from the Relying Party (RP) to the OpenID Provider (OP) for sign-in.
OpenID Connect uses back-channel communication from server to API instead of passing responses through the browser as SAML does.
How to set up OpenID Connect SSO with Celonis EMS
Prerequisites: Client ID, Client Secret & provider discovery URL
The “Authorized Redirect URI” for Celonis EMS is: https://[customerdomain].[realm].celonis.cloud/api/auth-handler/oidc/callback → e.g. https://customer1.eu-1.celonis.cloud/api/auth-handler/oidc/callback
1. Go to Team Settings > Single Sign-On.
2. Click “Add SSO Provider” and choose “OIDC”.
3. Set a name for the connection.
4. Set the client ID.
5. Set the client secret.
6. Set the provider discovery URL.
Note
The provider discovery URL is the web address that is used to authenticate the client ID and client secret specified in steps 4 and 5.
7. Click Save.
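As an added example (not Celonis code), the following shows what an OIDC Relying Party does with the three prerequisites above: it reads the OP's endpoints from the discovery document, redirects the user to the authorization endpoint with the registered redirect URI, and validates the ID token it receives over the back channel. The discovery document, issuer, client ID and client secret are constructed values; HS256 keyed with the client secret stands in for the RS256 signing most providers use.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Constructed sample of the JSON served at the provider discovery URL (<issuer>/.well-known/openid-configuration).
DISCOVERY_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
}
CLIENT_ID = "celonis-ems-rp"          # constructed; stands in for the real client ID
CLIENT_SECRET = "constructed-secret"  # constructed; stands in for the real client secret
REDIRECT_URI = "https://customer1.eu-1.celonis.cloud/api/auth-handler/oidc/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_mac(head: str, body: str) -> bytes:
    return hmac.new(CLIENT_SECRET.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()

def build_authorization_url(disc: dict, state: str, nonce: str) -> str:
    """Redirect target for sign-in: the OP authorization endpoint from discovery, with the registered redirect URI."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": state, "nonce": nonce}
    return disc["authorization_endpoint"] + "?" + urlencode(params)

def sign_hs256(claims: dict) -> str:
    """Stands in for the OP: mints an HS256 ID token keyed with the client secret (OIDC Core allows this)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(hs256_mac(head, body))}"

def validate_id_token(id_token: str, disc: dict, nonce: str, now=None) -> dict:
    """RP-side check of the ID token from the back-channel token response:
    signature first, then iss / aud / nonce / exp. Returns the claims or raises."""
    head, body, sig = id_token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none and algorithm downgrades
    if not hmac.compare_digest(hs256_mac(head, body), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    for name, want in {"iss": disc["issuer"], "aud": CLIENT_ID, "nonce": nonce}.items():
        if claims.get(name) != want:
            raise ValueError(f"{name} mismatch")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("ID token expired")
    return claims
```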
Allow bypassing SSO
It may at times be necessary to open the team to third parties who are not listed in the Identity Provider, or for whom listing them there would take too long. This can be the case in implementation projects where external people work on the team.
For these cases, the OIDC setup offers the possibility to allow logins via the usual <team>.<cluster>.celonis.cloud/ui/login route. This route allows logins to the team for anyone who is a member of the team and has set a password (user accounts created via LDAP sync do not have a password).
To enable, set the checkbox “Allow bypassing via IBC login form” and save.
To disable, unset the checkbox “Allow bypassing via IBC login form” and save.
Note
If the SSO connection breaks and you are locked out of your team, Celonis can help you.