OpenID Connect (OIDC) SSO Integration Guide

This guide provides a general overview and step-by-step instructions for configuring OpenID Connect (OIDC) authentication between Multi-Pass (IdP) and a third-party Service Provider (SP).
OIDC is a modern identity layer built on top of OAuth 2.0 that enables SPs to verify end-user identities via an external identity provider. This configuration allows for secure, federated login using standard protocols.
Make sure you have the following:
  1. Admin access to a Multi-Pass Dashboard
  2. Your deployment's tenant, identified in advance (referred to as <TENANT_NAME>)
  3. Administrative access to your application (SP)



Configure the Service Provider (SP)




Your application acts as the Service Provider. Start by creating a new OIDC profile using the following information from Multi-Pass:

What Each Field Means

Discovery Endpoint URL

Provides metadata about the IdP including:
  1. Authorization, token, and userinfo endpoints
  2. Supported scopes, grant types, and public keys

Authorization URL

Redirects users to Multi-Pass for login and consent

User Info URL

Used to retrieve authenticated user profile data like:
  1. sub
  2. email
  3. preferred_username

Token URL

Used to exchange the authorization code for:
  1. id_token
  2. access_token
  3. (optionally) refresh_token

End Session URL

Used to terminate the user's session on the IdP side.


Configure Multi-Pass (IdP)



Multi-Pass offers two interfaces:
  1. The Advanced Console (Legacy)
  2. The Dashboard Interface (Recommended)
You’ll need the following from your Service Provider (SP):
  1. Redirect URI (e.g., https://yourapp.com/callback)

Steps to follow

  1. Log in to Multi-Pass Dashboard
  2. Navigate to your tenant
  3. Click on Advanced Console
  4. Click on Clients, then Create Client
  5. Choose OIDC as the client type
  6. Provide a Client Name, Redirect URI, and enable Client Authentication
Once the client is created, you'll receive:
  1. Client ID
  2. Client Secret


Understanding the OIDC Response




During the OIDC flow, you’ll interact with the following key parameters:
Parameter | Description
response_type | Usually code for Authorization Code Flow
state | (Optional) Used to prevent CSRF attacks
nonce | Recommended to protect against replay attacks

Flow Summary:

  1. Redirect the user to the authorization endpoint.
  2. Receive the authorization code via redirect URI.
  3. Exchange the code at the token endpoint for:
    1. access_token
    2. id_token
    3. (optional) refresh_token
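
The following is an added example, not code from Multi-Pass or from the original guide. It shows steps 1 and 2 of the flow on the SP side with both state and nonce in use: generating them per login, rejecting a callback whose state does not match, and checking the nonce claim after the token exchange. The endpoint URL, client ID, session dictionary and function names are assumptions, and check_nonce expects claims from an id_token whose signature has already been verified against the IdP's public keys.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumptions): use the endpoints from the discovery document
# and the Client ID / Redirect URI registered in Multi-Pass.
AUTHORIZATION_URL = "https://idp.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://yourapp.com/callback"

def same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())

def build_auth_request(session: dict) -> str:
    """Step 1: URL that redirects the user to the authorization endpoint."""
    # Fresh unguessable values per login attempt, stored server-side.
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return AUTHORIZATION_URL + "?" + urlencode({
        "response_type": "code",  # Authorization Code Flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    })

def handle_callback(callback_url: str, session: dict) -> str:
    """Step 2: return the authorization code only if state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oidc_state", None)  # single use
    returned = params.get("state", [])
    if expected is None or len(returned) != 1 or not same(returned[0], expected):
        raise ValueError("state missing or mismatched")
    if "error" in params:
        raise ValueError("IdP returned error: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

def check_nonce(verified_claims: dict, session: dict) -> None:
    """After step 3: id_token nonce claim must equal the stored nonce.
    verified_claims: claims of an id_token whose signature is already verified."""
    expected = session.pop("oidc_nonce", None)
    claim = verified_claims.get("nonce")
    if expected is None or not isinstance(claim, str) or not same(claim, expected):
        raise ValueError("nonce missing or mismatched")
```

Because state and nonce are removed from the session when checked, a second callback or a replayed id_token carrying the same values is rejected.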