OpenID Connect (OIDC) SSO Integration Guide

This guide provides a general overview and step-by-step instructions for configuring OpenID Connect (OIDC) authentication between Multi-Pass (IdP) and a third-party Service Provider (SP).
OIDC is a modern identity layer built on top of OAuth 2.0 that enables SPs to verify end-user identities via an external identity provider. This configuration allows for secure, federated login using standard protocols.
Make sure you have the following:
  1. Admin access to a Multi-Pass Dashboard
  2. The tenant of your deployment (we will refer to it as <TENANT_NAME>)
  3. Administrative access to your application (SP)


Configure the Service Provider (SP)


Your application acts as the Service Provider. Start by creating a new OIDC profile using the following information from Multi-Pass:

What Each Field Means

Discovery Endpoint URL

Provides metadata about the IdP including:
  1. Authorization, token, and userinfo endpoints
  2. Supported scopes, grant types, and public keys

Authorization URL

Redirects users to Multi-Pass for login and consent

User Info URL

Used to retrieve authenticated user profile data like:
  1. sub
  2. email
  3. preferred_username

Token URL

Used to exchange the authorization code for:
  1. id_token
  2. access_token
  3. (optionally) refresh_token

End Session URL

Used to terminate the user's session on the IdP side.

Configure Multi-Pass (IdP)


Multi-Pass offers two interfaces:
  1. The Advanced Console (Legacy)
  2. The Dashboard Interface (Recommended)
You’ll need the following from your Service Provider (SP):
  1. Redirect URI (e.g., https://yourapp.com/callback)

Steps to follow

  1. Log in to Multi-Pass Dashboard
  2. Navigate to your deployment
  3. Click on Advanced Console
  4. Click on Clients, then Create Client
  5. Choose OIDC as the client type
  6. Provide a Client Name, Redirect URI, and enable Client Authentication
Once the client is created, you'll receive:
  1. Client ID
  2. Client Secret

Understanding the OIDC Response


During the OIDC flow, you’ll interact with the following key parameters:
  Parameter      Description
  response_type  Usually code for Authorization Code Flow
  state          (Optional) Used to prevent CSRF attacks
  nonce          Recommended to protect against replay attacks

Flow Summary:

  1. Redirect the user to the authorization endpoint.
  2. Receive the authorization code via redirect URI.
  3. Exchange the code at the token endpoint for:
    1. access_token
    2. id_token
    3. (optional) refresh_token
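
The three steps above as seen from the SP, in an added example that is not Multi-Pass code: it generates state and nonce for the authorization request, rejects a callback whose state does not match, and checks the id_token claims after the exchange. The endpoint, issuer and client ID are placeholders, the function names are hypothetical, and the claims passed to check_id_token_claims are assumed to come from an id_token whose signature a JOSE library has already verified against the IdP's public keys.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions): use the ones from your Multi-Pass client.
AUTHORIZATION_URL = "https://idp.example/authorize"
ISSUER = "https://idp.example"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://yourapp.com/callback"


def build_authorization_request():
    """Step 1: return (url, state, nonce); keep state and nonce in the user's session."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state, "nonce": nonce})
    return f"{AUTHORIZATION_URL}?{query}", state, nonce


def code_from_callback(callback_url, expected_state):
    """Step 2: return the code only if state matches the value stored in step 1."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError(f"IdP returned error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the response (possible CSRF)")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def check_id_token_claims(claims, expected_nonce, now=None):
    """Step 3, after the exchange: claims must come from a signature-verified id_token."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: discard the token (possible replay)")
    return claims["sub"]
```

Store state and nonce server-side, bound to the browser session that started the login, and delete them after one use.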