Generic OIDC SSO

Configure Single Sign-On with any OpenID Connect compliant identity provider.

Overview

NeuralTrust supports authentication with any OIDC-compliant identity provider, giving you flexibility to use your existing identity infrastructure. Compatible providers include:
  • Okta
  • Auth0
  • Google Workspace
  • PingIdentity
  • OneLogin
  • Keycloak
  • Any OIDC 1.0 compliant provider

Prerequisites

Before configuring Generic OIDC SSO, ensure you have:
  • NeuralTrust Account: Owner role in your team
  • OIDC Provider: Administrator access to create applications
  • Discovery Endpoint: Your provider must support OIDC Discovery (.well-known/openid-configuration)

Configuration Fields

| Field | Required | Description |
|---|---|---|
| Issuer URL | Yes | The base URL of your OIDC provider (e.g., https://your-tenant.okta.com) |
| Client ID | Yes | The application/client ID from your identity provider |
| Client Secret | Yes | The client secret (stored encrypted) |
| Display Name | No | Custom name shown on the login button (e.g., “Sign in with Okta”) |
| Scopes | No | OAuth scopes to request (default: openid profile email) |

Setup Steps

Step 1: Create an Application in Your Identity Provider

  1. Log in to your identity provider’s admin console
  2. Create a new Web Application or OIDC Application
  3. Configure the following settings:

| Setting | Value |
|---|---|
| Sign-in redirect URI | https://app.neuraltrust.ai/api/auth/callback/oidc |
| Sign-out redirect URI | https://app.neuraltrust.ai (optional) |
| Grant types | Authorization Code |
| Scopes | openid, profile, email |

Step 2: Copy Credentials

From your identity provider, copy:
  • Issuer URL (or Discovery URL without /.well-known/openid-configuration)
  • Client ID
  • Client Secret

Step 3: Configure in NeuralTrust

  1. Navigate to Settings → SSO
  2. Click the Generic OIDC tab
  3. Click Edit to enable editing mode
  4. Enter your credentials:
    • Issuer URL: Paste your issuer URL
    • Click Validate to verify the OIDC discovery endpoint
    • Client ID: Paste your client ID
    • Client Secret: Paste your client secret
    • Display Name: (Optional) Custom button text
    • Scopes: (Optional) Additional scopes if needed
  5. Click Save

Step 4: Verify Email Domains

After configuring OIDC:
  1. Scroll down to Email Domains section
  2. Add your corporate email domain(s)
  3. Complete DNS verification (see Email Domain Verification below)

Step 5: Configure Break Glass Users

Before enforcing SSO:
  1. In the Generic OIDC tab, find the Break Glass Users section
  2. Add 1-3 administrator emails who can log in with password during emergencies
  3. Click Save
Break Glass Users are configured per SSO provider. If you have both Microsoft Entra ID and Generic OIDC, each has its own Break Glass configuration.

Step 6: Enable SSO Enforcement (Optional)

When ready to require SSO for all users:
  1. Enable the Enforce SSO toggle
  2. Confirm the warning about password login being disabled
  3. Users will now be required to authenticate via your OIDC provider
Before enabling SSO Enforcement, ensure you have configured Break Glass Users to prevent being locked out during identity provider outages.

Email Domain Verification

Verify ownership of your email domains to enable secure user auto-discovery.

Why Domain Verification?

Domain verification prevents malicious actors from claiming email domains they don’t own:
  • ✅ Only domain owners can use the domain for SSO
  • ✅ Users with verified domains can auto-discover their team
  • ✅ Compliance requirements are met

Setup Steps

Step 1: Add Your Domain

  1. Scroll to the Email Domains section (appears after SSO is configured)
  2. Enter your domain (e.g., yourcompany.com)
  3. Click Add

Step 2: Configure DNS

A verification token will be displayed. Add a TXT record to your DNS:

| Type | Host/Name | Value |
|---|---|---|
| TXT | @ | neuraltrust-verify-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |

DNS Provider Examples:

| Provider | Steps |
|---|---|
| Cloudflare | DNS → Add record → TXT → Name: @ → Content: token |
| GoDaddy | DNS Management → Add → TXT → Host: @ → TXT Value: token |
| AWS Route53 | Create record → TXT → Record name: (empty) → Value: token |
| Google Domains | DNS → Custom records → TXT → Host: (empty) → Data: token |

Step 3: Verify

  1. Wait 5-15 minutes for DNS propagation (can take up to 48 hours)
  2. Click the Verify button next to your domain
  3. If successful: Status changes to Verified
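
The following script is an added example for Steps 2 and 3 above; it is not part of the NeuralTrust docs or product. It checks, from your own workstation, whether the TXT record has propagated before you click Verify, and it distinguishes the exact token shown in the UI from a stale token-shaped record left over from an earlier attempt (the usual reason a domain ends up in the Failed state). The token shape (neuraltrust-verify- followed by a UUID) follows the docs; the hex-digit assumption, the dig invocation, the choice of public resolver, and the sample records are assumptions made for illustration.

```python
"""Check a domain's TXT records for the NeuralTrust verification token.

Added example, not part of the NeuralTrust docs or product. The token shape
(neuraltrust-verify-<uuid>) follows the docs; the dig invocation, the public
resolver and the sample records below are assumptions made for illustration.
"""
import re
import subprocess
from typing import List

# UUID-shaped token as shown in the docs; hex digits are an assumption.
TOKEN_RE = re.compile(
    r"^neuraltrust-verify-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
QUOTED_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(raw_lines: List[str]) -> List[str]:
    """Turn `dig +short TXT` output into one plain string per record.

    dig prints each record as one or more quoted character-strings; a record
    longer than 255 bytes arrives as several quoted chunks on one line that
    must be concatenated, and embedded quotes are escaped with a backslash.
    """
    records = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        chunks = QUOTED_CHUNK.findall(line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
        else:  # unquoted output from other tools
            records.append(line)
    return records


def find_verification_tokens(records: List[str]) -> List[str]:
    """All records that look like NeuralTrust tokens (stale ones included)."""
    return [r.strip() for r in records if TOKEN_RE.match(r.strip())]


def domain_is_verified(records: List[str], expected_token: str) -> bool:
    """True only when the exact token shown in the NeuralTrust UI is present.

    A token-shaped record with a different value is not enough: it may be left
    over from an earlier attempt, and Verify will report Failed.
    """
    return expected_token.strip() in {r.strip() for r in records}


def lookup_txt(domain: str, resolver: str = "1.1.1.1") -> List[str]:
    """Query a public resolver directly so a stale local cache does not hide the new record."""
    out = subprocess.run(
        ["dig", f"@{resolver}", "+short", "TXT", domain],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_txt_records(out.splitlines())


# Constructed sample of `dig +short TXT yourcompany.com` output (not real data).
SAMPLE_DIG_OUTPUT = [
    '"v=spf1 include:_spf.example.com ~all"',
    '"neuraltrust-verify-0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"',
]
EXPECTED_TOKEN = "neuraltrust-verify-0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python check_txt.py yourcompany.com <token from the UI>
        records, expected = lookup_txt(sys.argv[1]), sys.argv[2]
    else:
        records, expected = parse_txt_records(SAMPLE_DIG_OUTPUT), EXPECTED_TOKEN
    stale = [t for t in find_verification_tokens(records) if t != expected.strip()]
    print("verified" if domain_is_verified(records, expected) else "not yet visible")
    if stale:
        print("stale tokens present, remove them:", ", ".join(stale))
```

Run it with the domain and the token copied from the Email Domains section; when it prints "verified" against a public resolver, clicking Verify should succeed. Querying a public resolver rather than the local one matters because a cached negative answer on your machine can make a record look absent for the length of the zone's TTL.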

Verification Status

| Status | Meaning | Action |
|---|---|---|
| Pending | Awaiting DNS verification | Add TXT record and click Verify |
| Verified | Domain ownership confirmed | Domain is active for SSO |
| Failed | Verification unsuccessful | Check DNS record and retry |

Provider-Specific Guides

Okta

  1. Go to Applications → Create App Integration
  2. Select OIDC - OpenID Connect and Web Application
  3. Configure:
    • Sign-in redirect URI: https://app.neuraltrust.ai/api/auth/callback/oidc
    • Assignments: Assign users/groups who should access NeuralTrust
  4. Copy Client ID and Client Secret from the application settings
  5. Your Issuer URL is: https://your-org.okta.com

Auth0

  1. Go to Applications → Create Application
  2. Select Regular Web Applications
  3. In Settings:
    • Allowed Callback URLs: https://app.neuraltrust.ai/api/auth/callback/oidc
  4. Copy Domain (this is your Issuer URL with https://), Client ID, and Client Secret

Google Workspace

  1. Go to Google Cloud Console → APIs & Services → Credentials
  2. Create OAuth 2.0 Client ID (Web application)
  3. Add Authorized redirect URI: https://app.neuraltrust.ai/api/auth/callback/oidc
  4. Copy Client ID and Client Secret
  5. Issuer URL: https://accounts.google.com

Keycloak

  1. Go to your Keycloak admin console
  2. Create a new Client with:
    • Client type: OpenID Connect
    • Valid redirect URIs: https://app.neuraltrust.ai/api/auth/callback/oidc
  3. Copy Client ID from General Settings
  4. Go to Credentials tab and copy Client Secret
  5. Issuer URL: https://your-keycloak-domain/realms/your-realm

Troubleshooting

| Error | Solution |
|---|---|
| Invalid issuer | Verify the Issuer URL is correct and supports OIDC Discovery |
| Client authentication failed | Check Client ID and Client Secret are correct |
| Redirect URI mismatch | Ensure https://app.neuraltrust.ai/api/auth/callback/oidc is registered |
| User not authorized | Verify the user’s email domain is verified in NeuralTrust |
| Discovery endpoint not found | Add /.well-known/openid-configuration to verify your issuer URL supports discovery |
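
The script below is an added example, not NeuralTrust's code and not a call to its API. It covers the Discovery Endpoint prerequisite, the "Issuer URL or Discovery URL without /.well-known/openid-configuration" rule from Step 2 of the setup, and the "Invalid issuer" and "Discovery endpoint not found" rows above: it derives the discovery URL from whatever was pasted, then checks the metadata for the properties the integration relies on (issuer value equal to the URL it was fetched from, https endpoints, Authorization Code support, the default openid/profile/email scopes, RS256 ID token signing). The hypothetical issuer https://idp.example.com and its sample document are constructed for illustration.

```python
"""Pre-flight check of an OIDC issuer's discovery document.

Added example; it is not NeuralTrust's code and does not call NeuralTrust's API.
It reproduces, from the operator's side, what the Validate button needs to be
true: <issuer>/.well-known/openid-configuration is reachable and the metadata
in it supports the Authorization Code flow with the openid/profile/email scopes.
"""
import json
import urllib.request
from typing import Dict, List
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
DEFAULT_SCOPES = {"openid", "profile", "email"}  # default scopes named in the docs


def normalize_issuer(value: str) -> str:
    """Reduce a pasted value to a bare issuer URL.

    Accepts either the issuer itself or the full discovery URL (Step 2 says to
    drop the /.well-known/openid-configuration part) and removes a trailing
    slash, which providers often omit in their own 'issuer' claim.
    """
    value = value.strip()
    if value.endswith(DISCOVERY_SUFFIX):
        value = value[: -len(DISCOVERY_SUFFIX)]
    return value.rstrip("/")


def discovery_url(value: str) -> str:
    """Issuer URL (or pasted discovery URL) -> discovery document URL."""
    return normalize_issuer(value) + DISCOVERY_SUFFIX


def validate_discovery(issuer: str, metadata: Dict) -> List[str]:
    """Return the problems found; an empty list means the document is usable."""
    issuer = normalize_issuer(issuer)
    problems: List[str] = []

    if urlsplit(issuer).scheme != "https":
        problems.append("issuer must be an https URL")

    # OIDC Discovery requires the 'issuer' in the document to equal the URL it
    # was fetched from; a mismatch is the usual cause of an "Invalid issuer" error.
    declared = str(metadata.get("issuer", "")).rstrip("/")
    if declared != issuer:
        problems.append(f"issuer mismatch: document declares {declared!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")

    if "code" not in metadata.get("response_types_supported", []):
        problems.append("Authorization Code flow (response_type=code) not advertised")

    # scopes_supported is optional in the spec; only check it when the provider lists it.
    if "scopes_supported" in metadata:
        missing = DEFAULT_SCOPES - set(metadata["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))

    if "RS256" not in metadata.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")

    return problems


def fetch_metadata(issuer: str, timeout: float = 5.0) -> Dict:
    """Download the discovery document of a live issuer (network access required)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample document for a hypothetical issuer (not real provider output).
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    import sys
    # usage: python check_issuer.py https://your-tenant.okta.com  (no argument: sample data)
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_METADATA["issuer"]
    metadata = fetch_metadata(issuer) if len(sys.argv) > 1 else SAMPLE_METADATA
    problems = validate_discovery(issuer, metadata)
    print("OK" if not problems else "\n".join("PROBLEM: " + p for p in problems))
```

A 404 from fetch_metadata corresponds to the "Discovery endpoint not found" row: the base URL is wrong or the provider exposes discovery under a different path (Keycloak, for instance, only serves it under the realm URL). An "issuer mismatch" result means the value pasted into NeuralTrust differs from what the provider declares about itself, typically a trailing path segment or a custom domain versus the tenant's default one.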