Skip to main content

Generic OIDC SSO

Configure Single Sign-On with any OpenID Connect compliant identity provider.

Overview

NeuralTrust supports authentication with any OIDC-compliant identity provider, giving you flexibility to use your existing identity infrastructure. Compatible providers include:
  • Okta
  • Auth0
  • Google Workspace
  • PingIdentity
  • OneLogin
  • Keycloak
  • Any OIDC 1.0 compliant provider

Prerequisites

Before configuring Generic OIDC SSO, ensure you have:
  • NeuralTrust Account: Owner role in your team
  • OIDC Provider: Administrator access to create applications
  • Discovery Endpoint: Your provider must support OIDC Discovery (.well-known/openid-configuration)

Important: One SSO Provider at a Time

Only Microsoft Entra ID or Generic OIDC can be configured at a time—not both. To switch providers, delete the current provider’s configuration first.

Configuration Fields


Setup Steps

Step 1: Create an Application in Your Identity Provider

  1. Log in to your identity provider’s admin console
  2. Create a new Web Application or OIDC Application
  3. Configure the following settings:

Redirect URI

Register the exact callback URL shown in the in-app setup guide. The path is always /api/auth/callback/oidc; the origin depends on your environment: The in-app setup guide shows the dynamic callback URL based on the current origin.

Step 2: Copy Credentials

From your identity provider, copy:
  • Issuer URL (or Discovery URL without /.well-known/openid-configuration)
  • Client ID
  • Client Secret

Step 3: Configure in NeuralTrust

  1. Navigate to Team SettingsSSO → tab Generic OIDC
    • URL pattern: https://app.neuraltrust.ai/{locale}/{teamId}/settings/sso
  2. Click Edit to enable editing mode
  3. In the Generic OIDC Configuration section, enter your credentials:
    • Issuer URL: Paste your issuer URL
    • Click Validate to verify the OIDC discovery endpoint
    • Client ID: Paste your client ID
    • Client Secret: Paste your client secret
    • Display Name: (Optional) Custom button text
    • Scopes: (Optional) Additional scopes if needed
  4. Optionally configure Trust Identity Provider, Role Mapping from IdP, and Session Policy
  5. Click Save

Step 4: Verify Email Domains

After configuring OIDC:
  1. Scroll down to the Email Domains section (shared across SSO providers)
  2. Add your corporate email domain(s)
  3. Complete DNS verification (see Email Domain Verification below)

Trust Identity Provider

UI label: Trust Identity Provider
Default: disabled
When Trust Identity Provider is enabled:
  • Any user successfully authenticated by your OIDC IdP can join the team without DNS verification of their email domain.
  • New users are provisioned on first SSO login (subject to normal team access rules).
When disabled (default):
  • New users must either already be team members or belong to a verified email domain configured under Email Domains.
Only enable Trust Identity Provider if you fully trust the IdP to authenticate authorized users only. This bypasses domain ownership verification for user provisioning.
Interaction with Email Domains: Domain verification still matters for team discovery and security when Trust IdP is off. With Trust IdP on, unverified domains do not block IdP-authenticated users from joining.

Role Mapping from IdP

UI label: Role Mapping from IdP
Default: disabled
Automatically assign Admin or Member team roles during OIDC login based on token claims.

Setup Steps

  1. Enable Role Mapping from IdP.
  2. Set Role Claim Name to the exact claim key from your IdP token.
  3. Add Role Mappings: IdP claim value → NeuralTrust role (Admin or Member).
  4. Set Default Role for users whose claim is missing or has no matching mapping.

How Mapping Works

Example: Multi-Value Group Claim

User token:
Result: Member (matched nt-members). If the array also contains nt-admins, result is Admin (Admin wins over Member).

Example: Scalar Role Claim

Token { "role": "admin-user" }Admin.
Role mapping for Generic OIDC uses token claims. Microsoft Entra ID uses a separate Azure AD Group Sync mechanism on the Entra tab—not claim mapping. Do not conflate the two.

Federated Role Policy (OIDC Only)

Two optional toggles appear when Role Mapping from IdP is enabled. Both default to off. They apply only to Generic OIDC, not Entra ID.

Require IdP Role Match

When enabled:
  • Login is denied if no value in the configured claim maps to a NeuralTrust role.
  • The user is not created in the team for that login attempt.
  • Redirect: /login?error=insufficient_role
  • User-facing message: Access denied: your account does not have a role assigned for this team. Contact your administrator.
Requirements before enabling:
  • Role Mapping from IdP must be on
  • Role Claim Name must be set
  • At least one role mapping must be configured
Test mappings thoroughly before enabling. Any authenticated user without a mapped claim value will be blocked—even if a Default Role is configured. Default Role does not bypass this gate; the claim must contain at least one mapped value.

Sync Team Role from IdP on Login

When enabled:
  • The user’s NeuralTrust team role is updated on every OIDC login to reflect their current IdP role mapping.
  • Promotions and demotions in the IdP take effect on the next login.
Safeguard:
  • The last administrator of a team (sole Admin or Owner) is never automatically downgraded. Their role is preserved silently on login.
When disabled (default):
  • Existing team members keep their current role on subsequent logins; mapping applies only when the user first joins the team.

Behavior Matrix


Session Policy

UI label: Session Policy
Default: Align with IdP id_token.exp (recommended)
Controls how long the NeuralTrust application session lasts relative to the IdP. When Fixed is selected:
  • Configure Fixed session cap in minutes.
  • Allowed range: 5 minutes to 30 days.
  • If left empty, default cap is 24 hours (1440 minutes).
  • A minimum floor of 60 seconds is always applied to avoid immediately expired sessions (clock skew protection).
Session Policy is available for both Generic OIDC and Microsoft Entra ID (same UI component).

Email Domain Verification

Verify ownership of your email domains to enable secure user auto-discovery.

Why Domain Verification?

Domain verification prevents malicious actors from claiming email domains they don’t own:
  • ✅ Only domain owners can use the domain for SSO
  • ✅ Users with verified domains can auto-discover their team
  • ✅ Compliance requirements are met

Setup Steps

Step 1: Add Your Domain
  1. Scroll to the Email Domains section (appears after SSO is configured)
  2. Enter your domain (e.g., yourcompany.com)
  3. Click Add
Step 2: Configure DNS A verification token will be displayed. Add a TXT record to your DNS: DNS Provider Examples: Step 3: Verify
  1. Wait 5-15 minutes for DNS propagation (can take up to 48 hours)
  2. Click the Verify button next to your domain
  3. If successful: Status changes to Verified

Verification Status

If Trust Identity Provider is enabled, new users authenticated by the IdP can join without a verified domain. If Trust IdP is disabled, new users need a verified domain or an existing team membership.

Break Glass Users

Configure emergency password access before enforcing SSO.
  1. On the Generic OIDC tab, scroll below the OIDC credentials form to find Break the Glass Users (below SSO Enforcement)
  2. Add up to 10 administrator emails who can log in with password during emergencies
  3. Click Save
Break-glass lists are per provider. Because only one SSO provider can be active at a time, you configure break-glass users for whichever provider is currently enabled. See Break the Glass for full details.
Requirements: Users must already exist in NeuralTrust, have a password set, and be team members.

Enable SSO Enforcement

When ready to require SSO for all users:
  1. On the Generic OIDC tab, enable the Enforce SSO toggle (below the credentials form)
  2. Confirm the warning about password login being disabled
  3. Users will now be required to authenticate via your OIDC provider
Before enabling SSO Enforcement, ensure you have configured Break Glass Users to prevent being locked out during identity provider outages.

Provider-Specific Guides

  1. Go to ApplicationsCreate App Integration
  2. Select OIDC - OpenID Connect and Web Application
  3. Configure:
    • Sign-in redirect URI: Use the callback URL from the in-app setup guide (production: https://app.neuraltrust.ai/api/auth/callback/oidc)
    • Assignments: Assign users/groups who should access NeuralTrust
  4. Copy Client ID and Client Secret from the application settings
  5. Your Issuer URL is: https://your-org.okta.com
  1. Go to ApplicationsCreate Application
  2. Select Regular Web Applications
  3. In Settings:
    • Allowed Callback URLs: Use the callback URL from the in-app setup guide (production: https://app.neuraltrust.ai/api/auth/callback/oidc)
  4. Copy Domain (this is your Issuer URL with https://), Client ID, and Client Secret
  1. Go to Google Cloud ConsoleAPIs & ServicesCredentials
  2. Create OAuth 2.0 Client ID (Web application)
  3. Add Authorized redirect URI: Use the callback URL from the in-app setup guide (production: https://app.neuraltrust.ai/api/auth/callback/oidc)
  4. Copy Client ID and Client Secret
  5. Issuer URL: https://accounts.google.com
  1. Go to your Keycloak admin console
  2. Create a new Client with:
    • Client type: OpenID Connect
    • Valid redirect URIs: Use the callback URL from the in-app setup guide (production: https://app.neuraltrust.ai/api/auth/callback/oidc)
  3. Copy Client ID from General Settings
  4. Go to Credentials tab and copy Client Secret
  5. Issuer URL: https://your-keycloak-domain/realms/your-realm

Troubleshooting