Generic OIDC SSO
Configure Single Sign-On with any OpenID Connect compliant identity provider.Overview
NeuralTrust supports authentication with any OIDC-compliant identity provider, giving you flexibility to use your existing identity infrastructure. Compatible providers include:- Okta
- Auth0
- Google Workspace
- PingIdentity
- OneLogin
- Keycloak
- Any OIDC 1.0 compliant provider
Prerequisites
Before configuring Generic OIDC SSO, ensure you have:- NeuralTrust Account: Owner role in your team
- OIDC Provider: Administrator access to create applications
- Discovery Endpoint: Your provider must support OIDC Discovery (
.well-known/openid-configuration)
Important: One SSO Provider at a Time
Configuration Fields
Setup Steps
Step 1: Create an Application in Your Identity Provider
- Log in to your identity provider’s admin console
- Create a new Web Application or OIDC Application
- Configure the following settings:
Redirect URI
Register the exact callback URL shown in the in-app setup guide. The path is always/api/auth/callback/oidc; the origin depends on your environment:
The in-app setup guide shows the dynamic callback URL based on the current origin.
Step 2: Copy Credentials
From your identity provider, copy:- Issuer URL (or Discovery URL without
/.well-known/openid-configuration) - Client ID
- Client Secret
Step 3: Configure in NeuralTrust
- Navigate to Team Settings → SSO → tab Generic OIDC
- URL pattern:
https://app.neuraltrust.ai/{locale}/{teamId}/settings/sso
- URL pattern:
- Click Edit to enable editing mode
- In the Generic OIDC Configuration section, enter your credentials:
- Issuer URL: Paste your issuer URL
- Click Validate to verify the OIDC discovery endpoint
- Client ID: Paste your client ID
- Client Secret: Paste your client secret
- Display Name: (Optional) Custom button text
- Scopes: (Optional) Additional scopes if needed
- Optionally configure Trust Identity Provider, Role Mapping from IdP, and Session Policy
- Click Save
Step 4: Verify Email Domains
After configuring OIDC:- Scroll down to the Email Domains section (shared across SSO providers)
- Add your corporate email domain(s)
- Complete DNS verification (see Email Domain Verification below)
Trust Identity Provider
UI label: Trust Identity ProviderDefault: disabled When Trust Identity Provider is enabled:
- Any user successfully authenticated by your OIDC IdP can join the team without DNS verification of their email domain.
- New users are provisioned on first SSO login (subject to normal team access rules).
- New users must either already be team members or belong to a verified email domain configured under Email Domains.
Role Mapping from IdP
UI label: Role Mapping from IdPDefault: disabled Automatically assign Admin or Member team roles during OIDC login based on token claims.
Setup Steps
- Enable Role Mapping from IdP.
- Set Role Claim Name to the exact claim key from your IdP token.
- Add Role Mappings: IdP claim value → NeuralTrust role (
AdminorMember). - Set Default Role for users whose claim is missing or has no matching mapping.
How Mapping Works
Example: Multi-Value Group Claim
nt-members).
If the array also contains nt-admins, result is Admin (Admin wins over Member).
Example: Scalar Role Claim
{ "role": "admin-user" } → Admin.
Role mapping for Generic OIDC uses token claims. Microsoft Entra ID uses a separate Azure AD Group Sync mechanism on the Entra tab—not claim mapping. Do not conflate the two.
Federated Role Policy (OIDC Only)
Two optional toggles appear when Role Mapping from IdP is enabled. Both default to off. They apply only to Generic OIDC, not Entra ID.Require IdP Role Match
When enabled:- Login is denied if no value in the configured claim maps to a NeuralTrust role.
- The user is not created in the team for that login attempt.
- Redirect:
/login?error=insufficient_role - User-facing message: Access denied: your account does not have a role assigned for this team. Contact your administrator.
- Role Mapping from IdP must be on
- Role Claim Name must be set
- At least one role mapping must be configured
Sync Team Role from IdP on Login
When enabled:- The user’s NeuralTrust team role is updated on every OIDC login to reflect their current IdP role mapping.
- Promotions and demotions in the IdP take effect on the next login.
- The last administrator of a team (sole Admin or Owner) is never automatically downgraded. Their role is preserved silently on login.
- Existing team members keep their current role on subsequent logins; mapping applies only when the user first joins the team.
Behavior Matrix
Session Policy
UI label: Session PolicyDefault: Align with IdP
id_token.exp (recommended)
Controls how long the NeuralTrust application session lasts relative to the IdP.
When Fixed is selected:
- Configure Fixed session cap in minutes.
- Allowed range: 5 minutes to 30 days.
- If left empty, default cap is 24 hours (1440 minutes).
- A minimum floor of 60 seconds is always applied to avoid immediately expired sessions (clock skew protection).
Session Policy is available for both Generic OIDC and Microsoft Entra ID (same UI component).
Email Domain Verification
Verify ownership of your email domains to enable secure user auto-discovery.Why Domain Verification?
Domain verification prevents malicious actors from claiming email domains they don’t own:- ✅ Only domain owners can use the domain for SSO
- ✅ Users with verified domains can auto-discover their team
- ✅ Compliance requirements are met
Setup Steps
Step 1: Add Your Domain- Scroll to the Email Domains section (appears after SSO is configured)
- Enter your domain (e.g.,
yourcompany.com) - Click Add
DNS Provider Examples:
Step 3: Verify
- Wait 5-15 minutes for DNS propagation (can take up to 48 hours)
- Click the Verify button next to your domain
- If successful: Status changes to Verified ✓
Verification Status
If Trust Identity Provider is enabled, new users authenticated by the IdP can join without a verified domain. If Trust IdP is disabled, new users need a verified domain or an existing team membership.
Break Glass Users
Configure emergency password access before enforcing SSO.- On the Generic OIDC tab, scroll below the OIDC credentials form to find Break the Glass Users (below SSO Enforcement)
- Add up to 10 administrator emails who can log in with password during emergencies
- Click Save
Break-glass lists are per provider. Because only one SSO provider can be active at a time, you configure break-glass users for whichever provider is currently enabled. See Break the Glass for full details.
Enable SSO Enforcement
When ready to require SSO for all users:- On the Generic OIDC tab, enable the Enforce SSO toggle (below the credentials form)
- Confirm the warning about password login being disabled
- Users will now be required to authenticate via your OIDC provider
Provider-Specific Guides
Okta
Okta
- Go to Applications → Create App Integration
- Select OIDC - OpenID Connect and Web Application
- Configure:
- Sign-in redirect URI: Use the callback URL from the in-app setup guide (production:
https://app.neuraltrust.ai/api/auth/callback/oidc) - Assignments: Assign users/groups who should access NeuralTrust
- Sign-in redirect URI: Use the callback URL from the in-app setup guide (production:
- Copy Client ID and Client Secret from the application settings
- Your Issuer URL is:
https://your-org.okta.com
Auth0
Auth0
- Go to Applications → Create Application
- Select Regular Web Applications
- In Settings:
- Allowed Callback URLs: Use the callback URL from the in-app setup guide (production:
https://app.neuraltrust.ai/api/auth/callback/oidc)
- Allowed Callback URLs: Use the callback URL from the in-app setup guide (production:
- Copy Domain (this is your Issuer URL with
https://), Client ID, and Client Secret
Google Workspace
Google Workspace
- Go to Google Cloud Console → APIs & Services → Credentials
- Create OAuth 2.0 Client ID (Web application)
- Add Authorized redirect URI: Use the callback URL from the in-app setup guide (production:
https://app.neuraltrust.ai/api/auth/callback/oidc) - Copy Client ID and Client Secret
- Issuer URL:
https://accounts.google.com
Keycloak
Keycloak
- Go to your Keycloak admin console
- Create a new Client with:
- Client type: OpenID Connect
- Valid redirect URIs: Use the callback URL from the in-app setup guide (production:
https://app.neuraltrust.ai/api/auth/callback/oidc)
- Copy Client ID from General Settings
- Go to Credentials tab and copy Client Secret
- Issuer URL:
https://your-keycloak-domain/realms/your-realm
Troubleshooting
Related Documentation
- Microsoft Entra ID SSO — SSO with Microsoft corporate credentials and Azure AD group sync
- Break the Glass — Emergency access configuration
- Audit Logs — Monitor SSO-related security events
- SCIM Provisioning — Automated user provisioning (separate from OIDC SSO)