Vendor OpenID Configuration

🚧

Configuring Custom Domains (Before Your OpenID Configuration)

We strongly encourage you to configure your custom domain before configuring your OpenID connection, because changing it after the connection is configured may require some downtime. Custom Domains are beneficial for a number of reasons, such as avoiding cookie issues and enhancing your brand. Learn more about Custom Domains.

If you opt not to configure a custom domain, use your Frontegg subdomain followed by /auth/oidc/callback as your ACS URL.

Configuring OpenID in Your Frontegg Portal

Go to Environments ➜ [NAME OF ENVIRONMENT] ➜ Authentication ➜ SSO.

🚧

SSO/OpenID Enablement

If you do not see SSO ➜ OpenID in the sidebar, make sure it is enabled and published to the environment.

After clicking the OpenID Manage button, insert your redirect URL and save the changes. If you are using the Hosted login method, the Redirect URL should be https://[your-frontegg-domain].frontegg.com/oauth/account/oidc/callback.

If you are using the Embedded Login method, the Redirect URL should be [your-application-url]/account/oidc/callback, for example: http://localhost:3000/account/oidc/callback.
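A pre-flight check for the Redirect URL value before saving it, as an added example that is not part of Frontegg's documentation or SDK. The two callback paths come from this page; the function name, the sample hosts and the rule that plain http is accepted only for a loopback host are assumptions of the example.

```javascript
// Added example: validate a Redirect URL against the patterns on this page.
// checkRedirectUrl and the sample hosts are hypothetical, not Frontegg APIs.
const EXPECTED_PATH = {
  hosted: "/oauth/account/oidc/callback",   // Hosted login (from this page)
  embedded: "/account/oidc/callback",       // Embedded login (from this page)
};
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns a list of problems; an empty list means the value looks correct.
function checkRedirectUrl(method, redirectUrl, baseUrl) {
  const expectedPath = EXPECTED_PATH[method];
  if (!expectedPath) return [`unknown login method: ${method}`];

  let url, base;
  try {
    url = new URL(redirectUrl);
    base = new URL(baseUrl);
  } catch {
    return ["redirect URL and base URL must both be absolute URLs"];
  }

  const issues = [];
  // Assumption: http is tolerated only for local development hosts.
  const loopbackHttp = url.protocol === "http:" && LOOPBACK.has(url.hostname);
  if (url.protocol !== "https:" && !loopbackHttp) {
    issues.push("plain http is only acceptable for a loopback development host");
  }
  // The callback must live on the domain the login box is served from.
  if (url.host !== base.host) {
    issues.push(`host ${url.host} does not match ${base.host}`);
  }
  if (url.pathname !== expectedPath) {
    issues.push(`path should be ${expectedPath} for ${method} login`);
  }
  if (url.search || url.hash) {
    issues.push("redirect URL must not carry a query string or fragment");
  }
  if (url.username || url.password) {
    issues.push("redirect URL must not embed credentials");
  }
  return issues;
}
```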

Allow your customers to apply the connection or apply it for them

After configuring OIDC in the Frontegg Portal, you can either let your end users apply the SSO connection themselves via the Self-Service, or apply the connection details from their IDP on their behalf via Backoffice ➜ Accounts ➜ Account ➜ Actions SSO ➜ Configurations.

Enable SSO Tab in the Admin portal

To enable the SSO tab in the Self-Service for your end users:

🚧

Admin portal integration

Make sure that you have integrated the Admin portal into your application as described in the react-self-service documentation.

After the SSO tab is enabled, your customers can follow the instructions for adding the connection details from their IDP.

For OpenID there is no option to map roles to groups from the Self-Service UI (Admin portal). It can be applied only via APIs or the Backoffice.

Apply the connection from the Environment Backoffice

To apply the SSO connection on behalf of your customers, you can use the Backoffice or our APIs.

Additional resources

FAQs related to OpenID Connect SSO

Why does logging in with Azure AD OIDC throw an error?