Configure OpenID Connect (OIDC) SSO

This guide will teach you how to configure single sign-on access via OpenID Connect (OIDC) in your Formant organization.

This feature is available with our Enterprise plan.

Prerequisites

Set up an OIDC identity provider

Before using OIDC SSO in Formant, you'll need to set up an OIDC provider for your organization. You'll need to enter the provider's URL, and generate a Client ID to allow Formant to authenticate via OIDC.

(Optional) Create OIDC groups, Formant teams, and Formant roles

You can manage various groups of users and their permissions within your OIDC authentication structure. When users sign into your Formant organization using OIDC SSO, their email address will be checked for membership in a group. If the address is found, the user is assigned the set of permissions and access levels associated with that group.

Formant has an equivalent concept, which is accomplished using roles and teams. A role is a set of permissions and access levels granted to a single user. A team is a named set of users who all have the same role.

When users sign into Formant via OIDC SSO for the first time, if they are part of an OIDC group, Formant will check for an equivalent team. If the group does not have a corresponding team, the user will be assigned a default role.

To learn more about creating roles and teams in Formant, see "Users, service accounts, and teams" and "Configure access levels".

Step 1: Navigate to OIDC SSO settings

  1. In Formant, in the upper-left corner, open the menu and click Settings.
  2. Click Users. At the top of the page, click SSO Settings....
  3. Click the OIDC tab.

Step 2: Configure OIDC SSO

Identity provider information

| Property | Usage |
| --- | --- |
| OIDC | Enable OIDC to allow new users to join your organization and sign in using OIDC. |
| Authority | Enter the URL of your OIDC identity provider. |
| Client ID | Enter the Client ID provided to you by your identity provider during registration. |

Mapping OIDC groups to Formant roles and teams

| Property | Usage |
| --- | --- |
| Domain | This field will be auto-populated from the email address with which you are currently logged into Formant. Users with an email address on this domain will be able to sign in via SSO. For example, if your email address is on the xyz.com domain, the domain you can enable for OIDC SSO will be xyz.com. You can only configure one domain for OIDC SSO for your Formant organization. |
| Default access | Choose the default access level for new users from a list of existing roles and teams in your Formant organization. If the user does not belong to a team as designated in Customize access, that user will be assigned the role or team you designate here. |
| Customize access | On the left side, enter the name of your OIDC group as it's configured with your identity provider. On the right side, select the Team in your Formant organization which corresponds to that group. When logging in, a user associated with the OIDC group name will be assigned to the corresponding Team in your Formant organization. See the Prerequisites section for more details. |

Click Done, and then Save to confirm your settings.
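
Because a user whose OIDC group has no corresponding team receives Default access, it is worth checking the Customize access entries against your identity provider's group list before saving. The Python script below is an added example, not Formant code: it models the sign-in rules described on this page and flags mapping entries that would send users to Default access. It assumes group names must match exactly and that the first mapped group wins; all group, team, role and user names are constructed sample data.

```python
# Added example: models the access rules described on this page; not Formant code.
# Group, team, role and user names below are constructed sample data.

def resolve_access(email, groups, domain, group_to_team, default_access):
    """Return the team/role a user would get, or None if SSO is not allowed."""
    if email.rsplit("@", 1)[-1].lower() != domain.lower():
        return None  # only the one configured domain can sign in via SSO
    for group in groups:
        if group in group_to_team:  # assumption: exact match, first hit wins
            return group_to_team[group]
    return default_access  # no mapped group: Default access applies


def audit_mapping(idp_groups, group_to_team, formant_teams):
    """List mapping problems that would silently send users to Default access."""
    def norm(name):
        return name.strip().casefold()

    idp_by_norm = {norm(g): g for g in idp_groups}
    findings = []
    for group, team in group_to_team.items():
        if group not in idp_groups:
            near = idp_by_norm.get(norm(group))
            hint = f" (did you mean {near!r}?)" if near else ""
            findings.append(f"mapped group {group!r} not found in IdP{hint}")
        if team not in formant_teams:
            findings.append(f"team {team!r} does not exist in Formant")
    for group in sorted(set(idp_groups) - set(group_to_team)):
        findings.append(f"IdP group {group!r} is unmapped: Default access applies")
    return findings


DOMAIN = "xyz.com"
DEFAULT_ACCESS = "viewer"
IDP_GROUPS = ["robot-operators", "fleet-admins", "contractors"]
FORMANT_TEAMS = ["Operators", "Admins"]
MAPPING = {"robot-operators": "Operators", "Fleet-Admins": "Admins"}  # note the typo

if __name__ == "__main__":
    for line in audit_mapping(IDP_GROUPS, MAPPING, FORMANT_TEAMS):
        print("WARN", line)
    for email, groups in [("ann@xyz.com", ["fleet-admins"]),
                          ("bob@xyz.com", ["robot-operators"]),
                          ("eve@example.org", ["fleet-admins"])]:
        print(email, "->", resolve_access(email, groups, DOMAIN, MAPPING, DEFAULT_ACCESS))
```

In the sample data the mis-cased `Fleet-Admins` entry means members of `fleet-admins` resolve to the default role rather than the Admins team, which is the kind of drift to catch before choosing a permissive Default access.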

Step 3: Log in via OIDC SSO

Users with an email address that matches the domain specified in Step 2 should now be able to log into Formant using OIDC SSO.
