OIDC / SSO — sign-in via an identity provider
PremiumOpenID Connect (OIDC), built on OAuth2, lets your users sign in to Omniscol with their organization account rather than with a dedicated Omniscol password. Three benefits: a single password to remember, centralized deactivation when someone joins or leaves, and automatic enforcement of the security policy (MFA, password length, expiry…) managed on the IT side.
This page describes user SSO: people signing in to Omniscol through your identity provider. The opposite case — Omniscol as an OAuth2 / OIDC server that third-party services connect to, with its client management screen — is covered on OAuth2 / OIDC (provider).
Supported providers
Omniscol supports:
- Google Workspace,
- Microsoft Entra ID (formerly Azure AD),
- Keycloak,
- a generic OIDC provider via its issuer / discovery URL (any OIDC-compliant provider).
Configuring on the Omniscol side
In Administration → Settings, in the Security section, the Configure button opens the OIDC configuration screen, where you declare the provider:
- Display name — the label shown on the sign-in button
(for example
Continue with Google). - Provider type — Google, Microsoft Entra ID (Azure AD), Keycloak or generic OIDC.
- Tenant / issuer — the Microsoft tenant for Entra ID, or the issuer URL for Keycloak and generic OIDC providers. The OIDC metadata is then discovered by the application.
- Client ID and Client secret — obtained by creating an application on the provider side (see the provider's documentation).
- Scopes —
openid profile emailby default. Add provider-specific scopes if needed. - Authorized domains — an optional list of email domains accepted at SSO sign-in; when left empty, no domain filtering is applied.
- Redirect URL — Omniscol gives you the exact value to copy into the provider-side configuration (along with the post-logout redirect URL if the provider requires it).
- SSO-only login — once SSO is validated, this option refuses Omniscol password sign-in, except for the break-glass accounts described below.
The current SSO configuration is defined at the school account level.
Break-glass access
In SSO-only login mode, Omniscol password sign-in is refused: everyone goes through the identity provider. If that provider becomes unavailable — outage, expired secret, configuration error — access to Omniscol would be blocked for everyone.
The break-glass account is the safeguard against this lock-out: an administrator account allowed to sign in with an Omniscol password even while exclusive SSO mode is active.
- In the account record of an administrator, when the SSO-only login option is active, a Break-glass (SSO only) checkbox appears. Ticking it allows this account to sign in with a password if the identity provider is unavailable. Only administrator accounts can be designated.
- Omniscol support also keeps its own independent emergency access.
Designate at least one break-glass account before enabling exclusive SSO mode, and keep its password in a safe place: it is your safety net if the identity provider goes down.
Configuring on the provider side (examples)
Google Workspace
- Google Cloud console > APIs & Services > Credentials.
- Create an OAuth 2.0 credential, type Web application.
- Paste the redirect URL provided by Omniscol into Authorized redirect URIs.
- Retrieve the Client ID and Client secret and paste them into Omniscol.
Microsoft Entra ID
- Azure portal > Entra ID > App registrations.
- New registration, type Web, Omniscol redirect URL.
- Certificates & secrets > create a client secret.
- API permissions > add
openid,profile,email. - Retrieve the Application (client) ID and the secret.
Keycloak
- Realm > Clients > Create client, type OpenID Connect.
- Valid redirect URIs: the URL provided by Omniscol.
- Credentials > retrieve the client secret.
Linking to Omniscol accounts
When a user clicks the SSO button, Omniscol:
- Redirects them to the provider,
- Retrieves their email address after authentication,
- Looks for an Omniscol account with the same email address.
If the account exists and is active, the user is signed in. Otherwise, access is denied. Consequence: for SSO to work, users must exist in Omniscol with the right email address — creation is not automatic on the Omniscol side by default.
Automatic account provisioning
Automatic account creation at the first SSO sign-in
(just-in-time provisioning) is not the default behavior of
the configuration screen. If this mode is needed, it must be scoped
with Omniscol.
How-to
Configure an OIDC / SSO provider
-
OIDC / SSO lets your users sign in with their organization account (Google Workspace, Microsoft Entra ID, Keycloak, Okta…). The provider-side part depends on the provider.
-
On the provider side, first create a Web application OIDC application: retrieve the Client ID and the Client secret, and copy the redirect URL provided by Omniscol into the provider's Authorized redirect URIs.
-
On the Omniscol side, open the settings then the OIDC configuration. Fill in the display name (the sign-in button label), the provider type, the issuer or tenant as applicable, the Client ID, the Client secret and the scopes (default:
openid profile email). -
Click Test. Check that the configuration works. Omniscol performs an OIDC round trip; on a discovery, secret or redirect error, the error message is explicit.
-
Save. The SSO sign-in button appears on the login page when the configuration is active.
-
Important: accounts must exist in Omniscol with the right email address. SSO sign-in matches by email; no automatic provisioning by default.