Edit Your OpenID Connect (OIDC) SSO Settings

If your organization uses OpenID Connect (OIDC) as the Identity Provider (IdP) and needs to update the integration settings — such as rotating client secrets, switching discovery endpoints, or modifying authorization/token URLs — you can edit the OIDC configuration by following these steps:

Note:

Only platform administrators or users with appropriate permissions can edit SSO settings.

Prerequisites

Before setting up OIDC-based Single Sign-on (SSO) in Calibo Accelerate, make sure your organization’s identity and access management setup meets the following prerequisites.

  • Have Administrative Access to Your Identity Provider (IdP)

    You must have administrator privileges in your organization’s OIDC-compatible Identity Provider.

    This allows you to:

    • Create a new OIDC client/application for Calibo Accelerate.

    • Retrieve essential credentials such as the Client ID and Client Secret.

    • Configure the Redirect URI and Logout URI provided by Calibo.

    • Access the IdP’s Discovery URL or related metadata endpoints (if supported).

  • Register Calibo Accelerate as an Application in Your IdP

    Before starting configuration in Calibo:

    1. Log in to your IdP’s admin console.

    2. Create a new OIDC application (client).

    3. Select Web Application (if prompted for application type).

    4. Note the following generated values:

    • Client ID (unique identifier for Calibo)

    • Client Secret (used for secure token exchange)

    • Issuer URL (base URL of your IdP tenant, often ending with /oauth2/default)

    When you reach the Redirect URI step in the F24H wizard, you will need to return to your IdP and add the provided URI (for example, https://accelerate-dis.example.com/auth/realms/<TenantID>/broker/oidc/endpoint).

  • Prepare Users in Your Identity Provider

    The users you plan to add in Calibo Accelerate must already exist in your IdP with valid email addresses on the configured domain.

    At least one of these users (typically a real business user or admin) will be used for validating the SSO connection after setup.

    Unlike SAML integrations, OIDC does not require manual attribute mapping in advance.

    However, your IdP should expose the standard OIDC claims — email, given_name, and family_name — through its user profile or token scopes.

  • Define Attribute and Scope Requirements

    Confirm that your IdP application is configured to include the following scopes and claims:

    • Scopes: openid, email, profile (minimum required).

    • Claims:

      • email – used as the Calibo login identifier.

      • given_name and family_name – populate user profile fields.

        Without these scopes, Calibo may not receive the information needed to create or map user accounts correctly.

  • Plan for Credential and Token Management

    OIDC relies on short-lived tokens and periodically rotated secrets.

    Plan how your organization will handle these securely:

    • Store the Client Secret in a password vault or secret manager.

    • Rotate the secret periodically and update it in Calibo.

    • Ensure your IdP’s JWKS endpoint is publicly accessible and automatically refreshed when signing keys rotate.

After all the above prerequisites are in place, you can proceed with configuring OIDC in Calibo Accelerate using either the Manual Configuration or Discovery Endpoint option.
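
The claim requirements listed above can be checked against an ID token obtained from a test sign-in before you edit the configuration. This added example is not Calibo code: the function names and all sample values (issuer, client ID, domain) are constructed, and it inspects claims only, without verifying the token signature.

```python
import base64
import json
import time


def _segment(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned token (header.payload.signature)."""
    return f"{_segment({'alg': 'RS256'})}.{_segment(claims)}.not-a-signature"


def check_id_token_claims(token, issuer, client_id, domain, now=None):
    """List claim problems in an ID token. Diagnostic only: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured Issuer URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    local, _, email_domain = str(claims.get("email", "")).rpartition("@")
    if not local or email_domain.lower() != domain.lower():
        problems.append("email missing or not on the configured domain")
    for name in ("given_name", "family_name"):
        if not claims.get(name):
            problems.append(f"{name} claim missing (is the profile scope granted?)")
    return problems


# Constructed sample values; none come from a real tenant.
ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": "calibo-client-id", "exp": 2_000_000_000,
                 "email": "jane.doe@example.com", "given_name": "Jane"}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)
```

An empty result means the token carries every claim the prerequisites call for; the issuer comparison is an exact string match, so a trailing slash on either side is reported as a mismatch.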

Steps to Edit SSO Settings

To edit your OIDC SSO configuration, do the following:

  1. Go to Platform Setup > Security & SSO.

  2. In the Configured Identity Provider section, you will see your existing OIDC SSO configuration.

  3. In the OIDC SSO configuration card, click the ellipsis (⋯) and select Edit.

  4. The following confirmation message appears. Click Proceed to continue.

    Confirmation message before editing Azure AD SSO configuration

  5. On the Edit Single Sign-On screen, your existing OIDC SSO configuration is displayed. You can review or edit the values as mentioned in the following steps:

    1. Configured Domain

    When you edit your OIDC SSO configuration, the domain field is auto-populated with the domain that was used in your previous configuration.

    You cannot edit this field — Calibo enforces the same domain to ensure continuity of user identity mapping.

    Select the following checkbox:

    Auto-populated domain field and domain confirmation check box

2. Select a Configuration Method to Edit OIDC Details

You can edit OIDC details either manually or via discovery endpoint (if supported by your IdP).

Option A — Configure Manually

Select this method if your IdP requires explicit configuration or does not expose a discovery endpoint.

You can update the following details:

• Client ID – A unique identifier for your OIDC application, generated when you register Calibo in your IdP.

• Client Secret – A confidential key issued by your IdP to authenticate Calibo when exchanging authorization codes for tokens.

• Authorization URL – The endpoint in your IdP where users are redirected to sign in. Typically ends with /authorize. Example: https://dev-123456.okta.com/oauth2/default/v1/authorize

• Token URL – The endpoint used to exchange the authorization code for access and ID tokens. Example: https://dev-123456.okta.com/oauth2/default/v1/token

• Logout URL – The endpoint used to terminate the user session in the IdP. Ensures logout from both Calibo and the IdP.

• Issuer URL – The unique identifier for your IdP as the token issuer. Must match the iss claim in the ID token.

• JWKS URL – The endpoint where your IdP hosts JSON Web Key Sets (JWKS) used to verify token signatures. Example: https://dev-123456.okta.com/oauth2/default/v1/keys

• User Info URL – The endpoint that returns user profile information (email, firstName, lastName, etc.) after authentication.

Configuring OIDC details manually

Tip:

You can obtain most of these URLs from your IdP’s .well-known/openid-configuration endpoint if available.

Option B — Import Using Discovery Endpoint

Select this option if your IdP exposes a discovery endpoint.

Do the following:

  1. Select Import Using Discovery Endpoint.

  2. Update the following details:

    • Client ID – Provide the unique identifier assigned to the Calibo Accelerate application when it was registered in your IdP. This identifies Calibo as a trusted OIDC client.

    • Client Secret – Enter the confidential key generated by your IdP. Calibo uses this key to securely authenticate itself when exchanging authorization codes for tokens.

    • Discovery Endpoint – Provide the URL of your IdP’s OpenID Connect Discovery Document, usually ending with /.well-known/openid-configuration. Example: https://auth.<your-idp-domain>.au/<application-id>/as/.well-known/openid-configuration

  3. Click Import

    After entering the above details, click Import.

    Importing OIDC URL metadata using Discovery Endpoint

    Calibo Accelerate automatically retrieves and populates the following configuration values:

    • Authorization URL

    • Token URL

    • Logout URL (if provided)

    • Issuer URL

    • JWKS URL (for public key verification)

    • User Info URL

      OIDC details imported to Calibo Accelerate

Click Next to proceed.

Click Cancel and then, in the confirmation message, click Yes to discard your unsaved identity provider configuration changes and go back to the previous screen.
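
The mapping behind the Tip under Option A and the Import step under Option B can be checked before you type or import anything. This added example is not Calibo code: it maps a discovery document to the form fields named on this page and flags gaps, using a constructed sample document for a hypothetical IdP at idp.example.com in place of a live fetch.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Edit Single Sign-On form field -> OIDC discovery metadata key.
FIELD_TO_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",  # optional, hence "(if provided)"
    "Issuer URL": "issuer",
    "JWKS URL": "jwks_uri",
    "User Info URL": "userinfo_endpoint",
}
ADVERTISED = {"scopes_supported": {"openid", "email", "profile"},
              "claims_supported": {"email", "given_name", "family_name"}}

# Constructed sample document for a hypothetical IdP; not a real tenant.
BASE = "https://idp.example.com/oauth2/default"
SAMPLE = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token",
    "userinfo_endpoint": BASE + "/v1/userinfo",
    "jwks_uri": BASE + "/v1/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "given_name"],
}


def preflight(discovery_url, doc):
    """Map a discovery document to form fields and list problems found."""
    fields, problems = {}, []
    for field, key in FIELD_TO_KEY.items():
        value = doc.get(key, "")
        if urlsplit(value).scheme == "https":
            fields[field] = value
        elif value or field != "Logout URL":
            problems.append(f"{field}: {key}={value or 'missing'} is not an HTTPS URL")
    # OIDC Discovery: issuer must equal the retrieval URL minus the suffix.
    if not discovery_url.endswith(SUFFIX):
        problems.append("discovery URL does not end with " + SUFFIX)
    elif doc.get("issuer", "").rstrip("/") != discovery_url[:-len(SUFFIX)]:
        problems.append("issuer does not match discovery URL")
    # These lists are optional metadata; a gap means check the IdP app itself.
    for key, needed in ADVERTISED.items():
        missing = sorted(needed - set(doc.get(key, [])))
        if missing:
            problems.append(f"{key} lacks {missing}")
    return fields, problems
```

For the sample document, `preflight(BASE + SUFFIX, SAMPLE)` returns five populated fields (no Logout URL) and one problem: the IdP does not advertise the family_name claim.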

3. Complete and Validate OIDC Configuration

After the above configuration is complete, the next screen confirms that your SSO settings have been successfully updated in Calibo Accelerate.

SSO configuration complete in Calibo Accelerate: Update redirect URL in IdP

Next Step: Update Redirect URI in IdP's App Settings

To complete the update, you must add the Redirect URI shown on this screen to your IdP’s OIDC application settings.

This URI ensures that your IdP can redirect authenticated users back to Calibo after successful sign-in.

The redirect URI looks similar to the following:

https://accelerate-<environment>.<your domain>/auth/realms/<Calibo Accelerate tenantID>/broker/oidc/endpoint

To add this redirect URI to your IdP, do the following:

  1. Copy the Redirect URI displayed on this screen.

  2. Go to your IdP’s admin console and open your registered Calibo application.

  3. Locate the Redirect URIs or Authorized Redirect URLs section.

  4. Paste the URI exactly as shown and save the configuration.

If the redirect URI is not added in your IdP, validation will fail and users will not be able to log in via SSO.

4. Validate Single Sign-on

After adding the Redirect URI in your IdP, on the screen from where you copied the redirect URI, do the following:

Validating OIDC SSO

  1. In the Validate Single Sign-on section, click Validate.

    This takes you to the Calibo Accelerate sign-in screen. Sign in using SSO credentials from the configured domain. After a successful authentication redirection and SSO validation, the following success message is displayed.

    SSO validation successful

  2. Return to the SSO configuration screen and click the Refresh icon to complete your SSO configuration.

    Click Refresh to complete SSO configuration

  3. After you see the message confirming that your SSO validation is successful, click Finish.

    Click Finish to complete SSO updates

If validation fails, verify the Redirect URI, Client ID, Client Secret, and Discovery Endpoint settings in your IdP configuration.

After you click Finish, your current session will automatically end. You will be logged out of the platform and will need to sign in again using your updated OIDC credentials.