Configure Single Sign-on with OpenID Connect (OIDC)

Calibo Accelerate supports Single Sign-on (SSO) using OpenID Connect (OIDC) — a modern authentication protocol built on top of OAuth 2.0.

Using OIDC, you can securely integrate Calibo Accelerate with enterprise identity providers (IdPs) such as Okta or Ping Identity.

OIDC allows users to authenticate with their existing corporate credentials while maintaining centralized identity control and reducing password management overhead.

Before You Start (Prerequisites)

Before setting up OIDC-based Single Sign-on (SSO) in Calibo Accelerate, make sure your organization’s identity and access management setup meets the following prerequisites.

  • Have Administrative Access to Your Identity Provider (IdP)

    You must have administrator privileges in your organization’s OIDC-compatible Identity Provider.

    This allows you to:

    • Create a new OIDC client/application for Calibo Accelerate.

    • Retrieve essential credentials such as the Client ID and Client Secret.

    • Configure the Redirect URI and Logout URI provided by Calibo.

    • Access the IdP’s Discovery URL or related metadata endpoints (if supported).

  • Decide the Email Domain to Associate with Your Tenant

    Each tenant in Calibo Accelerate is tied to an email domain (for example, mycompany.com).

    When you configure OIDC SSO in Calibo Accelerate, you must specify this domain in the F24H wizard. Only users whose email addresses match this domain can be added and sign in to the tenant through SSO.

    For example, if you specify mycompany.com as your domain, a user with ajones@mycompany.com can be added, but a user with ajones@partner.org cannot be added.

  • Register Calibo Accelerate as an Application in Your IdP

    Before starting configuration in Calibo:

    1. Log in to your IdP’s admin console.

    2. Create a new OIDC application (client).

    3. Select Web Application (if prompted for application type).

    4. Note the following generated values:

    • Client ID (unique identifier for Calibo)

    • Client Secret (used for secure token exchange)

    • Issuer URL (base URL of your IdP tenant, often ending with /oauth2/default)

    When you reach the Redirect URI step in the F24H wizard, you will need to return to your IdP and add the provided URI (for example, https://accelerate-dis.calibo.com/auth/realms/<TenantID>/broker/oidc/endpoint).

  • Prepare Users in Your Identity Provider

    The users you plan to add in Calibo Accelerate must already exist in your IdP with valid email addresses on the configured domain.

    At least one of these users (typically a real business user or admin) will be used for validating the SSO connection after setup.

    Unlike SAML integrations, OIDC does not require manual attribute mapping in advance.

    However, your IdP should expose the standard OIDC claims — email, given_name, and family_name — through its user profile or token scopes.

  • Define Attribute and Scope Requirements

    Confirm that your IdP application is configured to include the following scopes and claims:

    • Scopes: openid, email, profile (minimum required).

    • Claims:

      • email – used as the Calibo login identifier.

      • given_name and family_name – populate user profile fields.

        Without these scopes, Calibo may not receive the information needed to create or map user accounts correctly.

  • Plan for Credential and Token Management

    OIDC relies on short-lived tokens and periodically rotated secrets.

    Plan how your organization will handle these securely:

    • Store the Client Secret in a password vault or secret manager.

    • Rotate the secret periodically and update it in Calibo.

    • Ensure your IdP’s JWKS endpoint is publicly accessible and automatically refreshed when signing keys rotate.

After all the above prerequisites are in place, you can proceed with configuring OIDC in Calibo Accelerate using either the Manual Configuration or Discovery Endpoint option.
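
A troubleshooting check for the claim, issuer and domain requirements listed above, as an added example (not Calibo's code). It decodes the claims of an ID token without verifying the signature and reports what would block sign-in or user mapping. The sample token, the placeholder client ID and the case-insensitive domain comparison are assumptions made for illustration.

```python
import base64
import json
import time


def decode_payload(id_token):
    """Decode the claims segment of a JWT. Does NOT verify the signature."""
    segment = id_token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims, issuer_url, client_id, tenant_domain, now=None):
    """Return the problems that would block sign-in or user mapping."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} does not match the Issuer URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    for name in ("email", "given_name", "family_name"):
        if not claims.get(name):
            problems.append(f"claim {name!r} missing (check scopes email, profile)")
    email = claims.get("email") or ""
    # Compare the whole domain after the last '@', case-insensitively, so that
    # ajones@mycompany.com.partner.org does not pass as mycompany.com.
    if email and email.rsplit("@", 1)[-1].lower() != tenant_domain.lower():
        problems.append(f"email domain is not {tenant_domain}")
    return problems


def _segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample values (not from a real IdP); the client ID is a placeholder.
ISSUER = "https://dev-123456.okta.com/oauth2/default"
CLIENT_ID = "example-client-id"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "exp": 2000000000,
    "email": "ajones@mycompany.com", "given_name": "A", "family_name": "Jones",
}
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256"}), _segment(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    print(check_claims(decode_payload(SAMPLE_TOKEN), ISSUER, CLIENT_ID, "mycompany.com"))
```

An empty list means the token carries everything the prerequisites call for; signature verification against the JWKS endpoint is a separate step that this check does not perform.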

Configuring OIDC Details in Calibo Accelerate

In the F24H Wizard, after selecting the OpenID Connect (OIDC) option, you need to enter your IdP connection details.

This configuration establishes the trust between your IdP and Calibo Accelerate for authenticating users.

You can configure these details either manually or via discovery endpoint (if supported by your IdP).

Option A — Configure Manually

Select this method if your IdP requires explicit configuration or does not expose a discovery endpoint.

You’ll need to provide the following details:

| Field | Description |
|---|---|
| Domain | The corporate email domain associated with your Calibo Accelerate tenant (for example, mycompany.com). Only users with this domain can be added to the tenant. |
| Client ID | A unique identifier for your OIDC application, generated when you register Calibo in your IdP. |
| Client Secret | A confidential key issued by your IdP to authenticate Calibo when exchanging authorization codes for tokens. |
| Authorization URL | The endpoint in your IdP where users are redirected to sign in. Typically ends with /authorize. Example: https://dev-123456.okta.com/oauth2/default/v1/authorize. |
| Token URL | The endpoint used to exchange the authorization code for access and ID tokens. Example: https://dev-123456.okta.com/oauth2/default/v1/token. |
| Logout URL | The endpoint used to terminate the user session in the IdP. Ensures logout from both Calibo and the IdP. |
| Issuer URL | The unique identifier for your IdP as the token issuer. Must match the iss claim in the ID token. |
| JWKS URL | The endpoint where your IdP hosts JSON Web Key Sets (JWKS) used to verify token signatures. Example: https://dev-123456.okta.com/oauth2/default/v1/keys. |
| User Info URL | The endpoint that returns user profile information (email, firstName, lastName, etc.) after authentication. |

 

[Figure: Configuring OIDC details manually]

Tip: You can obtain most of these URLs from your IdP’s .well-known/openid-configuration endpoint if available.

Option B — Import Using Discovery Endpoint

If your IdP supports OIDC discovery, simply provide the Discovery URL — the standard .well-known/openid-configuration endpoint.

Calibo Accelerate automatically retrieves the required URLs (Authorization, Token, Issuer, JWKS, and User Info).

Most modern identity providers (IdPs) such as Ping Identity or Okta expose a discovery endpoint that automatically provides all the required metadata for the connection.

When you choose the Import using Discovery Endpoint option, Calibo retrieves the necessary configuration details directly from your IdP — including the Authorization URL, Token URL, JWKS URL, Issuer, and User Info URL — without requiring manual entry.

Do the following:

  1. Select Import using Discovery Endpoint.

    On the Configure Single Sign-on screen, select the Import using Discovery Endpoint option.

  2. Enter the following details:

    | Field | Description |
    |---|---|
    | Domain | Specify the corporate email domain associated with this tenant (for example, mycompany.com). Only users whose email addresses match this domain can be added to the Calibo Accelerate platform. |
    | Client ID | Provide the unique identifier assigned to the Calibo Accelerate application when it was registered in your IdP. This identifies Calibo as a trusted OIDC client. |
    | Client Secret | Enter the confidential key generated by your IdP. Calibo uses this key to securely authenticate itself when exchanging authorization codes for tokens. |
    | Discovery Endpoint | Provide the URL of your IdP’s OpenID Connect Discovery Document, usually ending with /.well-known/openid-configuration. Example: https://auth.<your-idp-domain>.au/<application-id>/as/.well-known/openid-configuration |

  3. Click Import.

    After entering the above details, click Import.

    [Figure: Importing OIDC URL metadata using Discovery Endpoint]

    Calibo Accelerate automatically retrieves and populates the following configuration values:

    • Authorization URL

    • Token URL

    • Logout URL (if provided)

    • Issuer URL

    • JWKS URL (for public key verification)

    • User Info URL

    [Figure: OIDC details imported to Calibo Accelerate]
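
How a discovery document maps onto the fields from Option A and the import step above, as an added example (not Calibo's import code). It takes a document that has already been fetched, maps the standard OpenID Connect metadata keys to the wizard's field names, and flags non-HTTPS endpoints, an issuer that does not match the discovery URL, and missing minimum scopes. The sample document and the /v1/userinfo path are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

FIELD_MAP = {  # wizard field (from this page) -> OIDC discovery metadata key
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",  # optional; not every IdP publishes it
    "Issuer URL": "issuer",
    "JWKS URL": "jwks_uri",
    "User Info URL": "userinfo_endpoint",
}
SUFFIX = "/.well-known/openid-configuration"


def map_discovery(discovery_url, document):
    """Map a discovery document to wizard fields; return (fields, problems)."""
    meta = json.loads(document)
    fields, problems = {}, []
    for field, key in FIELD_MAP.items():
        value = meta.get(key)
        if value and urlsplit(value).scheme == "https":
            fields[field] = value
        elif value:
            problems.append(f"{field}: {value} is not an https URL")
        elif field != "Logout URL":
            problems.append(f"{field}: '{key}' is missing")
    # The issuer must equal the discovery URL minus the well-known suffix.
    if not discovery_url.endswith(SUFFIX):
        problems.append("discovery URL does not end with " + SUFFIX)
    elif meta.get("issuer") != discovery_url[: -len(SUFFIX)]:
        problems.append("issuer does not match the discovery URL")
    missing = {"openid", "email", "profile"} - set(meta.get("scopes_supported", []))
    if "scopes_supported" in meta and missing:  # optional metadata
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return fields, problems


# Constructed sample (not fetched from a real IdP); host reuses the page's example.
BASE = "https://dev-123456.okta.com/oauth2/default"
SAMPLE_URL = BASE + SUFFIX
SAMPLE_DOC = json.dumps({
    "issuer": BASE, "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token", "jwks_uri": BASE + "/v1/keys",
    "userinfo_endpoint": BASE + "/v1/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
})

if __name__ == "__main__":
    print(map_discovery(SAMPLE_URL, SAMPLE_DOC))
```

Comparing this output with the values populated after Import is a quick way to confirm that the wizard is pointed at the intended IdP tenant.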

Adding Users and Assigning Administrators in Calibo Accelerate

After successfully configuring your OpenID Connect (OIDC) details and importing your IdP metadata, the next step in the F24H Wizard is to add users who will access the Calibo Accelerate platform under this tenant.

At this stage, automatic user synchronization from your IdP is not yet supported for OIDC. Therefore, you must manually add users who will have access to this tenant.

Adding Users Manually

  1. Click Add Users.

  2. In the side drawer, provide the following details for each user:

    • First Name: Enter the first name.

    • Last Name: Enter the last name.

    • Email Address: This must belong to the domain you configured during SSO setup (for example, @mycompany.com).

    • Country: Select a country from the dropdown list.

    To add all desired users, repeat the above steps. Include all individuals who need immediate access to the Calibo Accelerate tenant — such as product owners, developers, DevOps engineers, or administrators.

    [Figure: Adding users to OIDC-based tenant]

    Note:

    Since user synchronization is not yet available for OIDC configurations, any new users you want to onboard later must also be manually added through the Users, Roles, Teams, and Organization Hierarchy section of the platform.

  3. After you add all desired users, click Next to select tenant administrators.

Selecting Administrators

  1. On the Select Administrators screen, click inside the search bar.

  2. Start typing the name of a user you added on the previous screen.

    As you type, a dropdown list appears showing matching user names.

  3. Click the user’s name from the search results to select them as an administrator.

  4. Repeat the process to add multiple administrators, if required. You can assign one or more users as administrators based on your organization’s governance model.

  5. After you add administrators, click Next to review the list of platform users and administrators.

Reviewing Platform Users

The Platform Users screen displays the list of all the administrators and users you chose to add to the Calibo Accelerate platform in the previous steps. The details such as each user's name, email address, and country are displayed. The Status column indicates whether the user was successfully added or if there was an issue. In case of failure, review the error messages and take the necessary action.

[Figure: Screen showing the list of users and administrators added to the platform tenant]

Click Next to proceed.

Completing and Validating OIDC Configuration

After you add users, select administrators, and review the user summary, the next screen confirms that your OpenID Connect (OIDC) setup is complete in Calibo Accelerate.

This screen also guides you through the final step — establishing trust between Calibo and your Identity Provider (IdP).

[Figure: OIDC SSO configuration complete in Calibo Accelerate]

Next Step: Add the Redirect URI to Your Identity Provider

To complete the integration, you must add the Redirect URI shown on this screen to your IdP’s OIDC application settings.

This URI ensures that your IdP can redirect authenticated users back to Calibo after successful sign-in.

The redirect URI looks similar to the following:

https://accelerate-<environment>.<your domain>/auth/realms/<Calibo Accelerate tenantID>/broker/oidc/endpoint

To add this redirect URI to your IdP, do the following:

  1. Copy the Redirect URI displayed on this screen.

  2. Go to your IdP’s admin console and open your registered Calibo application.

  3. Locate the Redirect URIs or Authorized Redirect URLs section.

  4. Paste the URI exactly as shown and save the configuration.

If the redirect URI is not added in your IdP, validation will fail and users will not be able to log in via SSO.

Validating Single Sign-on

After adding the Redirect URI in your IdP, on the screen from where you copied the redirect URI, do the following:

[Figure: Validating OIDC SSO]

  1. In the Validate Single Sign-on section, click Validate.

    This takes you to the Calibo Accelerate sign-in screen. Sign in using an existing user with SSO credentials from the configured domain. After a successful authentication redirection and SSO validation, the following success message is displayed.

    SSO validation successful

  2. Return to the SSO configuration screen and click the Refresh icon to complete your SSO configuration.

    [Figure: Click Refresh to complete SSO configuration]

  3. After you see the message confirming that your SSO validation is successful, click Finish to exit the F24H wizard.

    [Figure: SSO configuration successful: Click Finish to exit F24H Wizard]

If validation fails, verify the Redirect URI, Client ID, Client Secret, and Discovery Endpoint settings in your IdP configuration.

Note:

After you click Finish and exit the F24H wizard, the credentials you used to sign in to the F24H wizard will no longer work. The administrator(s) that you selected in the earlier step can sign in to the Calibo Accelerate platform by using SSO credentials, add more users to the platform, and perform other administrative tasks.
