OpenID Connect
Configure any OpenID Connect compliant identity provider for modern authentication with AccessIQ.
Recommended Protocol
OpenID Connect is the recommended protocol for new integrations. It provides modern authentication built on OAuth 2.0 with simpler configuration than SAML.
AccessIQ OIDC Configuration
Use these values when registering AccessIQ with your identity provider:
| Field | Value |
|---|---|
| Redirect URI | https://auth.accessiq.io/callback/oidc |
| Post-Logout Redirect URI | https://auth.accessiq.io/logout |
| Application Type | Web Application |
| Grant Types | Authorization Code |
Configure OIDC Provider
Using Discovery URL (Recommended)
Most OIDC providers support automatic discovery via the well-known endpoint:
Configure via Discovery URL
```bash
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "oidc",
    "name": "Corporate IdP",
    "enabled": true,
    "config": {
      "clientId": "YOUR_CLIENT_ID",
      "clientSecret": "YOUR_CLIENT_SECRET",
      "discoveryUrl": "https://your-idp.com/.well-known/openid-configuration",
      "scopes": ["openid", "profile", "email"]
    },
    "domains": ["yourcompany.com"]
  }'
```
Manual Configuration
If your provider doesn't support discovery, configure endpoints manually:
Manual OIDC Configuration
```bash
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "oidc",
    "name": "Corporate IdP",
    "enabled": true,
    "config": {
      "clientId": "YOUR_CLIENT_ID",
      "clientSecret": "YOUR_CLIENT_SECRET",
      "issuer": "https://your-idp.com",
      "authorizationEndpoint": "https://your-idp.com/oauth/authorize",
      "tokenEndpoint": "https://your-idp.com/oauth/token",
      "userInfoEndpoint": "https://your-idp.com/oauth/userinfo",
      "jwksUri": "https://your-idp.com/.well-known/jwks.json",
      "scopes": ["openid", "profile", "email"]
    },
    "domains": ["yourcompany.com"]
  }'
```
Common Scopes
| Scope | Description | Claims |
|---|---|---|
| openid | Required for OIDC | sub |
| profile | User profile info | name, family_name, given_name, picture |
| email | Email address | email, email_verified |
| groups | Group memberships | groups (provider-specific) |
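Before registering a provider, it is worth checking that its discovery document actually supports the settings the Discovery URL and Manual Configuration requests above depend on (Authorization Code grant, the scopes in the table, the token endpoint auth method, PKCE with S256). The Python below is an added example, not AccessIQ tooling: it validates a discovery document, refuses one whose issuer does not match the discovery URL, and derives the endpoint fields of the manual `config` block from it. The sample document, `SAMPLE_DISCOVERY`, and the function name are constructed for illustration.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed sample discovery document for a hypothetical IdP (not a real provider's).
SAMPLE_DISCOVERY = {
    "issuer": "https://your-idp.com",
    "authorization_endpoint": "https://your-idp.com/oauth/authorize",
    "token_endpoint": "https://your-idp.com/oauth/token",
    "userinfo_endpoint": "https://your-idp.com/oauth/userinfo",
    "jwks_uri": "https://your-idp.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code", "token", "id_token"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}


def manual_config_from_discovery(discovery_url, doc, scopes, token_auth="client_secret_basic"):
    """Validate a discovery document and return the endpoint part of the AccessIQ manual config."""
    issuer = doc.get("issuer", "")
    # Per OIDC Discovery the document lives at <issuer>/.well-known/openid-configuration over https.
    if urlparse(issuer).scheme != "https":
        raise ValueError("issuer must use https")
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        raise ValueError(f"discovery URL {discovery_url} does not belong to issuer {issuer}")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            raise ValueError(f"{key} is missing or not https")
    if "code" not in doc.get("response_types_supported", []):  # Authorization Code grant only
        raise ValueError("IdP does not advertise the 'code' response type")
    supported_auth = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])  # spec default
    if token_auth not in supported_auth:
        raise ValueError(f"IdP does not support tokenEndpointAuthMethod {token_auth}")
    advertised = doc.get("scopes_supported")  # optional in the spec; checked only when present
    if advertised is not None and not set(scopes) <= set(advertised):
        raise ValueError(f"scopes not advertised by IdP: {sorted(set(scopes) - set(advertised))}")
    use_pkce = "S256" in doc.get("code_challenge_methods_supported", [])  # AccessIQ default when supported
    config = {
        "issuer": issuer,
        "authorizationEndpoint": doc["authorization_endpoint"],
        "tokenEndpoint": doc["token_endpoint"],
        "userInfoEndpoint": doc["userinfo_endpoint"],
        "jwksUri": doc["jwks_uri"],
        "scopes": list(scopes),
        "tokenEndpointAuthMethod": token_auth,
        "usePKCE": use_pkce,
    }
    if use_pkce:
        config["pkceMethod"] = "S256"
    return config
```

Add clientId and clientSecret to the returned dictionary and it is the `config` object of the manual-configuration request.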
Claim Mapping
Map ID token claims to AccessIQ user attributes:
OIDC Claim Mapping
```json
{
  "attributeMapping": {
    "email": "email",
    "firstName": "given_name",
    "lastName": "family_name",
    "displayName": "name",
    "picture": "picture",
    "groups": "groups",
    "department": "custom:department"
  }
}
```
Custom Claims
Many IdPs support custom claims. Configure these in your IdP and map them using the custom: prefix or the exact claim name.
Advanced Options
PKCE
Proof Key for Code Exchange (PKCE) binds the authorization code to the client that requested it, so an intercepted code cannot be redeemed by anyone else. AccessIQ uses PKCE by default when the IdP supports it.
Enable PKCE
```json
{
  "config": {
    "usePKCE": true,
    "pkceMethod": "S256"
  }
}
```
Token Authentication Method
Configure how client credentials are sent to the token endpoint:
Token Endpoint Auth
```json
{
  "config": {
    "tokenEndpointAuthMethod": "client_secret_post"
    // Options: "client_secret_basic", "client_secret_post", "private_key_jwt"
  }
}
```
Response Mode
Configure how the authorization response is returned:
Response Mode
```json
{
  "config": {
    "responseMode": "query"
    // Options: "query", "fragment", "form_post"
  }
}
```
Testing the Connection
Test OIDC Connection
```bash
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/identity-providers/IDP_ID/test \
  -H "Authorization: Bearer YOUR_API_KEY"
# Response
{
  "success": true,
  "message": "OIDC configuration valid",
  "metadata": {
    "issuer": "https://your-idp.com",
    "supportedScopes": ["openid", "profile", "email", "groups"],
    "supportedResponseTypes": ["code", "token", "id_token"],
    "tokenEndpointAuthMethods": ["client_secret_basic", "client_secret_post"]
  }
}
```
Secret Rotation
Rotate client secrets periodically for security. AccessIQ supports configuring a new secret while keeping the old one active during the transition period.