Setting up OpenID Connect as single sign-on (SSO) option


You can set up the Administration Web Interface to integrate with an OpenID Connect (OIDC) provider, such as Microsoft Entra ID, to use it as an external authentication method for single sign-on. This allows administrative users to authenticate and sign in to the Administration Web Interface via OIDC.

This topic explains how to set up OpenID Connect as an SSO option for the Administration Web Interface. For a conceptual overview of the SSO process, see Single sign-on with OpenID Connect.

Before you begin

Ensure you have the following:

  • You have successfully set up Microsoft Entra ID to be used as an external authentication method.

  • You have an administrative user with the Set Global Configuration Options privilege.

Set up for Microsoft Entra ID

Setting up Microsoft Entra ID as an external authentication method for the Administration Web Interface includes the following tasks:

  1. Enable and configure OpenID Connect in the Administration Web Interface

  2. Enable OpenID Connect in the Message Delivery Component (MDC)

  3. (Optional) Define the required user role templates

  4. (Optional) Create a OneSpan Authentication Server policy

Tasks 3 and 4 are only required if administrative users who do not yet have a OneSpan Authentication Server user account should have one created automatically when they first sign in via OpenID Connect.

Task 1: Enable and configure OpenID Connect in the Administration Web Interface

To allow users to sign in to the Administration Web Interface via OpenID Connect, you need to enable and configure this in the global configuration settings.

  1. Sign in to the Administration Web Interface.

  2. Select SERVERS > Global Configuration.

  3. Switch to the OpenID Connect tab.

  4. Click EDIT.

  5. Select Enable OpenID Connect and configure the OIDC settings according to your external authentication method (EAM) configuration (see OpenID Connect settings).

  6. Click SAVE.

Task 2: Enable OpenID Connect in the Message Delivery Component (MDC)

During the OpenID Connect authentication process, OneSpan Authentication Server requests an ID token from the OIDC provider’s token endpoint and retrieves the provider’s public signing keys, which are needed to verify the ID token signature, from the OIDC provider’s key endpoint. These requests are sent and handled via the Message Delivery Component (MDC), which must be configured accordingly.

  1. Start the MDC Configuration Utility (see Using the MDC Configuration Utility).

  2. Switch to the OpenID Connect tab.

  3. Select Enable OpenID Connect integration.

  4. If required, specify the path and name of a custom certification authority (CA) bundle file in the Certificate file box. By default, this is set to the CA bundle file included in OneSpan Authentication Server. The MDC validates the TLS certificates of the token and key endpoints against this bundle, so a custom bundle is only needed if the certificates presented by those endpoints do not chain to a CA in the included bundle (for example, a private CA or a TLS-intercepting proxy on the path to the provider).

  5. Click OK to save the changes and confirm to restart the MDC service/daemon.
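The following pre-flight check is an added example and not part of OneSpan Authentication Server or its utilities. It reads an OIDC discovery document, extracts the two endpoints the MDC contacts (the token endpoint and the key endpoint, `jwks_uri`), and opens a TLS connection to each using only the CA bundle you intend to configure in the MDC as trust anchors. The discovery document below is constructed; the hostnames and paths in it are placeholders, and a real provider publishes the document at `<issuer>/.well-known/openid-configuration`.

```python
"""Pre-flight check for the endpoints the MDC contacts during OIDC sign-in.

Added example, not OneSpan code. If tls_chain_check() fails with the same CA
bundle that is configured in the MDC Configuration Utility, the MDC will also
fail to fetch the ID token or the provider's signing keys.
"""
import json
import socket
import ssl
import sys
from urllib.parse import urlparse

# Constructed sample of the discovery-document fields that matter here.
# Placeholder host and paths; a real provider serves its own values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com/tenant/v2.0",
    "token_endpoint": "https://login.example.com/tenant/oauth2/v2.0/token",
    "jwks_uri": "https://login.example.com/tenant/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def mdc_endpoints(discovery_json: str) -> dict:
    """Return the token and key endpoints the MDC must reach, keyed by purpose.

    Raises ValueError if either is missing or not served over HTTPS: the MDC
    verifies the provider's certificate against its CA bundle, so a plain-HTTP
    endpoint can never be acceptable.
    """
    doc = json.loads(discovery_json)
    endpoints = {}
    for purpose, field in (("token", "token_endpoint"), ("keys", "jwks_uri")):
        url = doc.get(field)
        if not url:
            raise ValueError(f"discovery document lacks {field}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must use https, got {url}")
        endpoints[purpose] = url
    return endpoints


def tls_chain_check(url: str, ca_bundle: str, timeout: float = 5.0) -> str:
    """Handshake with the endpoint host trusting only ca_bundle; return the
    certificate subject on success.

    ssl.SSLCertVerificationError means the presented chain does not end in a
    CA from the bundle (or the hostname does not match): exactly the case where
    a custom CA bundle has to be configured in the MDC.
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context(cafile=ca_bundle)  # hostname check stays on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return ", ".join("=".join(attr) for rdn in cert["subject"] for attr in rdn)


if __name__ == "__main__":
    # Usage: python oidc_preflight.py <ca-bundle.pem> [discovery.json]
    if len(sys.argv) < 2:
        sys.exit("usage: oidc_preflight.py <ca-bundle.pem> [discovery.json]")
    bundle = sys.argv[1]
    doc = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DISCOVERY
    for purpose, url in mdc_endpoints(doc).items():
        try:
            print(f"{purpose}: {url} -> OK ({tls_chain_check(url, bundle)})")
        except ssl.SSLCertVerificationError as exc:
            print(f"{purpose}: {url} -> FAIL: {exc.verify_message}")
```

Run it once against the default bundle shipped with OneSpan Authentication Server and, if that fails, against the custom bundle you plan to enter in the Certificate file box; the bundle that passes is the one the MDC needs.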

Task 3: (OPTIONAL) Define the required user role templates

User role templates are user accounts that are unused and not linked to a real person. They serve as templates to create regular user accounts for users that sign in with the OpenID Connect option, but do not have a OneSpan Authentication Server user account yet. A user role template defines the user account settings that should apply to a group of users, e.g., the administrator level and the administrative privileges.

When a user without a OneSpan Authentication Server user account attempts to sign in to the Administration Web Interface via OpenID Connect, OneSpan Authentication Server evaluates the role settings of the effective policy and the role claim sent by the OIDC provider to determine an applicable user role template. If the respective user role template exists, OneSpan Authentication Server creates a new user account based on that template. For this to work, you need to enable dynamic user registration (DUR) in the respective policy (see Task 4: Create a OneSpan Authentication Server policy).

To create a user role template, create a regular (non-service) user account as you would usually do (see Creating a user account). Set the user ID based on the role template pattern and the expected role claims (see OpenID Connect settings), but leave the password empty to prevent the user account from being used for regular login.

Assume you define ROLE_TEMPLATE_FOR_{role} as the role template pattern and set the default role to reporter. If you expect the OIDC provider to return the role claims user_admin and global_admin, you would need to create the following user accounts to be used as user role templates:

  • ROLE_TEMPLATE_FOR_reporter

  • ROLE_TEMPLATE_FOR_user_admin

  • ROLE_TEMPLATE_FOR_global_admin

You can create user role templates in any domain you like. However, note that the user role templates are identified by the user ID only. If you create two user role templates with the same user ID in different domains, the OIDC process cannot uniquely resolve the correct user role template and will fail. In general, we recommend keeping all user role templates in one domain to simplify organization and prevent such conflicts.

Task 4: (OPTIONAL) Create a OneSpan Authentication Server policy

This task is required if you want to allow new user accounts to be created based on user role templates. To allow this, the effective policy for the Administration Program component must enable dynamic user registration (DUR), which is not enabled in the default policy (Identikey Administration Logon).

Create a new policy based on the Identikey Administration Logon policy (see Creating a policy) and set User > Dynamic User Registration to Yes.
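To make the rules of Task 3 and Task 4 concrete, the following model is an added example, not OneSpan's implementation. It derives the template user ID from the role template pattern, falls back to the default role when the token carries no role claim (an assumption about what the default role is for), matches templates by user ID only so that the same user ID in two domains is ambiguous and fails, and refuses to create anything when DUR is disabled in the effective policy. The template accounts and domain names are constructed; exact, case-sensitive user ID matching is also an assumption.

```python
"""Model of role claim -> user role template resolution (added example).

Not OneSpan code: it only reproduces the rules stated on this page so the
configuration errors they warn about (missing template, duplicate template
across domains, DUR disabled) can be seen end to end.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TemplateAccount:
    user_id: str
    domain: str


@dataclass
class Policy:
    role_template_pattern: str = "ROLE_TEMPLATE_FOR_{role}"
    default_role: str = "reporter"
    # Identikey Administration Logon ships with DUR disabled.
    dynamic_user_registration: bool = False


class RoleTemplateError(Exception):
    """No unique template could be resolved, or DUR is off."""


# Constructed directory contents. The two global_admin entries reproduce the
# misconfiguration the page warns about: same user ID in different domains.
SAMPLE_TEMPLATES: List[TemplateAccount] = [
    TemplateAccount("ROLE_TEMPLATE_FOR_reporter", "master"),
    TemplateAccount("ROLE_TEMPLATE_FOR_user_admin", "master"),
    TemplateAccount("ROLE_TEMPLATE_FOR_global_admin", "master"),
    TemplateAccount("ROLE_TEMPLATE_FOR_global_admin", "finance"),
]


def template_user_id(policy: Policy, role_claim: Optional[str]) -> str:
    """Expand the role template pattern; assumption: no role claim -> default role."""
    role = role_claim if role_claim else policy.default_role
    return policy.role_template_pattern.format(role=role)


def resolve_template(policy: Policy, templates: List[TemplateAccount],
                     role_claim: Optional[str]) -> TemplateAccount:
    """Return the single template account a new user would be created from."""
    if not policy.dynamic_user_registration:
        raise RoleTemplateError(
            "DUR is disabled in the effective policy; no account can be created")
    wanted = template_user_id(policy, role_claim)
    # Templates are identified by user ID only; the domain is not part of the key.
    matches = [t for t in templates if t.user_id == wanted]  # exact match assumed
    if not matches:
        raise RoleTemplateError(f"user role template {wanted} does not exist")
    if len(matches) > 1:
        domains = sorted(t.domain for t in matches)
        raise RoleTemplateError(
            f"{wanted} exists in domains {domains}; cannot resolve uniquely")
    return matches[0]


if __name__ == "__main__":
    policy = Policy(dynamic_user_registration=True)
    for claim in ("user_admin", None, "global_admin", "auditor"):
        try:
            t = resolve_template(policy, SAMPLE_TEMPLATES, claim)
            print(f"claim={claim!r}: create from {t.user_id} in domain {t.domain}")
        except RoleTemplateError as exc:
            print(f"claim={claim!r}: FAIL: {exc}")
    try:
        resolve_template(Policy(), SAMPLE_TEMPLATES, "user_admin")
    except RoleTemplateError as exc:
        print(f"default policy: FAIL: {exc}")
```

Running the module walks through the happy path (user_admin), the default-role fallback (no claim), the ambiguous duplicate (global_admin in two domains), a role with no template (auditor), and the default policy with DUR disabled, which is the state Task 4 exists to change.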