OIDC SSO

Setting up OpenID Connect authentication with your identity provider

OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0. This guide walks you through configuring OIDC SSO for your Opik organization.

OIDC SSO is available on Enterprise plans. This feature is not available in open-source deployments. Reach out if you want to enable this feature for your Opik deployment.

Prerequisites

Before you begin, ensure you have:

  • Organization admin access to Opik
  • Admin access to your identity provider that supports OIDC
  • Enterprise plan enabled for your organization
  • Email domain you want to use for SSO (e.g., company.com)

OIDC vs. SAML

OIDC offers several advantages over SAML:

Feature | OIDC | SAML
Protocol | REST/JSON-based | XML-based
Token format | JWT | XML assertions
Setup complexity | Simpler | More complex
Mobile/API friendly | Yes | Limited
Workspace sync | Via default workspace | Via attribute mapping

Choose OIDC when:

  • Your IdP supports OIDC (most modern IdPs do)
  • You prefer simpler configuration
  • You don’t need attribute-based workspace sync

Choose SAML when:

  • You need automatic workspace assignment based on user attributes
  • Your organization requires SAML specifically

Configuration overview

Setting up OIDC SSO involves:

  1. Register Opik in your identity provider as an OIDC application.
  2. Configure Opik with your IdP’s OIDC endpoints and credentials.

Step 1: Register Opik in your IdP

Create a new OIDC/OAuth application in your identity provider:

Application settings

Setting | Value
Application type | Web application
Grant type | Authorization Code
Redirect/Callback URL | https://www.comet.com/opik/oauth/callback/<organization-id>

The exact callback URL will be displayed in your Opik SSO configuration page. Copy it directly from there.

Required scopes

Ensure your OIDC application requests these scopes:

  • openid - Required for OIDC
  • profile - User profile information
  • email - User’s email address

Step 2: Gather IdP information

After registering the application, collect the following from your IdP:

Information | Description | Where to find
Client ID | Unique identifier for your application | IdP application settings
Client Secret | Secret key for authentication | IdP application settings
Authorization URL | Endpoint for authorization requests | IdP documentation or well-known endpoint
Token URL | Endpoint to exchange codes for tokens | IdP documentation or well-known endpoint
User Info URL | Endpoint to fetch user profile | IdP documentation or well-known endpoint

Well-known endpoint: Most OIDC providers expose a discovery document at /.well-known/openid-configuration containing all endpoint URLs.

Step 3: Configure Opik

  1. Navigate to Admin Dashboard > SSO Configuration.
  2. Select OIDC as the SSO protocol.
  3. Enter the following settings:

Required OIDC settings

Field | Description | Example
Domain | Email domain for SSO users | company.com
Client ID | Application identifier from your IdP | abc123xyz
Client Secret | Secret key from your IdP | secret_...
Authorization URL | IdP’s authorization endpoint | https://idp.company.com/oauth/authorize
Token URL | IdP’s token endpoint | https://idp.company.com/oauth/token
Callback URL | Opik’s callback URL | https://www.comet.com/opik/oauth/callback/...
User Info URL | IdP’s user info endpoint | https://idp.company.com/oauth/userinfo

Optional OIDC settings

Field | Description | Default
Default Workspace | Workspace for new SSO users | Organization default
Application Resource ID | Custom resource identifier | Not set

Field reference

Client ID

The unique identifier assigned to Opik when you registered it with your IdP:

  • Created when you register the application
  • Used in authorization requests to identify Opik
  • Should be treated as public (not secret)

Client Secret

The secret key used to authenticate Opik with your IdP:

  • Created when you register the application
  • Used when exchanging authorization codes for tokens
  • Must be kept secret - never expose in client-side code

Security: The client secret is sensitive. If compromised, regenerate it in your IdP and update the configuration in Opik.

Authorization URL (Auth Base URL)

The endpoint where users are redirected to authenticate:

https://idp.company.com/oauth/authorize

This URL receives authorization requests with:

  • client_id - Your application’s client ID
  • redirect_uri - The callback URL
  • scope - Requested permissions
  • response_type - Always code for authorization code flow
  • state - Security parameter to prevent CSRF

Token URL (Access Token URL)

The endpoint where Opik exchanges authorization codes for access tokens:

https://idp.company.com/oauth/token

Opik sends a POST request with:

  • grant_type - Always authorization_code
  • code - The authorization code received
  • redirect_uri - The callback URL
  • client_id and client_secret - For authentication

Callback URL

The URL where your IdP redirects users after authentication:

https://www.comet.com/opik/oauth/callback/<organization-id>

  • Must be registered in your IdP’s allowed redirect URIs
  • Must match exactly (including trailing slashes)
  • Opik generates this URL based on your organization ID

Protected Resource URL (User Info URL)

The endpoint where Opik fetches user profile information:

https://idp.company.com/oauth/userinfo

Opik uses the access token to request:

  • sub - User’s unique identifier
  • email - User’s email address
  • name - User’s display name
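The flow described in this field reference (reading endpoints from the discovery document, building the authorization request with a state parameter, forming the token exchange, and checking the user info claims) as an added Python example. This is not Opik's own code; the IdP hostname, client ID, client secret, organization segment of the callback URL and the discovery document are constructed placeholders.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document, shaped like what an IdP serves at
# /.well-known/openid-configuration (the hostname is a placeholder).
DISCOVERY_JSON = json.dumps({"issuer": "https://idp.company.com",
    "authorization_endpoint": "https://idp.company.com/oauth/authorize",
    "token_endpoint": "https://idp.company.com/oauth/token",
    "userinfo_endpoint": "https://idp.company.com/oauth/userinfo"})

def endpoints_from_discovery(doc_json):
    # The three URLs the Opik SSO form asks for, read from the discovery document.
    doc = json.loads(doc_json)
    keys = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
    missing = [k for k in keys if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return {k: doc[k] for k in keys}

def build_authorization_url(auth_url, client_id, redirect_uri):
    # Returns (url, state). Store state server-side; it is checked on the callback.
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "response_type": "code",
              "state": state}
    return f"{auth_url}?{urlencode(params)}", state

def parse_callback(callback_url, expected_state):
    # Reject IdP error responses and state mismatches before using the code.
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"IdP returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    return qs["code"][0]

def token_request_body(code, redirect_uri, client_id, client_secret):
    # Form fields POSTed to the token endpoint; redirect_uri must match step 1.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}

def validate_userinfo(userinfo_json):
    # A missing email claim is the "User not created" failure from Troubleshooting.
    info = json.loads(userinfo_json)
    for claim in ("sub", "email"):
        if not info.get(claim):
            raise ValueError(f"userinfo response missing required claim: {claim}")
    return {"sub": info["sub"], "email": info["email"], "name": info.get("name", "")}
```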

Default Workspace

When users authenticate via OIDC for the first time:

  • They are added to the default workspace specified in SSO settings.
  • If not specified, they are added to the organization’s default workspace.
  • Workspace assignment can be managed manually after initial login.

Unlike SAML with workspace sync, OIDC does not support automatic workspace assignment based on user attributes. Users are added to the default workspace on first login.

IdP-specific configuration guides

Configuring Okta

  1. In Okta Admin Console, go to Applications > Create App Integration.
  2. Select OIDC - OpenID Connect and Web Application.
  3. Configure settings:
    • Sign-in redirect URI: Your callback URL from Opik
    • Sign-out redirect URI: https://www.comet.com/opik
    • Controlled access: Assign users/groups as needed
  4. Note the Client ID and Client Secret.
  5. Find endpoints in Okta’s OpenID Connect Metadata or use:
    • Authorization: https://<your-domain>.okta.com/oauth2/v1/authorize
    • Token: https://<your-domain>.okta.com/oauth2/v1/token
    • User Info: https://<your-domain>.okta.com/oauth2/v1/userinfo

Testing the configuration

After configuring both Opik and your IdP:

  1. Open an incognito/private browser window (to avoid cached sessions).
  2. Navigate to Opik’s login page.
  3. Enter an email address with your configured domain.
  4. You should be redirected to your IdP for authentication.
  5. After authenticating, you should be redirected back to Opik and logged in.

Troubleshooting

Common issues

Issue | Possible cause | Solution
"Invalid redirect URI" | Callback URL mismatch | Verify callback URL matches exactly in both Opik and IdP
"Invalid client" | Wrong client ID | Verify client ID is copied correctly
"Invalid client credentials" | Wrong client secret | Verify client secret, regenerate if needed
"Scope not allowed" | IdP scope restrictions | Ensure openid, profile, email scopes are allowed
User not created | Missing email claim | Verify IdP returns email in user info response

Troubleshooting checklist

  1. Verify client credentials: Double-check client ID and secret.
  2. Check callback URL: Must match exactly (including protocol, trailing slashes).
  3. Validate endpoint URLs: Ensure all URLs are correct and accessible.
  4. Review IdP logs: Check your identity provider’s logs for errors.
  5. Test well-known endpoint: Verify /.well-known/openid-configuration returns valid JSON.
  6. Check scopes: Ensure required scopes are configured and allowed.

Debugging with browser tools

Use browser developer tools to inspect the authentication flow:

  1. Open Network tab before starting login.
  2. Look for requests to your IdP’s authorization endpoint.
  3. Check for error parameters in the callback URL.
  4. Review any error responses from the token endpoint.

Security considerations

Client secret protection

  • Store the client secret securely in Opik’s configuration.
  • Never expose the client secret in logs or client-side code.
  • Rotate the secret periodically per your security policies.

Callback URL validation

  • Only configure the exact callback URL provided by Opik.
  • Do not add additional redirect URIs unless necessary.
  • Review registered redirect URIs periodically.

Token handling

Opik handles tokens securely:

  • Access tokens are used server-side only.
  • Tokens are not exposed to the browser.
  • Sessions are managed securely after authentication.

Next steps