# Configuring OIDC authentication

> Configure OpenID Connect (OIDC) authentication for your Omni organization.

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0. When enabled, users in your organization can log into Omni using credentials from any OIDC-compliant identity provider.

## Requirements

To follow the steps in this guide, you'll need:

* **Omni Organization Admin permissions**
* **Access to your OIDC identity provider** with permissions to:
  * Create or configure applications
  * Access client credentials and discovery endpoints

## Limitations

**User sessions will expire after 24 hours**. This is not currently configurable.

## Setup

<Steps>
  <Step title="Retrieve OIDC provider details">
    In your OIDC identity provider, obtain the following information:

    * **Issuer URL** - The issuer URL of your OIDC server
    * **Client ID** - The unique identifier for your Omni application
    * **Client Secret** - The secret key for authenticating your application

    Keep this information handy - you'll need it to complete the setup in Omni.

    <Note>
      The exact steps to obtain these values will vary depending on your identity provider. Consult your provider's documentation for specific instructions on creating an OIDC application.
    </Note>
  </Step>

  <Step title="Configure redirect URI in your identity provider">
    In your OIDC identity provider's application settings, you'll need to configure the **Redirect URI** (also called **Callback URL**).

    The redirect URI should be in the following format:

    ```text
    https://[your-omni-subdomain].omniapp.co/auth/oidc/callback
    ```

    For example, if you log in to `https://blobsrus.omniapp.co`, your redirect URI would be:

    ```text
    https://blobsrus.omniapp.co/auth/oidc/callback
    ```
  </Step>

  <Step title="Configure Omni authentication settings">
    In Omni, navigate to **Settings > Authentication > OIDC Configuration** to complete the setup:

    * **Display name** - Enter a name, for example `Blobs R Us auth`
    * **Issuer URL** - Paste the issuer URL from your OIDC provider
    * **Client ID** - Copy and paste the Client ID from your OIDC provider
    * **Client Secret** - Copy and paste the Client Secret from your OIDC provider
    * **Automatically provision new users on first login from this OIDC provider** - Toggle this setting to **on** if you want to provision users only when they first access Omni
    * **Enable OIDC for users** - Toggle this setting to **on** to enable OIDC authentication

    When finished, click **Save OIDC changes**.
  </Step>

  <Step title="Test the setup">
    Test your OIDC setup by logging out of Omni. On the Omni login page, you should see a **Log in with OIDC** button. Click the button to log in using OIDC.

    If the setup is successful, you can proceed to assign the application to other users in your organization through your identity provider.
  </Step>
</Steps>
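
Before saving the settings, you can sanity-check the values collected in the steps above. The following is an added example, not Omni's own code: it builds the redirect URI in the format shown on this page and checks the provider's discovery metadata against the issuer URL per OpenID Connect Discovery 1.0. The function names, the subdomain pattern, and the `idp.example.com` sample metadata are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Redirect URI format is from this page; the single-DNS-label pattern is an assumption.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def omni_redirect_uri(subdomain):
    """Build the exact callback URL to register with the identity provider."""
    if not SUBDOMAIN_RE.fullmatch(subdomain):
        raise ValueError(f"not a single DNS label: {subdomain!r}")
    return f"https://{subdomain}.omniapp.co/auth/oidc/callback"

def discovery_url(issuer):
    """OIDC Discovery 1.0: metadata lives under the issuer at a well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer, metadata):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # The spec requires the advertised issuer to be identical to the configured one.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: metadata says {metadata.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    return problems

# Constructed sample metadata for a hypothetical provider (not a real endpoint).
SAMPLE = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "http://idp.example.com/tenant-a/keys",  # deliberately wrong scheme
}

if __name__ == "__main__":
    print(omni_redirect_uri("blobsrus"))
    print(discovery_url("https://idp.example.com/tenant-a"))
    # A trailing slash is a common copy/paste slip that breaks the exact-match rule.
    for p in check_issuer("https://idp.example.com/tenant-a/", SAMPLE):
        print("problem:", p)
```

To run the check against your own provider, fetch the JSON document at the address returned by `discovery_url()` and pass the parsed result to `check_issuer()` in place of `SAMPLE`.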

**Note**: When users are removed from your OIDC system, they will be de-provisioned and revoked in Omni, which has implications for the schedules and content they own. See the [Revoke Membership](/administration/users/delete) page for more details.
