SSO (OIDC)

Asiri also supports OpenID Connect (OIDC) as an alternative to SAML. OIDC is the simpler protocol of the two — if your identity provider supports both, pick whichever your team is already operating. The user experience, domain verification, and role mapping behave identically.

Configuration lives at Settings → SSO → Provider: OIDC and requires the admin role.

Flow model

Like SAML, OIDC sign-in in Asiri v1 is SP-initiated only: the user starts at app.asiri.ng and is redirected to your IdP. IdP-initiated sign-in is not supported.

What you need

Three values from your IdP:

Field           Description
Issuer URL      The OIDC issuer — must be https://. Asiri derives the discovery endpoint from it.
Client ID       The application id your IdP issued for Asiri.
Client secret   The corresponding secret. Stored encrypted and never returned over the API.

Asiri uses the OIDC authorization code flow with PKCE, requests the openid, email, and profile scopes, and reads email and name from the userinfo response.

Callback URL Asiri publishes

Register this URL as a permitted redirect URI in your IdP application config:

https://api.asiri.ng/api/auth/sso/callback/tenant-{your-tenant-id}

Replace {your-tenant-id} with the workspace tenant id shown at Settings → SSO.

Setup

  1. In your IdP, create an OIDC application.
  2. Set the redirect URI to the Asiri callback URL above.
  3. Copy the Issuer URL, Client ID, and Client secret out of your IdP.
  4. In Asiri, go to Settings → SSO, switch the provider to OIDC, and paste the three values.
  5. Set the default role for newly provisioned users (see Role mapping).
  6. Add at least one enforced domain and verify ownership — same DNS TXT flow as SAML; see Domain verification.
  7. Toggle Enabled and save.

Asiri will hit {issuer}/.well-known/openid-configuration at sign-in time to resolve the authorization, token, and userinfo endpoints. The issuer URL must be reachable from Asiri’s network.
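The two paragraphs above describe the client side of what Asiri does at sign-in: derive the discovery document from the issuer, pull the three endpoints out of it, then send the browser to the authorization endpoint with PKCE and the openid, email and profile scopes. The following is an added example of that sequence, not Asiri's own code; the discovery JSON is constructed, the client id is a placeholder, and the issuer-match, https-only and S256 checks are the ones a relying party would reasonably apply before trusting the metadata.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample discovery document (not from a real IdP), standing in for
# the JSON that {issuer}/.well-known/openid-configuration would return.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "code_challenge_methods_supported": ["S256"],
})

# Asiri's published callback; {your-tenant-id} is the placeholder from the page.
CALLBACK_URL = "https://api.asiri.ng/api/auth/sso/callback/tenant-{your-tenant-id}"

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def discovery_url(issuer):
    """Derive the discovery endpoint from the issuer URL (issuer must be https://)."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("issuer URL must be an absolute https:// URL")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def parse_discovery(issuer, body):
    """Validate the discovery JSON: the issuer claim must match the configured
    issuer, and the endpoints Asiri needs must be present and https://."""
    doc = json.loads(body)
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        raise ValueError("discovery 'issuer' does not match the configured issuer URL")
    endpoints = {}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            raise ValueError(key + " is missing or not https://")
        endpoints[key] = url
    # Listing PKCE methods is optional in the metadata, but if the IdP lists
    # them and S256 is absent, the challenge built below would be rejected.
    methods = doc.get("code_challenge_methods_supported")
    if methods is not None and "S256" not in methods:
        raise ValueError("IdP does not advertise the S256 PKCE method")
    return endpoints


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(endpoints, client_id, redirect_uri=CALLBACK_URL):
    """Build the SP-initiated redirect to the IdP. Returns the URL and the
    per-login values the server must keep in the session for the callback."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(24)   # ties the callback to this browser session
    nonce = secrets.token_urlsafe(24)   # echoed in the ID token; checked on return
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = endpoints["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"code_verifier": verifier, "state": state, "nonce": nonce}


if __name__ == "__main__":
    issuer = "https://idp.example.com"
    print("discovery:", discovery_url(issuer))
    ep = parse_discovery(issuer, SAMPLE_DISCOVERY)
    url, session = build_authorization_request(ep, "client-id-placeholder")
    print("redirect to:", url)
```

The issuer comparison is the check that matters most: a discovery document whose issuer claim differs from the URL you fetched it from is either misconfigured or not the document you think it is, and the endpoints in it should not be used. The PKCE test vector used in the verification below is the one published in RFC 7636.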

Editing the client secret

The client secret is write-only. The settings page shows whether one is currently set (hasOidcClientSecret: true) but never the value. Leaving the secret field blank when you save preserves the existing secret. To rotate it, paste the new value into the field and save.

Role mapping

Every user provisioned through OIDC is assigned the workspace’s defaultRole. The allowed values, semantics, and propagation behaviour are identical to SAML — see SSO (SAML) → Role mapping.

For per-user role assignment, use SCIM provisioning.
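The role mapping above and the domain check from the setup steps both happen after the IdP redirects the user back. The following is an added example of that callback side, not Asiri's code: it checks the state parameter against the session, builds the token request with the PKCE verifier, then reads email and name from a constructed userinfo response, refuses any email whose domain is not on the verified list, and stamps the workspace default role (a placeholder value here) onto the new user.

```python
import json
import secrets

# Constructed sample userinfo response (not from a real IdP), standing in for
# what the IdP's userinfo endpoint returns after the token exchange.
SAMPLE_USERINFO = json.dumps({
    "sub": "248289761001",
    "email": "Ada@Example.com",
    "email_verified": True,
    "name": "Ada Lovelace",
})

# Placeholder: the real value is the workspace's defaultRole from Settings -> SSO.
DEFAULT_ROLE = "<workspace-defaultRole>"


def build_token_request(callback_params, session, client_id, client_secret, redirect_uri):
    """Form body for the token endpoint (client_secret_post; HTTP Basic auth is
    the other common client authentication method). Refuses a callback whose
    state does not match the value stored when the authorization request was built."""
    if "error" in callback_params:
        raise PermissionError("IdP returned error: " + callback_params["error"])
    received = callback_params.get("state", "").encode()
    if not secrets.compare_digest(received, session["state"].encode()):
        raise PermissionError("state mismatch: callback does not belong to this session")
    return {
        "grant_type": "authorization_code",
        "code": callback_params["code"],
        "redirect_uri": redirect_uri,            # must equal the one sent in the auth request
        "code_verifier": session["code_verifier"],
        "client_id": client_id,
        "client_secret": client_secret.strip(),  # the page notes the API trims the stored secret
    }


def provision_user(userinfo_body, verified_domains, default_role=DEFAULT_ROLE):
    """Read email and name from userinfo, gate on the DNS-verified domain list,
    and assign the workspace default role to the newly provisioned user."""
    info = json.loads(userinfo_body)
    email = (info.get("email") or "").strip().lower()
    if "@" not in email:
        raise ValueError("userinfo response carries no usable email claim")
    domain = email.rsplit("@", 1)[1]
    if domain not in {d.lower() for d in verified_domains}:
        raise PermissionError("Domain not verified: " + domain)
    return {
        "subject": info.get("sub"),
        "email": email,
        "name": info.get("name", ""),
        "role": default_role,
    }


if __name__ == "__main__":
    session = {"state": "demo-state", "code_verifier": "demo-verifier"}
    body = build_token_request(
        {"code": "demo-code", "state": "demo-state"}, session,
        "client-id-placeholder", "client-secret-placeholder",
        "https://api.asiri.ng/api/auth/sso/callback/tenant-{your-tenant-id}",
    )
    print("token request:", body)
    print("user:", provision_user(SAMPLE_USERINFO, ["example.com"]))
```

The domain gate is deliberately a hard failure rather than a fallback to a different role: a user whose IdP-asserted email is outside the verified domains is exactly the case the page's "Domain not verified" error describes, and letting them in with any role would defeat the purpose of verifying ownership.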

Troubleshooting

“Discovery endpoint unreachable”

The issuer URL is wrong, or your IdP isn’t publishing /.well-known/openid-configuration. Confirm the URL by opening {issuer}/.well-known/openid-configuration in a browser — you should see JSON.

“Invalid redirect URI”

The redirect URI you registered in your IdP doesn’t match Asiri’s callback URL. The URL must end in tenant-{your-tenant-id} exactly — no trailing slash, no extra path.

“Invalid client” / “Authentication failed”

The client ID or secret you saved in Asiri doesn’t match what your IdP expects. Re-copy both from the IdP application and save again. Note that a secret pasted with leading or trailing whitespace can fail silently: Asiri’s API trims the value on save, but some IdPs treat that whitespace as significant.

“Domain not verified”

OIDC sign-in succeeded at your IdP but the user’s email domain isn’t DNS-verified on this workspace. See SSO (SAML) → Domain verification for the TXT record format.