Configure single sign-on with OIDC

Follow these steps to enable single sign-on (SSO) with OpenID Connect (OIDC) in your DigiCert ONE account. If another sign in method is also enabled, users can select which method to use.

Prerequisites

Before configuring OIDC in DigiCert ONE:

Have administrator access to your company's identity provider (IDP) service, such as PingOne and Okta.
Register DigiCert ONE as an OIDC application with your identity provider (IDP).
Configure your IDP to send a preferred_username claim in the ID token.

Tip

To learn how to register applications for OIDC and configure claims, refer to the documentation for your IDP.

Configure OIDC in DigiCert ONE

In the Managers (grid icon) menu, select Account.
In the Account menu, go to Accounts.
On the Accounts page, in the Name column, select the account you want enable OIDC authentication for.
On the Account details page, under Sign in settings for all-account-access users, find Single sign-on with OIDC. Select Edit.
On the Update OpenID Connect integration page, select the option to Enable OIDC authentication.
From the Update OpenID Connect integration page, copy the following values, and provide them to your IDP wherever you configure the OIDC integration with DigiCert ONE.
- Redirect / callback URL: When users sign in to an OIDC-enabled account, your OIDC service generates an authentication response and token ID. The OIDC service sends this authentication information back to DigiCert ONE using this URL.
- Login initiation endpoint: DigiCert-provided URL that users can access to sign in to DigiCert ONE using OIDC-based SSO.
- Logout endpoint: Your OIDC provider uses the logout endpoint to sign the user out of any applications they’ve logged into via the provider.
Under Enter this information from your OIDC service, enter the information your IdP provides for each of these values.
- Authorization endpoint: Authorization endpoint for your OIDC service.
- Token endpoint: Endpoint on the authorization server that DigiCert ONE can use to request access tokens from your OIDC service.
- JWKS endpoint: Endpoint on the authorization server that DigiCert ONE can use to request a JSON Web Key Set (JWKS) with the public keys to verify access token signatures.
- Client secret: Password from your IDP that DigiCert ONE can use to authenticate requests to your OIDC service.
- Client ID: ID from your IDP that DigiCert ONE can use to identify itself in requests to your OIDC service.
- ID token audience: Intended recipient of ID tokens your OIDC service generates. Must match the ID token audience configured in your IDP.
- ID token issuer: Name (URL) of the ID token issuer for your OIDC service. Must match the ID token issuer configured in your IDP.
Select Update OIDC to save your settings in DigiCert ONE.

Troubleshooting

To configure SSO with OIDC, you need to create an OIDC application for DigiCert® account in your IdP. During the process of creating this application, you need to provide DigiCert URLs. When the application is created, you need to provide to DigiCert® account with specific values from the OIDC application you created.

Tip

To perform this action, you must be an admin in your IdP.

How do I create an OIDC app for DigiCert in my IdP?

Select your IdP:

Where do I provide DigiCert URLs in my IdP?

Select your IdP:

Example 3. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

Entra requires these DigiCert URLs after you’ve created the OIDC application.

If your OIDC app is already registered:

Sign in to the Microsoft Entra admin center.
In the left pane, navigate to Microsoft Entra ID > Manage > Enterprise applications.
Select your OIDC application for DigiCert account.
From the application's overview, in the Redirect URIs field, select Add a Redirect URI.
1. In the Platform configurations section, select + Add a platform.
2. Select Web.
3. In the Configure Web page:
4. Enter the Redirect URI from DigiCert account into the Redirect URIs field.
5. Enter the Logout URL from DigiCert account into the Front-channel logout URL field.
6. Select Configure.
On the Platform configurations page, in the Web Redirect URIs section, select Add URI.
1. Enter the Login URL from DigiCert account.
2. Select Save.

Example 4. Okta

For complete setup instructions, see Create OIDC application in Okta.

Okta requires these DigiCert URLs while creating the OIDC app.

To create an OIDC app in Okta:

Sign in to your Okta Admin Console.
Go to Applications > Applications.
Select Create App integration:
Select OIDC - OpenID Connect as the Sign-in method.
Select Web application as the Application type.
Select Next.
Enter DigiCert® account as the App integration name.
Copy the following values from DigiCert and provide it in Okta:
1. Copy the Redirect URI and enter it into the Sign-in redirect URIs field in Okta
2. Copy the Logout URL and enter it into the Sign-out redirect URIs field.
In the Assignments section, select Skip group assignments for now.
Select Save.
On the General tab in Okta, scroll down to the General Setting section, and select Edit.
1. In the Login section, select Either Okta or App in the Login initiated by field.
2. Copy the Login URL from DigiCert into the Initiate login URI field.

Where do I find the values required by DigiCert in my IdP?

Select your IdP:

Example 5. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

After you create the OIDC app in Entra, these values will be available for you to copy.

If your OIDC app is already registered:

Sign in to the Microsoft Entra admin center.
In the left pane, navigate to Microsoft Entra ID > Manage > Enterprise applications.
Select your OIDC application for DigiCert account.
From the application overview, copy the Application (client) ID field and enter it in the following fields in DigiCert account:
1. Client ID
2. ID token audience
In the Client credentials field, select Add a certificate or secret.
1. On the Client secrets tab, select + New client secret.
2. In the Description field, enter a name.
3. In the Expires field, select a timeframe.
4. Select Add.
Copy the Value of the client secret you created and enter it into the Client secret field in DigiCert account.
In the application menu, select Overview > Endpoints.
1. Copy the OpenID Connect metadata document URL and enter it into the Provider URL in DigiCert account.
  Example: https://login.microsoftonline.com/a0b1c3-.../v2.0/.well-known/openid-configuration

Example 6. Okta

For complete setup instructions, see Create OIDC application in Okta.

After you create the OIDC app in Okta, these values will be available for you to copy.

If your OIDC app is already created:

Sign in to your Okta Admin dashboard.
Go to Applications > Applications.
Select your OIDC application for DigiCert account.
From the application overview, go to the General tab > Client credentials:
1. Copy the Client ID field and enter it in the following fields in DigiCert account:
  1. Client ID
  2. ID token audience
2. In the Client secrets section in Okta, copy the Client secret and enter it into the in the Client secret field in DigiCert.
To construct the Provider URL required in DigiCert account:
1. From left menu, select Security > API.
2. On the Authorization servers tab, copy the Issuer URL.
  Example: https://example.okta.com/oauth2/default
3. Replace /oauth2/default in the Issuer URL with /.well-known/openid-configuration
Enter the constructed URL in the Provider URL in DigiCert account.
Example: https://example.okta.com/.well-known/openid-configuration

How can I test that my OIDC app works?

Select your IdP:

Example 7. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

If your OIDC app is already created, attempt to sign in to DigiCert account, using your Entra credentials:

Sign in to DigiCert® account.
Provide your Entra username.
Select Sign in with your company's SSO.
Tip
When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.
- Your SAML app is configured correctly if:
  You use 2FA to access your IdP, and you're automatically signed in to your DigiCert account.
  You don't use 2FA to access your IdP, you're redirected to your DigiCert account and asked to finish two-factor authentication (2FA).
- If you aren't able to sign in with SSO, compare your app settings to these instructions or contact DigiCert Support for assistance.

Example 8. Okta

For complete setup instructions, see Create OIDC application in Okta.

If your OIDC app is already created, attempt to sign in to DigiCert account, using your Okta credentials:

Sign in to DigiCert® account.
Provide your Okta username.
Select Sign in with your company's SSO.
Tip
When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.
- Your SAML app is configured correctly if:
  You use 2FA to access your IdP, and you’re automatically signed into your DigiCert account.
  You don't use 2FA to access your IdP, you’re redirected to your DigiCert account and asked to finish two-factor authentication (2FA).
- If you aren’t able to sign in with SSO, compare your app settings to these instructions or contact DigiCert Support for assistance.

What's next

Finish any remaining steps in your IdP to finalize the connection to DigiCert ONE

DigiCert ONE sends existing users in your account the Single sign-on access to DigiCert email. The email lets them know you enabled SSO for their account.

Two-factor authentication (2FA) and SSO with OIDC

When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.

In this section:

Configure single sign-on with OIDC

Tip

Prerequisites

Tip

Configure OIDC in DigiCert ONE

Troubleshooting

Tip

How do I create an OIDC app for DigiCert in my IdP?

Where do I provide DigiCert URLs in my IdP?

Where do I find the values required by DigiCert in my IdP?

How can I test that my OIDC app works?

Tip

Tip

What's next

Two-factor authentication (2FA) and SSO with OIDC

Search results