Configure single sign-on with OIDC

Follow these steps to enable single sign-on (SSO) with OpenID Connect (OIDC) in your DigiCert® account account. If another sign in method is also enabled, users can select which method to use.

Prerequisites

Before configuring OIDC in DigiCert® account:

Have administrator access to your company's identity provider (IDP) service, such as PingOne and Okta.
Register DigiCert® account as an OIDC application with your identity provider (IDP).
Configure your IDP to send a preferred_username claim in the ID token.

Tip

To learn how to register applications for OIDC and configure claims, refer to the documentation for your IDP.

Set up SSO with OIDC

In DigiCert® account, select the Accounts icon > sign in methods.
Select Single-Sign-On with OIDC.
The Connect DigiCert to your IdP section, provides you with details you need to provide to your IdP when creating the DigiCert® account application:
1. Redirect URI
  When users sign in to an OIDC-enabled account, your OIDC service generates an authentication response and token ID. The OIDC service sends this authentication information back to DigiCert® account using this URL.
2. Login URL
  DigiCert-provided URL that users can access to sign in to DigiCert® account using OIDC-based SSO.
3. Logout URL
  Your OIDC provider uses the logout endpoint to sign the user out of any applications they’ve logged into via the provider.
  Tip
  Where do I provide these URLs in my IdP?
After creating your application in your IdP, provide these details in the Connect your IdP to DigiCert section:
1. Provider URL
  The URL of your IdP's OIDC discovery endpoint, used by DigiCert to retrieve metadata for authentication. It often follows the format: https://<your-idp-domain>/.well-known/openid-configuration.
2. Client ID
  ID from your IdP that DigiCert® account can use to identify itself in requests to your OIDC service.
3. Client secret
  Password from your IdP that DigiCert® account can use to authenticate requests to your OIDC service.
4. ID token audience
  Intended recipient of ID tokens your OIDC service generates. Must match the ID token audience configured in your IdP.
  Tip
  Where can I find these values in my IdP?
When both steps are finished, In the Enable/Disable SSO with OIDC section, switch the button to enable SSO with SAML.
Select Save configuration.

Troubleshooting

To configure SSO with OIDC, you need to create an OIDC application for DigiCert® account in your IdP. During the process of creating this application, you need to provide DigiCert URLs. When the application is created, you need to provide to DigiCert® account with specific values from the OIDC application you created.

Tip

To perform this action, you must be an admin in your IdP.

How do I create an OIDC app for DigiCert in my IdP?

Select your IdP:

Where do I provide DigiCert URLs in my IdP?

Select your IdP:

Example 3. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

Entra requires these DigiCert URLs after you’ve created the OIDC application.

If your OIDC app is already registered:

Sign in to the Microsoft Entra admin center.
In the left pane, navigate to Microsoft Entra ID > Manage > Enterprise applications.
Select your OIDC application for DigiCert account.
From the application's overview, in the Redirect URIs field, select Add a Redirect URI.
1. In the Platform configurations section, select + Add a platform.
2. Select Web.
3. In the Configure Web page:
4. Enter the Redirect URI from DigiCert account into the Redirect URIs field.
5. Enter the Logout URL from DigiCert account into the Front-channel logout URL field.
6. Select Configure.
On the Platform configurations page, in the Web Redirect URIs section, select Add URI.
1. Enter the Login URL from DigiCert account.
2. Select Save.

Example 4. Okta

For complete setup instructions, see Create OIDC application in Okta.

Okta requires these DigiCert URLs while creating the OIDC app.

To create an OIDC app in Okta:

Sign in to your Okta Admin Console.
Go to Applications > Applications.
Select Create App integration:
Select OIDC - OpenID Connect as the Sign-in method.
Select Web application as the Application type.
Select Next.
Enter DigiCert® account as the App integration name.
Copy the following values from DigiCert and provide it in Okta:
1. Copy the Redirect URI and enter it into the Sign-in redirect URIs field in Okta
2. Copy the Logout URL and enter it into the Sign-out redirect URIs field.
In the Assignments section, select Skip group assignments for now.
Select Save.
On the General tab in Okta, scroll down to the General Setting section, and select Edit.
1. In the Login section, select Either Okta or App in the Login initiated by field.
2. Copy the Login URL from DigiCert into the Initiate login URI field.

Where do I find the values required by DigiCert in my IdP?

Select your IdP:

Example 5. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

After you create the OIDC app in Entra, these values will be available for you to copy.

If your OIDC app is already registered:

Sign in to the Microsoft Entra admin center.
In the left pane, navigate to Microsoft Entra ID > Manage > Enterprise applications.
Select your OIDC application for DigiCert account.
From the application overview, copy the Application (client) ID field and enter it in the following fields in DigiCert account:
1. Client ID
2. ID token audience
In the Client credentials field, select Add a certificate or secret.
1. On the Client secrets tab, select + New client secret.
2. In the Description field, enter a name.
3. In the Expires field, select a timeframe.
4. Select Add.
Copy the Value of the client secret you created and enter it into the Client secret field in DigiCert account.
In the application menu, select Overview > Endpoints.
1. Copy the OpenID Connect metadata document URL and enter it into the Provider URL in DigiCert account.
  Example: https://login.microsoftonline.com/a0b1c3-.../v2.0/.well-known/openid-configuration

Example 6. Okta

For complete setup instructions, see Create OIDC application in Okta.

After you create the OIDC app in Okta, these values will be available for you to copy.

If your OIDC app is already created:

Sign in to your Okta Admin dashboard.
Go to Applications > Applications.
Select your OIDC application for DigiCert account.
From the application overview, go to the General tab > Client credentials:
1. Copy the Client ID field and enter it in the following fields in DigiCert account:
  1. Client ID
  2. ID token audience
2. In the Client secrets section in Okta, copy the Client secret and enter it into the in the Client secret field in DigiCert.
To construct the Provider URL required in DigiCert account:
1. From left menu, select Security > API.
2. On the Authorization servers tab, copy the Issuer URL.
  Example: https://example.okta.com/oauth2/default
3. Replace /oauth2/default in the Issuer URL with /.well-known/openid-configuration
Enter the constructed URL in the Provider URL in DigiCert account.
Example: https://example.okta.com/.well-known/openid-configuration

How can I test that my OIDC app works?

Select your IdP:

Example 7. Microsoft Entra ID

For complete setup instructions, see Create OIDC application in Entra.

If your OIDC app is already created, attempt to sign in to DigiCert account, using your Entra credentials:

Sign in to DigiCert® account.
Provide your Entra username.
Select Sign in with your company's SSO.
Tip
When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.
- Your SAML app is configured correctly if:
  You use 2FA to access your IdP, and you're automatically signed in to your DigiCert account.
  You don't use 2FA to access your IdP, you're redirected to your DigiCert account and asked to finish two-factor authentication (2FA).
- If you aren't able to sign in with SSO, compare your app settings to these instructions or contact DigiCert Support for assistance.

Example 8. Okta

For complete setup instructions, see Create OIDC application in Okta.

If your OIDC app is already created, attempt to sign in to DigiCert account, using your Okta credentials:

Sign in to DigiCert® account.
Provide your Okta username.
Select Sign in with your company's SSO.
Tip
When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.
- Your SAML app is configured correctly if:
  You use 2FA to access your IdP, and you’re automatically signed into your DigiCert account.
  You don't use 2FA to access your IdP, you’re redirected to your DigiCert account and asked to finish two-factor authentication (2FA).
- If you aren’t able to sign in with SSO, compare your app settings to these instructions or contact DigiCert Support for assistance.

Two-factor authentication (2FA) and SSO with OIDC

When 2FA is enabled, DigiCert skips the OTP prompt if you have already provided an OTP to your IdP.

In this section:

Configure single sign-on with OIDC

Tip

Prerequisites

Tip

Set up SSO with OIDC

Tip

Tip

Troubleshooting

Tip

How do I create an OIDC app for DigiCert in my IdP?

Where do I provide DigiCert URLs in my IdP?

Where do I find the values required by DigiCert in my IdP?

How can I test that my OIDC app works?

Tip

Tip

Two-factor authentication (2FA) and SSO with OIDC

Search results