# OIDC SSO Setup

> Configure Single Sign-On with a Generic OpenID Connect Identity Provider

If your organization uses an OpenID Connect (OIDC) identity provider other than Azure AD or Okta (e.g., Ping Identity, OneLogin, Keycloak, Auth0, or another OIDC-compliant IdP), you can configure SSO for Devin Enterprise using a generic OIDC connection.

<Note>
  This guide is for customers whose identity provider is **not** natively supported by the [Azure AD (OIDC)](/enterprise/security-access/sso/azure) or [Okta (OIDC)](/enterprise/security-access/sso/okta) integrations. If your IdP is Azure AD or Okta, we recommend using the native integration instead, as it provides a more streamlined setup experience.
</Note>

## What You'll Need

The following information is required to set up OIDC SSO for Devin. You will collect these during the setup steps below and send them to your Cognition account team in the final step.

* **Discovery URL** - Your IdP's OIDC Discovery endpoint (e.g., `https://idp.example.com/.well-known/openid-configuration`)
* **Client ID** - The application Client ID from your IdP
* **Client Secret** - The application Client Secret from your IdP
* **Identity Provider Domains** - All company email domains that will authenticate through this IdP (e.g., `example.com`, `subsidiary.example.com`)
* **Scopes** - The OIDC scopes to request (typically `openid profile email`; add `groups` if using IdP groups)

## Setup Instructions

### Step 1: Register an Application in Your IdP

In your identity provider's admin console, create a new OIDC / OAuth 2.0 application (sometimes called a "Web Application" or "Confidential Client") with the following settings:

| Setting                                 | Value                                  |
| :-------------------------------------- | :------------------------------------- |
| **Application Type**                    | Web Application / Confidential Client  |
| **Sign-in Redirect URI (Callback URL)** | `https://auth.devin.ai/login/callback` |
| **Sign-out Redirect URI**               | Leave empty                            |
| **Grant Type**                          | Authorization Code                     |
| **Token Endpoint Authentication**       | Client Secret (POST)                   |

After creating the application, note the **Client ID** and **Client Secret** provided by your IdP.

### Step 2: Locate Your Discovery URL

Most OIDC-compliant identity providers publish an OpenID Connect Discovery document. This URL allows Devin to automatically retrieve your IdP's authorization, token, and userinfo endpoints.

The Discovery URL typically follows this pattern:

```
https://<your-idp-domain>/.well-known/openid-configuration
```

<Note>
  Common Discovery URL formats by provider:

  * **Keycloak**: `https://<host>/realms/<realm>/.well-known/openid-configuration`
  * **Ping Identity**: `https://<host>/<tenant-id>/as/.well-known/openid-configuration`
  * **OneLogin**: `https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration`
  * **Auth0**: `https://<domain>/.well-known/openid-configuration`
  * **Google Workspace**: `https://accounts.google.com/.well-known/openid-configuration`

  You can verify the URL by opening it in a browser — it should return a JSON document containing fields like `authorization_endpoint`, `token_endpoint`, and `issuer`.
</Note>
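Before sending the Discovery URL on, it is worth checking that the document it returns actually supports the settings from the Step 1 table. The script below is an added example (not part of the Devin docs or a Cognition tool); `SAMPLE_DOCUMENT` and `idp.example.com` are constructed, and in practice you would fetch your own Discovery URL and pass the parsed JSON to `check_discovery_document()`.

```python
# Added example (not from the Devin docs): sanity-check an OIDC discovery document
# before sending the Discovery URL to Cognition. SAMPLE_DOCUMENT is a constructed,
# abbreviated sample; in practice GET your Discovery URL and pass the parsed JSON.
import json
from urllib.parse import urlparse

SAMPLE_DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DOCUMENT = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "scopes_supported": ["openid", "profile", "email", "roles"],
  "response_types_supported": ["code", "id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}""")
# Endpoints an authorization-code flow with a userinfo lookup needs.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
def check_discovery_document(discovery_url, doc, scopes):
    """Return a list of problems; an empty list means the document fits this guide.

    Checks: required endpoints present and HTTPS; issuer consistent with the
    Discovery URL (it must equal issuer + '/.well-known/openid-configuration');
    response_type=code offered; client_secret_post accepted (Step 1 table);
    every requested scope advertised, when scopes_supported is published at all.
    """
    problems = []
    for field in REQUIRED_ENDPOINTS:
        url = doc.get(field)
        if not url:
            problems.append(f"missing {field}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    issuer = doc.get("issuer", "").rstrip("/")
    if discovery_url != issuer + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer!r} does not match the Discovery URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported (needed for Authorization Code)")
    # OIDC Discovery: when omitted, only client_secret_basic is implied.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in auth_methods:
        problems.append("token endpoint does not accept client_secret_post")
    advertised = doc.get("scopes_supported")  # RECOMMENDED, not required, in the spec
    if advertised is not None:
        problems += [f"scope {s!r} not advertised in scopes_supported"
                     for s in scopes if s not in advertised]
    return problems
```

With the sample document, requesting `openid profile email` passes, while adding `groups` is flagged because this IdP advertises `roles` instead, which is exactly the situation the scope note in Step 3 describes.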

### Step 3: Configure Scopes

OIDC scopes control what user information Devin receives during authentication. At minimum, request the following scopes:

| Scope     | Purpose                                               | Required                 |
| :-------- | :---------------------------------------------------- | :----------------------- |
| `openid`  | Required for all OIDC flows                           | Yes                      |
| `profile` | Returns the user's display name                       | Yes                      |
| `email`   | Returns the user's email address                      | Yes                      |
| `groups`  | Returns the user's group memberships (for IdP groups) | Only if using IdP groups |

Your scopes string should be: `openid profile email` (or `openid profile email groups` if using IdP groups).

<Note>
  Some IdPs use a different scope name for group claims (e.g., `roles` or a custom scope). Check your IdP's documentation for the correct scope name that returns group membership information.
</Note>

### Step 4: Configure Group Claims (Required for IdP Groups)

<Warning>
  If you want to use [IdP Group Integration](/enterprise/security-access/idp-groups) for role-based access control in Devin, you **must** configure your IdP to include group membership in the ID token or userinfo response. Without this, users will authenticate successfully but IdP groups will not be synced.
</Warning>

To enable IdP group syncing:

1. In your IdP, ensure the `groups` scope is available for the application
2. Configure your IdP to include a `groups` claim in the ID token or userinfo response

<Note>
  If your IdP does not include group claims by default, you may need to create a custom scope or configure a claims mapping policy. Consult your IdP's documentation for instructions on adding group claims to OIDC tokens.
</Note>
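The failure mode described in the warning above (users sign in, groups never sync) is easiest to catch by looking at the claims your IdP actually emits after Steps 3 and 4. The following is an added example, not code from the Devin docs: it decodes the payload of an ID token (or takes a parsed userinfo response) and reports which of the claims this guide relies on are missing, recognising `roles` as the common alternative name for the group claim. The sample token, payload and user are constructed, and the signature is not validated, since this is setup-time inspection of claim names, not authentication.

```python
# Added example (not from the Devin docs): check which claims your IdP actually
# emits after Steps 3 and 4, from an ID token's payload or a userinfo response.
# The signature is deliberately NOT validated here: this is setup-time inspection
# of claim names, not authentication. The token below is a constructed sample
# with a placeholder signature segment, not one issued by a real IdP.
import base64
import json

REQUIRED_CLAIMS = ("sub", "email", "name")   # what the profile + email scopes should yield
GROUP_CLAIM_CANDIDATES = ("groups", "roles")  # 'roles' is the common alternative name

def _b64url(data):
    """base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token):
    """Return the payload claims of a compact JWS (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def audit_claims(claims, expect_groups):
    """Return (missing_claims, group_claim_name).

    group_claim_name is the first candidate claim carrying a list, else None.
    With expect_groups=True and no such claim, 'groups' is reported missing:
    the symptom is users logging in fine while no IdP groups ever sync.
    """
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    group_claim = next((c for c in GROUP_CLAIM_CANDIDATES
                        if isinstance(claims.get(c), list)), None)
    if expect_groups and group_claim is None:
        missing.append("groups")
    return missing, group_claim

# Constructed sample ID token: an IdP that puts group membership in a 'roles' claim.
SAMPLE_PAYLOAD = {"iss": "https://idp.example.com", "sub": "u-123",
                  "aud": "<client-id>", "email": "alice@example.com",
                  "name": "Alice Example", "roles": ["engineering", "devin-admins"]}
SAMPLE_ID_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode()),
                            _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
                            _b64url(b"placeholder-signature")])
# Constructed userinfo response from an IdP that was not configured for group claims.
SAMPLE_USERINFO_NO_GROUPS = {"sub": "u-123", "email": "alice@example.com", "name": "Alice Example"}
```

If `audit_claims` reports `groups` missing for a user who is a member of at least one group, the claims mapping in Step 4 is what needs fixing, not the Cognition-side configuration.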

### Step 5: Send Configuration to Cognition

Send the following to your Cognition account team:

1. **Discovery URL** (e.g., `https://idp.example.com/.well-known/openid-configuration`)
2. **Client ID**
3. **Client Secret**
4. **Identity Provider Domains** (all email domains for this IdP)
5. **Scopes** (e.g., `openid profile email groups`)

Your Cognition account team will configure the OIDC connection so that IdP groups sync automatically on each user login.

## Verifying Your Setup

After your Cognition account team confirms the configuration is complete:

1. Navigate to your Devin Enterprise URL (e.g., `https://<your_subdomain>.devinenterprise.com`)
2. Click **Sign in with OIDC** (or the equivalent SSO button) to initiate the login flow
3. You should be redirected to your IdP's login page
4. After authenticating, you should land in your Devin Enterprise organization

To verify IdP groups are working:

1. Go to **Settings** > **IdP Groups** in the Devin webapp
2. You should see your IdP groups listed after at least one group member has logged in
3. Groups are synced on each login, so any membership changes in your IdP will take effect the next time a user signs in

<Note>
  IdP groups are fetched upon user login, so changes in group membership will require reauthentication. See [IdP Group Integration](/enterprise/security-access/idp-groups) for more details on configuring group-based access control.
</Note>
