SSO with a dedicated OIDC Client

Learn how to set up Single Sign-On (SSO) for findIQ through your Identity Provider using the OIDC protocol.

Written By Tommy Giesbrecht

Last updated 5 days ago

This article describes how to set up Single Sign-On (SSO) for findIQ through your Identity Provider (IdP) using a dedicated OIDC Client. After reading, you will know which configuration steps are required and what information to share with the findIQ team.

You can access this area with the Administrator role.


What is SSO via OIDC?

SSO (Single Sign-On): An authentication method that allows users to sign in once and access multiple applications.

OIDC (OpenID Connect): An authentication protocol based on OAuth 2.0. findIQ uses OIDC to authenticate users through an external Identity Provider.

Identity Provider (IdP): A service that manages and verifies user identities — for example Microsoft Entra ID / Azure AD, Okta, Keycloak, Auth0, ADFS, or Google Workspace.

Claim Mapper: A configuration in the Identity Provider that adds custom fields (claims) to the Access Token. findIQ uses values in the roles claim to assign users to the correct organization and role.

Article goal: After reading this article, you will know how to create an OIDC client in your Identity Provider, configure the appropriate claim mapper, and activate the connection to findIQ.


How to set up SSO via OIDC

To set this up, you need administrator access to your Identity Provider and contact with the findIQ team.

1. Create an OIDC client in your Identity Provider

Create a new OIDC client in your Identity Provider with the following settings:

  • Enable Client Authentication (type: confidential)

  • Root URL (optional, depending on IdP): https://app.findiq.de

  • Redirect URL: https://app.findiq.de/auth/realms/api_main/broker/oidc/endpoint

2. Configure claim mapper

Create a new role for the token roles claim (sometimes called a “dedicated client role”).

  • Include the role name (token value): {organisation}/{role}

You can find your organization name inside the URL of the findIQ app. For example, a valid token value for the organization at https://app.findiq.de/app/MyCompany/machines can be MyCompany/Operator.

Make sure the claim is included in the Access Token roles attribute.

Available roles

Operator: Can perform Troubleshooting and Routines

Editor: Can additionally edit content, such as the heatmap, Routines, and Templates

Administrator: Full access including user management and Settings
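Added example, not taken from the findIQ documentation or code base: a small Python helper that shows how a relying party would read the roles claim produced by the claim mapper in step 2, splitting each {organisation}/{role} value and ignoring entries that are malformed or name a role outside the three listed above. The sample token payload, the function names and the role precedence used by effective_role are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Roles findIQ recognises, as listed in this article.
VALID_ROLES = {"Operator", "Editor", "Administrator"}

# Assumed precedence (lowest to highest), derived from the role descriptions.
ROLE_PRECEDENCE = ["Operator", "Editor", "Administrator"]

# Constructed sample of a decoded access-token payload; not a real token.
# It mixes valid entries with a built-in IdP role and an unknown role name.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "roles": [
        "MyCompany/Operator",
        "MyCompany/Editor",
        "Partner/Administrator",
        "offline_access",      # no organisation prefix: ignored
        "Acme/Superuser",      # role not known to findIQ: ignored
    ],
}


def parse_role_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Split one '{organisation}/{role}' value; None if it is malformed."""
    if entry.count("/") != 1:
        return None
    org, role = entry.split("/")
    if not org or not role:
        return None
    return org, role


def map_roles(claims: dict) -> Dict[str, List[str]]:
    """Return {organisation: [roles]} from the access token roles claim.

    Entries that do not fit the expected format, or that name a role not in
    VALID_ROLES, are dropped rather than raising, so a stray IdP role can
    never be turned into access.
    """
    roles_claim = claims.get("roles", [])
    if isinstance(roles_claim, str):   # some IdPs emit a single string
        roles_claim = [roles_claim]
    mapping: Dict[str, List[str]] = {}
    for entry in roles_claim:
        parsed = parse_role_entry(entry)
        if parsed is None or parsed[1] not in VALID_ROLES:
            continue
        org, role = parsed
        mapping.setdefault(org, []).append(role)
    return mapping


def effective_role(claims: dict, org: str) -> Optional[str]:
    """Highest-precedence role the token grants for one organisation."""
    roles = map_roles(claims).get(org, [])
    return max(roles, key=ROLE_PRECEDENCE.index) if roles else None
```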

3. Send information to findIQ

Send the following information to the findIQ team:

  • The discovery endpoint of your Identity Provider (ends with /.well-known/openid-configuration)

  • The generated Client ID

  • The generated Client Secret

  • The type of client authentication used (default: "Client Secret sent as POST")

4. Set IdP hint in the URL

To redirect users directly to your Identity Provider (bypassing the findIQ login page), append the kc_idp_hint query parameter to the URL:

https://app.findiq.de/standalone/{organisation}/{machine_uid}/diagnose/?kc_idp_hint={idp_alias}

You will receive the {idp_alias} value from the findIQ team after the configuration is complete.


Important Notes

  • The entire setup requires coordination with the findIQ team. Plan sufficient time for this.

  • Test the SSO login with a test user before enabling access for all users.

  • Make sure the roles claim is included in the Access Token.


FAQ