Skip to content

OpenID Connect integration🔗

AQtive Guard can use an SSO service by interacting with an identity provider using the OpenID Connect protocol.



  • A running identity provider.
  • Access to AQtive Guard server configuration.

Identity server setup🔗

You’ll need to confirm the following in your identity server configuration:

  • OpenID Connect Discovery is enabled.
  • Use of the Authorization Code Flow is allowed.
  • A client name and a client secret are created for AQtive Guard.

AQtive Guard setup🔗

The OpenID Connect integration for AQtive Guard is configured by setting specific environment variables. You can do this by editing the .env file located at the root of your on-premises AQtive Guard installation.

You need to set the following variables:

  • OIDC_DISCOVERY_URL: Discovery URL for automatic OpenID endpoint configuration. It typically looks like
  • OIDC_CLIENT_NAME: Name assigned to AQtive Guard (i.e. the client) during your identity server configuration.
  • OIDC_SECRET: Secret password linked to the mentioned client.
  • OIDC_DEFAULT_ORG_ID: ID of the default organization for a user identified by the SSO.

Below are optional variables you can also set:

  • OIDC_BUTTON_LABEL: Text displayed on the SSO login button.
  • OIDC_USE_PING_FEDERATE: Set to true if your identity provider is PingFederate.
  • OIDC_RESOURCE: Optional parameter indicating the role claim(s) to include in the Access Token upon successful user authentication. Set this if it’s required by your identity provider.
  • OIDC_EXTRA_SCOPES: List of additional scopes to request, space-separated, alongside openid.
  • OIDC_SERVER_CERT: Path to the SSL CA bundle (a file or directory) used to verify OpenID Servers (such as /etc/web/cert.pem). If unset or the path is invalid, it defaults to the SSL certificate the underlying OS uses.


After configuring AQtive Guard to use OpenID Connect, you’ll notice a new Log in with OpenID button on the login page.

Selecting this button redirects you to a login page that’s managed by your identity provider. Once your credentials are validated, you’ll be redirected back to AQtive Guard.