Skip to main content

Configure SSO with OIDC

OpenID Connect (OIDC) is a simple identity layer built on top of the OAuth 2.0 protocol. It allows your application to verify user identities based on the authentication performed by an authorization server. This guide will walk you through setting up SSO with OIDC in the Basis Theory Customer Portal.

If you encounter any issues during the SSO configuration process, contact support@basistheory.com.

Configuring the OIDC Application

When configuring SSO with Basis Theory, you can choose between two main OAuth 2.0 flows depending on your application's requirements and security considerations: Implicit Authorization and Authorization Code.

Using Authorization Code (Back Channel)

The Authorization Code flow is more secure and involves an additional step of exchanging an authorization code for an access token.

The steps to configure your application for the authorization code flow vary by provider. Refer to your provider's documentation for specific instructions.

When prompted, set the following values in your application:

  • Callback/Login URL: https://auth.basistheory.com/login/callback

After creating your application, ensure it can provide the following:

  • Discovery URL: The OIDC discovery URL for your provider.
  • Client ID: The client ID of the OIDC application.
  • Client Secret: The client secret of the OIDC application.
The Client Secret is sensitive information and should be kept secure.

Using Implicit Authorization (Front Channel)

The Implicit flow is typically used by client-side applications where the access token is returned immediately without an authorization code exchange step. This method is less secure than the Authorization Code flow and is generally recommended for applications that cannot securely store the client secret, which is not the case for Basis Theory.

The steps to configure your application for implicit authorization vary by provider. Refer to your provider's documentation for specific instructions.

When prompted, set the following values in your application:

  • Callback/Login URL: https://auth.basistheory.com/login/callback

After creating your application, ensure it can provide the following:

  • Discovery URL: The OIDC discovery URL for your provider.
  • Client ID: The client ID of the OIDC application.

Configuring SSO in the Basis Theory Customer Portal

After configuring your identity provider, you will need to configure the SSO settings in the Basis Theory Customer Portal. Follow these steps:

  1. Log in to the Basis Theory Customer Portal.
  2. Navigate to the Settings section.
  3. Click on the Identity tab.
  4. Click the Create Connection button.
  5. Select OpenID Connect (OIDC).
  6. Complete the required fields:
    • Discovery URL: The OIDC discovery URL for your provider.
    • Connection Type: Choose Back Channel for Authorization Code or Front Channel for Implicit.
    • Client ID: The client ID of the OIDC application.
    • Client Secret: The client secret of the OIDC application. (Required only for Back Channel)
  7. Click the Create Connection button.

That's it! You have successfully configured SSO with your OIDC application.

Using the SSO Connection

To use the SSO connection, follow these steps:

  1. Go to the Basis Theory Customer Portal.
  2. On the login page, click the SSO button.
  3. Enter your company email and click Continue.
  4. You will be redirected to your provider's login page, where you will need to enter your credentials.

Afterward, you will be redirected back to the Basis Theory Customer Portal, where you will be logged in.

On your first SSO login, a new account will be created. Any accounts previously created with other authentication methods will not be linked to your SSO account. If you wish to add the SSO account as a tenant member instead of a previously created account, you will need to re-invite the SSO account and use the SSO login method when accepting the invite.