Identity Provider

Connect an external OIDC-compliant identity provider (Auth0, Okta, Azure AD, or any custom provider) to automatically sync users to your platform. Users from your IdP are mapped 1:1 — no manual user management needed.

How It Works

When a user authenticates through your external IdP, Vidori automatically:

Creates a corresponding platform user (if new)
Maps the IdP identity 1:1 to the platform user
Keeps entitlements in sync on every login (when Auto Sync is enabled)

This replaces manual user creation and entitlement management via the Entitlements page.

Supported Providers

Any OIDC-compliant provider works with Vidori. Common examples:

Provider	Issuer URL format
Auth0	`https://YOUR_DOMAIN.auth0.com`
Okta	`https://YOUR_DOMAIN.okta.com`
Azure AD	`https://login.microsoftonline.com/TENANT_ID/v2.0`
Custom OIDC	Your provider’s issuer URL

Setup

Gather your OIDC credentials

From your identity provider’s admin console, collect:
- Issuer URL — the base URL of your OIDC provider
- Client ID — the OAuth2 client identifier
- Client Secret — the confidential client secret
Register the redirect URI

In your IdP’s application settings, add the following as an allowed callback/redirect URL:
```
https://YOUR_VIDORI_DOMAIN/auth/callback
```
The exact redirect URI is shown in the admin panel when configuring the provider.
Configure in Vidori

In the admin panel, go to Memberships → IdP:
- Enter a Provider Name (e.g., “Okta Production”)
- Enter the Issuer URL, Client ID, and Client Secret
- Adjust Scopes if needed (default: openid profile email)
- Click Save Configuration
Test the connection

Click Test Connection to verify your credentials and endpoint are valid.
Enable Auto Sync

Toggle Auto Sync on to enable automatic user syncing on every login.

Configuration Reference

Field	Description
Provider Name	A display name for this provider (e.g., “Okta Production”)
Issuer URL	The base URL of your OIDC provider
Client ID	The OAuth2 client identifier from your provider
Client Secret	The confidential client secret
Discovery URL	Auto-derived: `{Issuer URL}/.well-known/openid-configuration`
Redirect URI	Auto-derived: `{Your domain}/auth/callback` — add this to your provider’s allowed callbacks
Scopes	Space-separated OIDC scopes (default: `openid profile email`)
Auto Sync	When enabled, user entitlements are synced automatically on each login

Auto Sync

When Auto Sync is enabled:

Users who log in via the IdP are automatically created on the platform if they don’t exist
Existing users have their profile and entitlements updated on each login
No manual management is needed via the Entitlements page

When Auto Sync is disabled:

The provider configuration is preserved but no automatic syncing occurs
Users can still authenticate, but entitlements are not updated
Useful for temporarily pausing syncing without removing the configuration

Disconnecting a Provider

To remove the IdP integration, click Disconnect on the Identity Provider page. This:

Removes the provider configuration
Does not delete users that were already synced
Does not revoke existing entitlements

Users who were synced will remain on the platform and can be managed manually via the Entitlements page.

Troubleshooting

Issue	Solution
Connection test fails	Verify the Issuer URL is correct and the discovery endpoint is accessible. Check Client ID and Secret.
Users not syncing	Ensure Auto Sync is enabled and the provider shows “Connected” status.
Redirect errors	Confirm the Redirect URI shown in the admin panel is added to your provider’s allowed callback URLs.
Scope errors	Some providers require specific scopes. Check your provider’s documentation for required scopes.