Enterprise SSO (OIDC)
Connect PixoMonitor to your organization's identity provider using OpenID Connect (OIDC) for seamless single sign-on.
What is OIDC SSO?
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows PixoMonitor to authenticate users through your organization's existing identity provider (IdP). This means your team can sign in to PixoMonitor using the same credentials they use for other enterprise applications.
Benefits
- Single sign-on — One set of credentials for all your applications
- Centralized user management — Manage access from your identity provider
- Enhanced security — Leverage your organization's security policies
- Automatic provisioning — New users can be created automatically on first sign-in
- Domain restrictions — Limit access to specific email domains
Supported Identity Providers
PixoMonitor supports any OIDC-compliant identity provider, including:
- Okta
- Azure Active Directory (Entra ID)
- Google Workspace
- Auth0
- OneLogin
- Keycloak
- PingIdentity
- JumpCloud
If your identity provider supports OIDC, it will work with PixoMonitor. Contact your IT administrator if you're unsure about compatibility.
For Administrators: Configuring SSO
Prerequisites
Before configuring SSO, you'll need:
- Administrator access to PixoMonitor
- Administrator access to your identity provider
- The following information from your IdP:
  - Issuer URL (discovery endpoint)
  - Client ID
  - Client Secret
Create an OIDC Application in Your IdP
In your identity provider's admin console, create a new OIDC/OAuth application:
- Application type: Web application
- Sign-in redirect URI: https://pixomonitor.com/api/auth/sso/{sso-id}/callback
- Sign-out redirect URI: https://pixomonitor.com/login
- Scopes required: openid, profile, email
Note the Client ID and Client Secret provided by your IdP.
Find Your Issuer URL
Locate your IdP's OIDC issuer URL. Common formats:
- Okta: https://your-domain.okta.com
- Azure AD: https://login.microsoftonline.com/{tenant-id}/v2.0
- Google: https://accounts.google.com
- Auth0: https://your-domain.auth0.com
- Keycloak: https://your-server/realms/{realm-name}
Configure SSO in PixoMonitor
Navigate to Admin Panel → SSO Configurations and click Add SSO Provider:
- Name: A friendly name (e.g., "Company Okta")
- Provider Type: OIDC
- Issuer URL: Your IdP's issuer URL
- Client ID: From your IdP application
- Client Secret: From your IdP application
- Scopes: openid profile email (default)
Configure Optional Settings
Customize the SSO behavior:
- Auto Provision: Automatically create accounts for new users (recommended)
- Enforce SSO: Require users to sign in via SSO only (disable password login)
- Allowed Domains: Restrict to specific email domains (e.g., company.com)
- Active: Enable or disable this SSO configuration
Test the Configuration
Click Test Configuration to verify OIDC discovery works. PixoMonitor will attempt to fetch your IdP's configuration and display the detected endpoints.
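The checks a relying party typically runs on a fetched discovery document, as an added example (not PixoMonitor's code). The function names, the exact-match issuer rule taken from OpenID Connect Discovery, and the constructed `SAMPLE_DOC` for `idp.example.com` are assumptions of this example.

```python
from urllib.parse import urlsplit

# Metadata fields OpenID Connect Discovery marks as required (token_endpoint is
# included because the authorization code flow needs it).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(issuer):
    """Build the discovery URL: drop a trailing slash, append the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(configured_issuer, doc, scopes=("openid", "profile", "email")):
    """Return a list of problems found in a parsed discovery document."""
    problems = [f"missing {field}" for field in REQUIRED if field not in doc]
    # The advertised issuer must be identical to the configured one, character for
    # character; a trailing-slash difference later fails the ID token "iss" check.
    if "issuer" in doc and doc["issuer"] != configured_issuer:
        problems.append("issuer mismatch")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field in doc and urlsplit(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    offered = doc.get("scopes_supported")  # optional field: only check if present
    if offered is not None:
        problems += [f"scope {s} not offered" for s in scopes if s not in offered]
    return problems

# Constructed sample document for a hypothetical IdP.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
}

if __name__ == "__main__":
    print(discovery_url("https://idp.example.com/"))
    print(check_discovery("https://idp.example.com", SAMPLE_DOC) or "no problems")
```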
Configuration Options Explained
| Option | Description | Default |
|---|---|---|
| Name | Display name shown on the login page | Required |
| Issuer URL | Your IdP's OIDC discovery URL | Required |
| Client ID | OAuth client identifier | Required |
| Client Secret | OAuth client secret | Required |
| Redirect URI | Custom callback URL (optional) | Auto-generated |
| Scopes | OIDC scopes to request | openid profile email |
| Auto Provision | Create new user accounts automatically | true |
| Enforce SSO | Disable password login for SSO users | false |
| Allowed Domains | Email domains permitted to sign in | All domains |
| Active | Whether this SSO provider is enabled | true |
When Enforce SSO is enabled, users linked to this SSO provider will not be able to sign in with their email and password—they must use SSO. Use this for enhanced security control.
For Users: Signing In with SSO
Go to the Login Page
Navigate to the PixoMonitor login page.
Select Your SSO Provider
Look for the SSO sign-in options below the standard login form. Click the button for your organization's identity provider.
Authenticate with Your IdP
You'll be redirected to your organization's login page. Enter your corporate credentials as you would for any other work application.
Return to PixoMonitor
After successful authentication, you'll be redirected back to PixoMonitor and automatically signed in.
First-Time SSO Users
When you sign in with SSO for the first time:
- If auto-provisioning is enabled, a new account is created automatically
- Your name and email are imported from your identity provider
- Your email is pre-verified (no verification email required)
- You're immediately granted access to PixoMonitor
If auto-provisioning is disabled and you don't have an existing account, you'll see an error message. Contact your administrator to have an account created.
Existing Account Linking
If you already have a PixoMonitor account with the same email address:
- Your account will be automatically linked to the SSO provider
- You can continue to use either SSO or email/password to sign in (unless Enforce SSO is enabled)
- All your existing data remains intact
Security Features
State and Nonce Verification
PixoMonitor uses cryptographically signed state and nonce parameters to prevent:
- Cross-site request forgery (CSRF) attacks
- Replay attacks
- Authorization code injection
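One way a signed state and nonce can be issued and then checked at the callback, as an added example (not PixoMonitor's code). The HMAC-SHA256 token layout, the session binding, the 10-minute lifetime and all function names are assumptions; the `sso_id` stands for the `{sso-id}` in the redirect URI.

```python
import base64, hashlib, hmac, json, secrets, time

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(key, sso_id, session_id, now=None):
    """Return (state, nonce) to send on one authorization request."""
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({
        "sso": sso_id,  # only this provider's callback may accept the state
        "sid": hashlib.sha256(session_id.encode()).hexdigest(),  # browser binding
        "nonce": nonce,  # the IdP must echo this inside the ID token
        "iat": int(time.time() if now is None else now),
    }).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig), nonce

def check_callback(key, state, sso_id, session_id, id_token_claims,
                   now=None, max_age=600):
    """Return 'ok' or the reason the callback is refused."""
    try:
        body, sig = state.split(".")
        payload, given = b64d(body), b64d(sig)
    except ValueError:  # wrong number of parts or invalid base64
        return "malformed state"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        return "bad signature"
    data = json.loads(payload)  # parsed only after the signature verified
    now = time.time() if now is None else now
    if data["sso"] != sso_id:
        return "state issued for another provider"
    if data["sid"] != hashlib.sha256(session_id.encode()).hexdigest():
        return "state issued to another browser session"  # login CSRF
    if not 0 <= now - data["iat"] <= max_age:
        return "state expired"  # bounds the replay window
    if id_token_claims.get("nonce") != data["nonce"]:
        return "nonce mismatch"  # ID token was not minted for this request
    return "ok"
```

Strict single use of a state value additionally needs server-side tracking of consumed values, which this stateless sketch does not do.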
Domain Restrictions
Administrators can limit SSO access to specific email domains. For example, setting allowed domains to company.com means only users with @company.com email addresses can sign in.
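The domain check combined with the auto-provisioning and account-linking rules described earlier, as an added example (not PixoMonitor's code). Exact domain matching, the function names and the handling of the standard `email_verified` claim are assumptions; the two quoted error strings are the ones listed under Troubleshooting.

```python
def email_domain(email):
    """Return the lower-cased domain of an address with exactly one '@', else None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.rstrip(".").lower()

def domain_allowed(email, allowed_domains):
    """Exact, case-insensitive match; an empty list means all domains (the default)."""
    domain = email_domain(email)
    if domain is None:
        return False
    if not allowed_domains:
        return True
    # Compare whole domains: a suffix or substring test would also accept
    # look-alikes such as evilcompany.com or company.com.evil.example.
    return domain in {d.strip().lstrip("@").lower() for d in allowed_domains}

def decide_sso_login(claims, allowed_domains, auto_provision, existing_emails):
    """Return 'link', 'provision', or the reason sign-in is refused."""
    email = claims.get("email", "")
    if not domain_allowed(email, allowed_domains):
        return "Email domain not allowed"
    # Assumption of this example: an IdP that reports the address as unverified
    # is refused, since linking and pre-verification both rely on the address.
    # The page does not say how PixoMonitor treats this claim.
    if claims.get("email_verified") is False:
        return "email not verified by IdP (hypothetical result)"
    if email.strip().lower() in existing_emails:
        return "link"  # existing account with the same email address
    if auto_provision:
        return "provision"  # first-time user, account created automatically
    return "User not found and auto-provisioning is disabled"

if __name__ == "__main__":
    users = {"bob@company.com"}  # constructed sample data
    for addr in ("bob@company.com", "carol@COMPANY.com", "eve@company.com.evil.example"):
        print(addr, "->", decide_sso_login({"email": addr}, ["company.com"], True, users))
```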
Automatic Session Management
- Sessions use secure JWT tokens
- Access tokens expire after 15 minutes
- Refresh tokens are valid for 7 days
- Signing out invalidates all active sessions
For maximum security, combine SSO with Enforce SSO enabled and Allowed Domains configured. This ensures only your organization's members can access PixoMonitor through your controlled identity provider.
Troubleshooting
"OIDC discovery failed"
- Verify the issuer URL is correct and accessible
- Ensure your IdP's .well-known/openid-configuration endpoint is reachable
- Check if your IdP requires specific network access
"Email domain not allowed"
Your email domain isn't in the allowed domains list. Contact your PixoMonitor administrator to add your domain.
"User not found and auto-provisioning is disabled"
Your administrator has disabled automatic account creation. Ask them to either:
- Create an account for you manually
- Enable auto-provisioning for the SSO configuration
"Please use SSO to sign in"
Your account is linked to an SSO provider with Enforce SSO enabled. You must sign in through your organization's identity provider—password login is disabled.
Multiple SSO Providers
PixoMonitor supports multiple SSO configurations simultaneously. This is useful for:
- Organizations with multiple identity providers
- Supporting different departments or subsidiaries
- Gradual migration between identity providers
Each SSO provider appears as a separate option on the login page.
