OIDC SSO

OIDC SSO lets your users sign in to a RUN application through any OpenID Connect-compatible identity provider. You can configure it in RUN Settings > Integrations > SSO OIDC.

Supported providers

You can use any OpenID Connect-compatible provider, including Auth0, Okta, AWS Cognito, Microsoft Azure AD, and Google Workspace.

Setup process

The configuration steps vary depending on your identity provider, but the overall process is similar. For a step-by-step walkthrough using Auth0, see the Auth0 OIDC SSO setup guide on the TagoIO Community. If you are using a different provider, the Auth0 guide is still a useful reference since the steps are often comparable.

Setting up OIDC SSO involves four steps:

  1. Configure an OIDC application on your Identity Provider. Create an OAuth 2.0 / OpenID Connect application in your IdP and obtain the Issuer URL, Client ID, and Client Secret.
  2. Manage users and permissions on the IdP side. Set up which users and groups have access to your RUN application.
  3. Import the IdP configuration into RUN. Fill in the Provider Settings form and configure the Claim Mappings (see sections below).
  4. Register the Callback and Logout Redirect URLs. Copy the auto-generated URLs from RUN and add them to your IdP's allowed callback and redirect settings.

Configuration fields

When you open the SSO OIDC settings in RUN, you will see the following fields:

  • Issuer URL: The issuer URL of your IdP, from which RUN discovers the OpenID Connect configuration (e.g., https://dev-xxx.us.auth0.com). Where you find this varies by provider: in Auth0 it is under Application Settings; in Okta it is in the Authorization Server metadata.
  • Client ID: The application identifier from your IdP.
  • Client Secret: The secret key from your IdP. RUN stores this value encrypted.
  • Scopes: The OpenID Connect scopes to request. Default: openid profile email.
  • Callback URLs: Auto-generated by RUN. Copy these and register them in your IdP as allowed callback URLs.
  • Logout Redirect URLs: Auto-generated by RUN. Copy these and register them in your IdP as allowed logout redirect URLs.

Claim mappings

RUN maps attributes from your identity provider to RUN user fields. Three fields can be mapped; E-mail and First Name are required:

  • E-mail (required)
  • First Name (required)
  • Last Name

Most providers send these by default with the openid profile email scopes. If your IdP uses non-standard claim names, you can adjust the mapping for each field.

To map additional IdP claims, click Edit other claim mappings. Custom claim values are stored as tags on the RUN user, which you can then use for access management and other features within your application.
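As an added example (not TagoIO code), the following Python mirrors the Configuration fields and Claim mappings sections above: it checks an IdP's discovery document against the Issuer URL and Scopes you intend to enter, and applies a claim mapping to an ID-token payload, failing when a required field is absent. The issuer https://idp.example.com, the discovery document and the token claims are constructed placeholders, not values from any real tenant.

```python
"""Pre-flight checks mirroring the RUN OIDC SSO form (Issuer URL, Scopes, Claim Mappings).
Added example, not TagoIO code. SAMPLE_DOC / SAMPLE_CLAIMS are constructed placeholders."""

REQUIRED_FIELDS = ("email", "first_name")  # RUN requires E-mail and First Name
DEFAULT_MAPPING = {"email": "email", "first_name": "given_name", "last_name": "family_name"}


def discovery_url(issuer_url: str) -> str:
    """OIDC Discovery publishes metadata at <issuer>/.well-known/openid-configuration."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer_url: str, doc: dict, scopes: str = "openid profile email") -> list:
    """Return a list of problems; an empty list means the metadata matches the form values."""
    problems = []
    # 'issuer' in the document must equal the Issuer URL you enter (trailing slash tolerated).
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_url!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    missing = set(scopes.split()) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems


def map_claims(claims: dict, mapping: dict, extra: dict = None) -> dict:
    """Apply Claim Mappings: mapping is {run_field: idp_claim}; extra claims become tags."""
    user = {}
    for run_field, idp_claim in mapping.items():
        value = claims.get(idp_claim)
        if value is None and run_field in REQUIRED_FIELDS:
            raise ValueError(f"required field {run_field!r} missing (claim {idp_claim!r})")
        if value is not None:
            user[run_field] = value
    user["tags"] = {tag: claims[c] for tag, c in (extra or {}).items() if c in claims}
    return user


SAMPLE_DOC = {  # constructed discovery document for a hypothetical IdP
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"], "scopes_supported": ["openid", "profile", "email"],
}
SAMPLE_CLAIMS = {  # constructed ID-token payload with one namespaced custom claim
    "sub": "user-1", "email": "ada@example.com", "given_name": "Ada",
    "https://example.com/department": "engineering",
}
```

Pass the custom claim name as the `extra` mapping (for example `{"department": "https://example.com/department"}`) to see it land in the user's tags, the same place RUN stores values mapped via Edit other claim mappings.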

Passing query parameters to your IdP

Some identity providers support additional features through query parameters, such as invite links or custom login hints. RUN forwards any query parameters from your application URL to the IdP during the authentication flow.

For example, if your provider supports invite codes, you can share a link like:

https://myapp.tago.run/login?invite=INVITECODE

RUN will pass the invite parameter along to the IdP. Check your provider's documentation for the specific query parameters it supports.

Enable or disable OIDC SSO

Use the Enabled toggle at the top of the SSO OIDC settings page to activate or deactivate OIDC SSO. Click Save to apply your changes.