Use JumpCloud OpenID Connect (OIDC) Single Sign On (SSO) to give your users secure and convenient access to their OIDC-capable web applications with a single set of credentials. You can use the Custom OIDC App connector with any application that supports OIDC-based SSO. 

Preconfigured OIDC applications are not currently available in the JumpCloud catalog. For now, you must use the Custom OIDC App to configure OIDC applications. You need in-depth knowledge of the Relying Party’s (RP) OIDC capabilities and requirements to use the OIDC connector. 


  • The RP application must support a grant type of authorization code.
  • You must know the Redirect URI for the application you want to configure with OIDC.
  • You must know the Login URL that the RP uses to start the login flow.
  • Determine if the app you are configuring can protect a client secret or if it uses a public client.
  • Determine any needed claims/attributes that the relying parting wants.

Configure the OIDC Connector for SSO

To find and configure the connector in JumpCloud

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Click + Add New Application. There are two options:
    • Type OIDC in the Search field and select it from the dropdown.
      • Click Next.
    • Select Custom Application.
      • Click Next.
      • Select Manage Single Sign-On and then Configure SSO with OIDC
      • Click Next.
  1. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

  • If using the Custom Application workflow, the default color indicator will be displayed in the Admin Portal.
    • This can be changed by selecting Logo under Display Option in the General Info tab of the application configuration.
  • If using the OIDC template from the dropdown, the default Custom OIDC App logo will be displayed in the Admin Portal.
  1. Click Next and then Configure Application.
  2. In the SSO tab, the following window will appear.
  1. In Endpoint Configuration:
    1. Grant Types:
      • Authorization Code is checked by default and cannot be deselected.
      • Refresh Token can be checked at a later time if you wish to refresh your connector’s token.
    2. Enter one or multiple Redirect URIs with the value(s) supplied by the RP.
    3. Select the appropriate Client Authentication Type:
      • Client Secret POST
      • Client Secret Basic
      • Public (None PKCE)


The client authentication type will depend on what is supported by the RP.

  1. Enter the Login URL with the value supplied by the RP.
  2. In Attribute Mapping (optional):
    • Add a Standard Scope by selecting Email or Profile.
    • Add User and Constant attributes by clicking Add Attribute.
    • Select include group attribute for claims/attributes that are required for your individual OIDC SSO needs. For more information about claims, see OIDC Attributes (Claims).


If the RP supports it, you can add more than what is required. 

  1. Under User ConsentAutomatically consent is selected by default and cannot be deselected.
  2. Click activate.
  3. If the client is not a public client, then a window will display the client secret.


The client secret will only be displayed once. Copy and store the Client ID and Client Secret in a safe location, like a password manager.

  1. Click Got It.


You can regenerate your client secret at any time.

To configure the RP

  1. Enter the following information to the RP:
    • The application’s OIDC client ID.
    • If the client is not public, the application’s OIDC client secret.
    • JumpCloud’s OIDC well-known config:

JumpCloud Well-Known OpenID Configuration


JumpCloud OpenID Auth Endpoint


JumpCloud OpenID Issuer Endpoint


JumpCloud OpenID Token Endpoint


JumpCloud OpenID User Info Endpoint

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case