--- title: "Setting Up OpenID Connect (NavVis IVION Professional and Enterprise)" slug: "setting-up-openid-connect" description: "Seamlessly configure Single Sign-On (SSO) with OpenID Connect in NavVis IVION for enhanced security, simplified user management, and improved access." updated: 2025-11-17T10:35:39Z published: 2025-11-17T10:35:39Z canonical: "knowledge.navvis.com/setting-up-openid-connect" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.navvis.com/llms.txt > Use this file to discover all available pages before exploring further. # Setting Up OpenID Connect (NavVis IVION Professional and Enterprise) ## Introduction to SSO and OIDC With **NavVis IVION**, you can seamlessly configure **Single Sign-On (SSO)** using **OpenID Connect (OIDC)**, a widely adopted authentication protocol. **OIDC** enables users to sign in through their organization's **Identity Provider (IdP)**, ensuring secure and centralized authentication. Once authenticated by the **IdP**, users are automatically granted access to **NavVis IVION** with their assigned **roles and permissions**, eliminating the need for separate login credentials. This enhances security, simplifies user management, and improves the overall login experience. ### **Key benefits of SSO with OIDC in NavVis IVION:** - **Seamless access**: Users log in once and gain instant access without additional authentication. - **Enhanced security**: Authentication is managed by your **IdP**, reducing password-related risks. - **Simplified user management**: Admins can control access centrally via **user roles and group mappings**. - **Improved user experience**: No need to remember multiple credentials—just sign in through your existing **SSO provider**. ### **What is Single Sign-On (SSO)?** **Single Sign-On (SSO)** is an authentication mechanism that allows users to log in once and access multiple applications without re-entering credentials. It works by having a central **Identity Provider (IdP)** verify the user's credentials and issue a secure token, granting seamless access to connected services. SSO improves **security, efficiency, and user experience** by reducing password fatigue and enabling centralized access control. It is commonly implemented using protocols like **OpenID Connect (OIDC)** or **SAML** and is widely used in applications for streamlined authentication across services. ### **What is OpenID Connect (OIDC)?** **OpenID Connect (OIDC)** is a modern authentication protocol built on top of **OAuth 2.0** that enables secure, reliable, and seamless user authentication. It allows applications to verify user identities through a **Single Sign-On (SSO) provider**, such as **Okta, Microsoft Entra ID (formerly Azure AD), or Google Identity Platform**. In **NavVis IVION**, OpenID Connect simplifies **federated authentication**, allowing organizations to integrate their existing identity management systems. By delegating authentication to an **OIDC-compliant Identity Provider (IdP)** and leveraging **OAuth 2.0** for authorization, NavVis IVION supports **role-based access management** and ensures a **secure, scalable, and industry-standard approach** to user authentication while improving **user experience and administrative control**. ### **Setup Single Sign On using OpenID Connect** > **Note:**With a NavVis IVION Professional license, you are entitled to one SSO connection. Multiple SSO connections are available for NavVis IVION Enterprise licenses. Before getting started, you need to set up an identity provider of your choice. For guidance on configuring your chosen identity solution, refer to its official documentation. Once your identity provider is set up, follow these steps to integrate OpenID Connect with your preferred authorization provider. 1. Configure to use this client. - Go to your instance. - On your instance dashboard, go to **Instance Settings** > **OpenID Connect**. - Click **Add new connection**. - In the dialog that opens, enter the required information. - The **Issuer URL**is the URL for your realm in your IDP. - You can get the **Client Secret** from the **Credentials** tab from your IDP client page. - The **Redirect URIs** is usually your **NavVis IVION URL**. > **Note:**Some authorization providers require a complete redirect URI, e.g.[instanceURL]/oauth2/callback/[registrationId] - NavVis IVION always requests three scopes from the authorization provider: openid, profile, and email. Additional scopes can be configured under **Additional authorization scopes**. - If you want users to be deleted from when they are deleted from the identity provider, enable the toggle button. - If you want to map external user groups to NavVis IVION, enable the toggle button. > **Note:** If you want to use Open ID Connect with NavVis IVION Go refer [here](https://knowledge.navvis.com/docs/how-to-login-using-oidc). ![OpenID](https://cdn.document360.io/bf174766-fa1a-4fe1-a4d7-b1db1e7cb996/Images/Documentation/OpenID.png) 2. Click **Add connection.** 3. Use the toggle button to enable the connection. Your organization is now set up to authenticate users through Single Sign-On via OpenID Connect. When users log into NavVis IVION using the "Continue sign in with …" option, they will be automatically added to User Management. In order to setup automatic User Group Mapping [follow the instructions below](https://knowledge.navvis.com/docs/setting-up-openid-connect#mapping-external-user-groups-to-navvis-ivion-enterprise-only-%E2%80%8B). ## Mapping External User Groups ​ If user groups have been created in NavVis IVION, the administrator can map these groups from an external IDP. Once mapped, users that are part of a mapped group will be automatically added to this group when they log in. 1. Go to **Instance Settings** > **OpenID Connect**. 2. Set up a [new OpenID connection](/v1/docs/setting-up-openid-connect) or open an existing connection by clicking the pencil icon. 3. Use the **Map user groups from access token** toggle button to enable the mapping of external user groups. 4. Enter the required information under **Group array JWT claim**. ![](https://cdn.document360.io/bf174766-fa1a-4fe1-a4d7-b1db1e7cb996/Images/Documentation/OpenID2.png) 5. If you want all users to be automatically added to the Everyone group, enable the toggle button. 6. Click **Save**. Changes made to group memberships in an external authorization system will now be automatically updated in NavVis IVION. > [!NOTE] > **Note**: When dot notation is not sufficient to express the custom group claim, use [JSON path bracket notation](https://support.smartbear.com/alertsite/docs/monitors/api/endpoint/jsonpath.html) instead. --- ### FAQ #### What is Single Sign-On (SSO)? Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and access multiple applications without re-entering credentials. #### How does OpenID Connect (OIDC) work? OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that enables secure user authentication through a Single Sign-On provider. #### What are the benefits of using SSO with OIDC in NavVis IVION? The benefits include seamless access, enhanced security, simplified user management, and improved user experience. #### Can I set up multiple SSO connections with a NavVis IVION Professional license? No, a NavVis IVION Professional license allows for only one SSO connection. #### Is it possible to map external user groups to NavVis IVION? Yes, if you have a NavVis IVION Enterprise license, you can map external user groups to NavVis IVION. #### What is required to set up SSO for NavVis IVION? You need to set up an identity provider of your choice and follow the integration steps for OpenID Connect. #### Do users need to remember multiple credentials when using SSO? No, users only need to sign in through their existing SSO provider, eliminating the need for multiple credentials. #### What happens when a user is deleted from the identity provider? If enabled, users will also be deleted from NavVis IVION when they are deleted from the identity provider.