Authentication in Omnidocs Create

How authentication works in Omnidocs Create

Overview

Omnidocs Create uses OpenID Connect (OIDC) to authenticate users.
Authentication is configured per organization, and each organization can use its own identity provider, such as Microsoft Entra ID.

Main organization and user registration

The first organization a user accesses in Create becomes their main organization. This matters because the main organization determines how the user's identity is registered in the system.

When a user subsequently attempts to access a different organization, they have two options:

  • Log in to their main organization first, then switch to the target organization from there.
  • Add the main organization's subdomain as an authDomain query parameter to the other organization's URL before accessing it (e.g. secondOrg.omnidocs.cloud?authDomain=mainOrg).

This means that if a user first logs into a test environment, that test organization becomes their main organization. They will then encounter issues accessing the production organization unless one of the two approaches above is followed.

Recommendation: Test vs. Production Environments

When moving from a test environment to production, make sure users are registered against the production organization. The recommended approach is:

  1. Remove users from the test organization before go-live.
  2. Have users log in to the production organization first, so it is established as their main organization with the correct affiliation.

This avoids situations where users are anchored to a test organization and experience authentication issues when accessing production.

Configuring OIDC

When setting up authentication for an organization, operators must provide the following, depending on the client type:

Public client (no client secret required):

  • OIDC Metadata / Discovery Endpoint
  • Client ID
  • Redirect URI: https://[HOST]/auth/callback

Confidential client (client secret required):

  • OIDC Metadata / Discovery Endpoint
  • Client ID
  • Client Secret
  • Redirect URI: https://[HOST]/auth/callback-web

❗️ Incorrect OIDC configuration can block user access for the entire organization. Always validate the configuration with the customer before rollout.

For Microsoft Entra ID specifically, refer to the SSO setup guide for Entra ID.
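The following pre-rollout check is an added example and not part of Omnidocs Create; it shows how the client-type rules above can be validated before a configuration is applied, so that a mistake is caught while it affects nobody rather than after it locks out the whole organization. The config field names (client_type, client_id, client_secret, discovery_endpoint, host, redirect_uri) are assumptions, as is the shape of the discovery document, which follows the standard OpenID Connect Discovery fields; only the two redirect URI paths come from the setup instructions. The sample discovery document and organization host are constructed for the example.

```python
"""Pre-rollout sanity check for an Omnidocs Create OIDC organization configuration.

Added example, not Omnidocs Create's own code. The config keys and the shape of
the discovery document are assumptions modelled on standard OpenID Connect
Discovery; only the redirect URI paths come from the setup page.
"""
from urllib.parse import urlparse

# Redirect URI path each client type must use (from the setup page).
REDIRECT_PATH = {
    "public": "/auth/callback",
    "confidential": "/auth/callback-web",
}

# Discovery-document fields an authorization-code flow cannot work without.
REQUIRED_DISCOVERY_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def _is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_oidc_config(config, discovery):
    """Return a list of problems; an empty list means the configuration passes.

    config:    dict with client_type, client_id, client_secret (optional),
               discovery_endpoint, host, redirect_uri   (assumed field names)
    discovery: parsed JSON of the discovery endpoint, fetched by the caller
    """
    problems = []
    client_type = config.get("client_type")
    if client_type not in REDIRECT_PATH:
        return [f"unknown client_type {client_type!r}; expected 'public' or 'confidential'"]

    if not config.get("client_id"):
        problems.append("client_id is missing")

    # A confidential client needs a secret; a public client must not be given one,
    # because a browser-side client cannot keep it secret.
    secret = config.get("client_secret")
    if client_type == "confidential" and not secret:
        problems.append("confidential client requires a client_secret")
    if client_type == "public" and secret:
        problems.append("public client must not carry a client_secret")

    # Discovery endpoint must be HTTPS and the document must carry the endpoints we rely on.
    disc_url = config.get("discovery_endpoint", "")
    if not _is_https(disc_url):
        problems.append("discovery_endpoint must be an https URL")
    for field in REQUIRED_DISCOVERY_FIELDS:
        if not discovery.get(field):
            problems.append(f"discovery document lacks {field}")

    # Heuristic: the issuer should live on the same host the metadata was fetched from;
    # a mismatch usually means another tenant's metadata URL was pasted in.
    issuer = discovery.get("issuer", "")
    if issuer and urlparse(issuer).netloc != urlparse(disc_url).netloc:
        problems.append(f"issuer {issuer} does not match discovery_endpoint host")

    # The redirect URI must be exactly the callback for this client type on the org's host.
    expected = f"https://{config.get('host', '')}{REDIRECT_PATH[client_type]}"
    if config.get("redirect_uri") != expected:
        problems.append(f"redirect_uri must be exactly {expected}")

    return problems


# Constructed sample: a discovery document shaped like one an identity provider returns.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/tenant-1/v2.0",
    "authorization_endpoint": "https://idp.example.test/tenant-1/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example.test/tenant-1/oauth2/v2.0/token",
    "jwks_uri": "https://idp.example.test/tenant-1/discovery/v2.0/keys",
}

# Constructed sample configuration for a confidential client (placeholder values).
GOOD_CONFIDENTIAL = {
    "client_type": "confidential",
    "client_id": "00000000-0000-0000-0000-000000000001",
    "client_secret": "placeholder-secret",
    "discovery_endpoint": "https://idp.example.test/tenant-1/v2.0/.well-known/openid-configuration",
    "host": "prodorg.omnidocs.cloud",
    "redirect_uri": "https://prodorg.omnidocs.cloud/auth/callback-web",
}

# Same client registered with the public-client callback path: an easy copy-paste mistake.
BAD_REDIRECT = dict(GOOD_CONFIDENTIAL, redirect_uri="https://prodorg.omnidocs.cloud/auth/callback")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIDENTIAL), ("bad redirect", BAD_REDIRECT)):
        print(name, validate_oidc_config(cfg, SAMPLE_DISCOVERY) or "OK")
```

The check is deliberately strict about the redirect URI: the identity provider compares it byte for byte against what was registered, so a public-client path on a confidential client (or a trailing slash, or http) is exactly the kind of error that blocks every user in the organization at once.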