SSO / OIDC setup reference

Technical reference for configuring Microsoft Entra ID, Salesforce Marketing Cloud, and custom OIDC providers with OmniLab.

This guide is the technical companion to the SSO configuration admin article. Use it when your IT team or identity provider administrator is setting up the application registration and gathering the details needed by OmniLab.

SSO is enabled by your Customer Success Manager

Customers do not self-configure SSO. Your Customer Success Manager will provide the exact OmniLab callback URL to register in your provider and enable the provider for your environment once you share the details below.

How OmniLab authenticates users

OmniLab uses the OAuth 2.0 Authorization Code flow with OpenID Connect (OIDC) for sign-in. The standard scopes requested are openid, email, and profile. For Salesforce Marketing Cloud, which does not expose standard OIDC endpoints, OmniLab uses Marketing Cloud's own OAuth 2.0 authorization, token and user info endpoints instead (listed in the Marketing Cloud section below).

The high-level flow:

  1. User clicks the provider button on the OmniLab sign-in page.
  2. OmniLab redirects to the provider's authorization endpoint.
  3. The provider authenticates the user and redirects back to OmniLab's callback URL.
  4. OmniLab exchanges the authorization code for tokens at the token endpoint.
  5. OmniLab reads the user's identity, including the email address, from the user info endpoint.
  6. If a user with that email already exists in OmniLab and is assigned to an organisation, sign-in completes; otherwise it is rejected. SSO does not create OmniLab users.
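The exchange above, as an added example that is not OmniLab's code: a minimal relying-party walkthrough in Python with a simulated provider standing in for the real one. Every URL, client ID and code below is a constructed placeholder, and the callback path is an assumption; the real values come from your registration and your Customer Success Manager. It also includes a small diagnostic for the most common setup failure, a redirect URI that differs from the registered one by scheme, trailing slash or path case.

```python
"""Added example, not OmniLab code: the Authorization Code flow with simulated provider."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed, hypothetical values; the real ones come from your registration and your CSM.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CALLBACK_URL = "https://omnilab.example.invalid/auth/callback"   # assumed callback shape
AUTHORIZE_URL = "https://idp.example.invalid/oauth2/authorize"
TOKEN_URL = "https://idp.example.invalid/oauth2/token"
SCOPES = "openid email profile"


def new_session():
    """Per-login values the relying party stores server-side before redirecting (step 2)."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def build_authorization_url(session):
    """Step 2: the redirect to the provider's authorization endpoint."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",        # Authorization Code flow: no tokens in the front channel
        "redirect_uri": CALLBACK_URL,   # the provider compares this as an exact string
        "scope": SCOPES,
        "state": session["state"],      # ties the callback to this browser session (CSRF)
        "nonce": session["nonce"],      # echoed back in the ID token, defeats replay
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def simulate_provider(auth_url):
    """Stand-in for the provider (steps 2-3): the redirect it issues after the user logs in.
    The code value is constructed for this example."""
    query = parse_qs(urlparse(auth_url).query)
    return f"{query['redirect_uri'][0]}?code=constructed-code-123&state={query['state'][0]}"


def parse_callback(callback_url, session):
    """Step 3: validate the redirect back from the provider and extract the one-time code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error={query['error'][0]}")
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def token_request(code, client_secret):
    """Step 4: the back-channel POST to the token endpoint (URL plus form body)."""
    return {
        "url": TOKEN_URL,
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": CALLBACK_URL,   # must equal the value sent in step 2
            "client_id": CLIENT_ID,
            "client_secret": client_secret,
        },
    }


def diagnose_redirect_mismatch(sent, registered):
    """Why a redirect_uri was rejected. Providers match exact strings, so these near-misses
    are the usual cause of 'redirect URI mismatch' errors. Returns None when it matches."""
    if sent in registered:
        return None
    s = urlparse(sent)
    for reg in registered:
        r = urlparse(reg)
        if (s.netloc, s.path) == (r.netloc, r.path) and s.scheme != r.scheme:
            return f"scheme differs: registered {r.scheme}, sent {s.scheme}"
        if (s.scheme, s.netloc) == (r.scheme, r.netloc) and s.path.rstrip("/") == r.path.rstrip("/"):
            return "trailing slash differs"
        if (s.scheme, s.netloc) == (r.scheme, r.netloc) and s.path.lower() == r.path.lower():
            return "path case differs"
    return "no registered URI resembles the one sent"


if __name__ == "__main__":
    session = new_session()
    callback = simulate_provider(build_authorization_url(session))
    print(token_request(parse_callback(callback, session), "constructed-secret"))
    print(diagnose_redirect_mismatch(CALLBACK_URL + "/", [CALLBACK_URL]))
```

The state check in parse_callback is what prevents an attacker from completing a login in a victim's browser with a code of their own; the redirect_uri in the token request must repeat the value from the authorization request, so a mismatch there fails the exchange even if the first redirect succeeded.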

Microsoft Entra ID

Application registration steps

  1. In the Azure portal, register a new application under App registrations. Under Supported account types, choose the single-tenant option (accounts in this organisational directory only) unless users from other Microsoft tenants genuinely need to sign in.
  2. Under Authentication, add a Redirect URI (platform: Web) with the exact OmniLab callback URL provided by your Customer Success Manager. Entra compares this value as an exact string, so scheme, host, path and any trailing slash must match.
  3. Under Certificates & secrets, create a new Client secret and copy its Value immediately (it is shown only once; the Secret ID shown next to it is not what OmniLab needs). Record the expiry date as well: Entra client secrets always expire (the portal default is six months), and an expired secret stops SSO for every user until it is rotated.
  4. From the Overview tab, note the Application (client) ID and Directory (tenant) ID.

Details to share with OmniLab

Field                     Where to find it                                      Notes
Application (client) ID   Azure portal > App registrations > Overview           Identifies your Entra app
Directory (tenant) ID     Azure portal > App registrations > Overview           Scopes the sign-in to your Microsoft tenant
Client secret value       Azure portal > Certificates & secrets (shown once)    Lets OmniLab complete the code exchange
Button display name       Your choice                                           What users see on the OmniLab sign-in page
Callback URL registered   Confirm only                                          The OmniLab URL must appear in the Redirect URIs list

Scopes: openid, email, profile (standard OIDC; no additional Microsoft Graph API permissions or admin consent are needed for sign-in only). Because OmniLab matches users on the email address the provider returns, make sure each user's mail attribute is populated in Entra: the email claim is omitted for accounts that have no email address, and those users will not be able to sign in.


Salesforce Marketing Cloud

Installed package setup

  1. In Marketing Cloud Setup, go to Apps > Installed Packages and create a new package.
  2. Add an API Integration component with the Web App integration type (the OAuth 2.0 Authorization Code variant that uses a client secret) and add the exact OmniLab callback URL as a redirect URI.
  3. Note the Client ID and Client Secret after saving.
  4. Note the Authorization URL, Token URL, and User info URL for your Marketing Cloud instance. These hosts include your tenant's own subdomain (the documented form is https://<your-subdomain>.auth.marketingcloudapis.com/v2/authorize, /v2/token and /v2/userinfo), which is why they must be copied from your package details rather than assumed.

Details to share with OmniLab

Field                     Notes
Client ID                 Identifies your Marketing Cloud package
Client secret             Lets OmniLab complete the OAuth code exchange
Authorization URL         Starts the sign-in flow (tenant-specific host)
Token URL                 Used for the code-for-token exchange (tenant-specific host)
User info URL             Used to read the authenticated user's identity (tenant-specific host)
Callback URL registered   Confirm only: the OmniLab URL must be in the package's redirect URI list

Custom enterprise SSO provider (OIDC-compatible)

For any other OpenID Connect-compatible identity provider, gather the following:

Field                     Notes
Button display name       What users see on the OmniLab sign-in page
Client ID                 Identifies your provider application
Client secret             Lets OmniLab complete the code exchange
Authorization URL         Provider's authorization endpoint
Token URL                 Provider's token endpoint
User info URL             Provider's user info endpoint
Scope string              Usually openid email profile; include any provider-required extras
Callback URL registered   The OmniLab callback URL must be in the provider's allowed redirect list

If your provider publishes an OIDC discovery document (.well-known/openid-configuration), share that URL with your Customer Success Manager as well: it lists the issuer and the authorization, token, user info and signing-key endpoints in one place, which avoids transcription errors. Discovery covers endpoints only; you still need to share the client ID, client secret and scope string.
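Before sharing a discovery URL, it is worth checking that the document actually supports what this page needs: response_type=code, the openid/email/profile scopes, a client secret at the token endpoint, and https everywhere. The following is an added example (not OmniLab's code) that runs such a check offline against two constructed discovery documents. The first is modelled on the layout of Entra ID's v2.0 document with an all-zero placeholder tenant ID; the second is a deliberately deficient document for a hypothetical provider at idp.example.invalid.

```python
"""Added example, not OmniLab code: sanity-check an OIDC discovery document."""
import json
from urllib.parse import urlparse

# Constructed sample modelled on Entra ID v2.0; the tenant ID is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
DISCOVERY_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
})

# Constructed deficient sample for a hypothetical provider: http token endpoint,
# no user info endpoint, and only the implicit response type advertised.
BAD_DISCOVERY_URL = "https://idp.example.invalid/.well-known/openid-configuration"
BAD_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.invalid",
    "authorization_endpoint": "https://idp.example.invalid/authorize",
    "token_endpoint": "http://idp.example.invalid/token",
    "jwks_uri": "https://idp.example.invalid/jwks",
    "response_types_supported": ["id_token"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_discovery(discovery_url, document_text, required_scopes=("openid", "email", "profile")):
    """Return the three endpoints OmniLab needs plus a list of problems found.
    An empty problems list means the document supports the flow described on this page."""
    doc = json.loads(document_text)
    problems = []

    # OIDC Discovery requires the document to live at <issuer>/.well-known/openid-configuration;
    # a mismatch usually means the wrong tenant or a proxy in front of the real provider.
    issuer = doc.get("issuer", "")
    if not issuer:
        problems.append("issuer missing")
    elif discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"discovery URL does not sit under issuer {issuer}")

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")

    # scopes_supported is optional in the spec, so only compare when it is present.
    advertised = set(doc.get("scopes_supported", []))
    if advertised:
        missing = sorted(set(required_scopes) - advertised)
        if missing:
            problems.append(f"scopes not advertised: {', '.join(missing)}")

    # Absent token_endpoint_auth_methods_supported means client_secret_basic per the spec.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth_methods):
        problems.append("token endpoint does not accept a client secret")

    endpoints = {key: doc.get(key) for key in REQUIRED_ENDPOINTS[:3]}
    return {"endpoints": endpoints, "problems": problems}


if __name__ == "__main__":
    for url, text in ((DISCOVERY_URL, SAMPLE_DISCOVERY), (BAD_DISCOVERY_URL, BAD_DISCOVERY)):
        result = check_discovery(url, text)
        print(url, "->", result["problems"] or "ok")
```

For a live provider, fetch the document with any HTTP client and pass the response body as document_text; the issuer check is the one to watch, since a document served from a URL that is not under its own issuer will later fail ID token validation even if every endpoint looks right.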


Pre-launch checklist

  • The provider application is registered and the OmniLab callback URL is in the allowed redirect list, character for character (scheme, host, path and trailing slash).
  • All secrets have been shared securely with your Customer Success Manager (not via email in plain text).
  • You have recorded when the client secret expires and who is responsible for rotating it before then.
  • At least one test user exists in OmniLab and is assigned to an organisation.
  • The test user's email in OmniLab exactly matches the email the provider will return.
  • You have confirmed which OmniLab environment (staging or production) the provider is being enabled for.
