Set up OpenID Connect (OIDC) single sign-on for SimplyPrint


OpenID Connect (OIDC) single sign-on lets the members of your account sign in to SimplyPrint with their existing organization login - Microsoft Entra ID, Google Workspace, Okta, Keycloak, or any standards-compliant OIDC provider. This guide walks an account admin through the whole setup, from turning OIDC on to testing the connection and saving it.


OIDC is the modern alternative to SAML. Both do the same job - your members sign in once with your identity provider instead of a separate SimplyPrint password. If your provider only supports SAML, or you already run SAML, see Set up single sign-on (SSO) for SimplyPrint instead. Pick whichever protocol your provider supports best - there is no functional difference for your members.


Single sign-on is included in the Enterprise plan and the School plan. Print Farm subscribers from before 2026-05-15 keep SSO as a grandfathered feature; newer Print Farm accounts need to upgrade to Enterprise. See the pricing page for the full plan comparison.


What you need before you start

  • An account admin with the user registration settings permission. Only an admin with this permission can open and save the SSO settings.
  • An OIDC-capable identity provider where you can register a new application (also called a client). Microsoft Entra ID, Google Workspace, Okta, Keycloak, and Authentik all work, as does any provider that publishes a standard discovery document.
  • The ability to create an app registration / OAuth client in that provider, since you will need to copy a redirect URI into it and copy a client ID and secret back out.


One SSO method at a time

Your account runs a single SSO method at a time - either SAML or OIDC, never both. Turning on OIDC deactivates SAML (and vice versa), but it keeps the other method's saved configuration, so you can switch back later without re-entering everything. The settings panel reminds you of this when a method is active: "Only one single sign-on method can be active at a time. Switching methods deactivates the other one, but keeps its configuration saved for later."


How OIDC sign-in works

SimplyPrint acts as the relying party in a standard OIDC authorization-code flow with PKCE. When a member signs in, they are sent to your identity provider, authenticate there, and your provider returns a signed token that tells SimplyPrint who they are.


SimplyPrint discovers your provider's endpoints automatically from its /.well-known/openid-configuration document, so in most cases you only provide three things: the issuer URL, a client ID, and a client secret. The authorization, token, JWKS, and userinfo endpoints fill in by themselves.


Turn on OIDC and open the configuration

  1. Go to Settings -> Organization in the panel and open the "User registration & SSO" section.
  2. Tick the "OpenID Connect (OIDC) single sign-on" checkbox.
  3. In the card that appears, click "Configure OIDC single sign-on" to open the configuration modal.


The modal has preset tabs at the top: "Microsoft Entra", "Google Workspace", "Okta", and "Other". Each preset pre-fills the right defaults (claim names, the email-verified default, and so on) for that vendor. Use "Other" for any standards-compliant provider, including Keycloak and Authentik.


Configure your provider

Work through the modal top to bottom.


Copy the redirect URI into your provider

Under "What you need from us" the modal shows a read-only Redirect URI (your provider may call it a callback URL or reply URL). Click "Copy" and register that exact value as a redirect URI in your provider's app registration.


Copy the redirect URI shown in your own modal rather than typing one from memory. It is your SimplyPrint site URL followed by /oauth/callback, and it must match exactly or your provider will reject the sign-in.


Paste in your issuer and credentials

Under "What we need from you", fill in:

  • Issuer URL - the base URL of your provider. On the "Microsoft Entra" tab this is a Tenant ID (Directory ID) field instead; SimplyPrint builds the issuer for you as https://login.microsoftonline.com/{tenantId}/v2.0.
  • Client ID - from the app / client you registered.
  • Client secret - from the same app. Once saved it is write-only: the field shows "Unchanged" and you can leave it blank to keep the stored secret, or type a new one to replace it.
  • Scopes - defaults to openid profile email. Add the groups scope if you want to map provider groups to user groups.


Click Check next to the issuer to validate the discovery document. SimplyPrint resolves the endpoints and shows them so you can confirm the connection before saving.
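To sanity-check a provider's discovery document yourself before saving, the sketch below applies the OpenID Connect Discovery rules to a constructed document for a hypothetical provider at idp.example.edu. It is an added example, not SimplyPrint's own code, and it assumes the "logout endpoint" this guide mentions is the standard end_session_endpoint metadata field.

```python
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer: str) -> str:
    """Discovery document location: trailing '/' is removed before appending."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer: str, doc: dict) -> dict:
    """Return {'errors': [...], 'notes': [...]} for a fetched discovery document."""
    errors, notes = [], []
    # The document's issuer must equal the configured issuer character for
    # character; ID tokens are later validated against the same string.
    if doc.get("issuer") != issuer:
        errors.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            errors.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            errors.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        errors.append("response_type=code (authorization-code flow) not advertised")
    # Optional metadata: absence is worth knowing about but is not fatal.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        notes.append("PKCE S256 not advertised (provider may still accept it)")
    if "end_session_endpoint" not in doc:
        notes.append("no end_session_endpoint: logout stays local to the app")
    return {"errors": errors, "notes": notes}

# Constructed sample document for a hypothetical provider (not real output).
ISSUER = "https://idp.example.edu/realms/school"
SAMPLE = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, SAMPLE))        # clean, one logout note
    print(check_discovery(ISSUER + "/", SAMPLE))  # trailing slash: issuer mismatch
```
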


Advanced options (optional)

The collapsible Advanced section is only needed for non-standard setups. It lets you override endpoints manually (for providers that don't publish a discovery document), add extra authorization parameters (such as a prompt or domain hint), restrict sign-in to specific allowed email domains, and toggle Require verified email.


Map claims to user fields

The Claim mappings section maps the claims your provider sends to the matching SimplyPrint user fields. The defaults are email to email, given_name to first name, and family_name to last name. Okta, Keycloak, and Authentik also default groups to user groups. Use "Apply defaults for [provider]" to fill in the common claim names for your provider.


Mapping a group claim to user groups lets members land in the right SimplyPrint user group automatically. The concept is identical to SAML group mapping - see SAML single sign-on user groups: group mapping and teacher mapping.


Test the connection before going live

Save your settings, then click Test sign-in. This opens a new tab and runs the real sign-in flow against your provider, then shows you exactly which claims came back - without logging anyone in or creating an account. It is the recommended way to confirm everything is wired up correctly.


If something is wrong, the Last received claims and Last sign-in error debug panels at the bottom of the modal show the most recent claims (with email addresses masked) and the latest error for your provider. These are the main troubleshooting tools. For a full walkthrough, see Troubleshooting OIDC single sign-on.


How new members get accounts

New members get a SimplyPrint account automatically the first time they sign in (just-in-time provisioning), as long as their email address is trustworthy. An email counts as trustworthy when any of these is true:

  • Your provider marks the email as verified (sends an email_verified signal).
  • The email's domain is one your account has verified. See Verified email domains for OIDC.
  • The admin turned off "Require verified email" in the Advanced section.


Microsoft Entra ID does not send an email-verified signal, so for Entra the right path is to verify your email domains, or turn off "Require verified email". Otherwise new members can't be auto-created.
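The three-way rule above, modelled on constructed claim sets so you can see which first-time sign-ins would be provisioned under a given configuration. This is an added example, not SimplyPrint's implementation; the function names, the exact-match domain comparison, and the acceptance of a string "true" for email_verified are assumptions.

```python
def _domain(email: str) -> str:
    """Lower-cased domain part of an address, or '' if it is not user@domain."""
    local, sep, domain = email.rpartition("@")
    return domain.strip().lower() if sep and local else ""

def _is_true(value) -> bool:
    # Assumption: tolerate providers that send the string "true" instead of a
    # JSON boolean. Any other value, including a missing claim, is not verified.
    return value is True or (isinstance(value, str) and value.lower() == "true")

def can_auto_create(claims, verified_domains, require_verified_email=True):
    """Return (allowed, reason) for a first sign-in carrying these claims."""
    domain = _domain(claims.get("email") or "")
    if not domain:
        return False, "no usable email claim"
    if _is_true(claims.get("email_verified")):
        return True, "provider marked the email as verified"
    # Exact match only: a name that merely contains or ends with a verified
    # domain as a label (e.g. school.example.org.other.test) does not count.
    if domain in {d.lower() for d in verified_domains}:
        return True, "domain verified by the account"
    if not require_verified_email:
        return True, "'Require verified email' is turned off"
    return False, "email not verified and domain not verified"

# Constructed claim sets (not captured from any real provider).
VERIFIED_DOMAINS = ["school.example.org"]
SAMPLES = {
    "entra, verified domain": {"email": "kim@School.Example.org"},
    "entra, other domain": {"email": "kim@partner.example.net"},
    "verified by provider": {"email": "lee@partner.example.net",
                             "email_verified": True},
    "explicitly unverified": {"email": "sam@partner.example.net",
                              "email_verified": False},
    "lookalike domain": {"email": "x@school.example.org.other.test"},
}

def evaluate(require_verified_email=True):
    """Map each sample name to its (allowed, reason) result."""
    return {name: can_auto_create(c, VERIFIED_DOMAINS, require_verified_email)
            for name, c in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, why) in evaluate().items():
        print(f"{name:24} {'create' if ok else 'reject':7} {why}")
```

Calling evaluate(False) shows the effect of turning the requirement off: every sample with a usable email claim is then provisioned, including the explicitly unverified and lookalike-domain ones.
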


How sign-in and logout behave

Members sign in from your account's login page using your provider. For the member-facing side, see Signing in with SSO (organization login). Members who already have an email/password SimplyPrint account can connect it to SSO - see Linking your existing SimplyPrint account to your SSO account.


Logout signs the member out of their provider too when your provider advertises a logout endpoint. Google Workspace does not, so with Google, signing out of SimplyPrint is local to SimplyPrint only.


Choose your provider

The exact steps to register the app differ per provider. Pick yours for a step-by-step guide:



Updated on: 13/06/2026
