OpenID Connect (OIDC)
Setting up an OIDC connection is an advanced task and may require assistance from an IT professional.
You may manually configure an OIDC provider for use with the TIS Platform. Your provider must publish an OIDC discovery document (the /.well-known/openid-configuration endpoint) and support the Authorization Code flow.
Configuration Options
Display Name - Required
This will be displayed to your users on the TIS Platform login screen as a "Sign in with [Display Name]" option. It will also be shown in the administration panel under your list of configured SSO providers.
Discovery Document URL - Required
The URL of your OIDC provider's discovery document. You may enter either the provider's base URL or the full URL including the /.well-known/openid-configuration path.
By default, the endpoints listed in the discovery document must be on the same domain as the document URL itself. If they are not, you will receive an error when saving, and an option will appear to bypass this check. Do not enable the bypass unless you have confirmed with your provider that the endpoints are correct: the check is what stops a misconfigured or tampered document from sending your users' sign-ins and tokens to a different host. You cannot change this option after the connection has been created.
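The two things this setting does with the URL, reproduced offline as an added example (this is not TIS Platform code): accept either the base URL or the full well-known URL, and list every endpoint that is not on the document's host, which is what the default same-domain check refuses. It also checks the two prerequisites named at the top of the page, Authorization Code flow and S256 PKCE, from the document's advertised capabilities. The hostnames and SAMPLE_DOCUMENT are constructed; a real JWKS on a second host is a legitimate setup for some providers, which is why the bypass exists.

```python
"""Discovery document checks for an OIDC provider (added example, not TIS Platform code)."""
import json
from urllib.parse import urlparse, urlunparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"

# Endpoints used during Authorization Code sign-in; jwks_uri is included because
# the ID token's signature is checked against the keys published there.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def normalize_discovery_url(url: str) -> str:
    """Return the full discovery URL whether given the base URL or the full path."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("discovery document URL must be an absolute https URL")
    path = parts.path.rstrip("/")
    if not path.endswith(WELL_KNOWN):
        path += WELL_KNOWN
    # Drop query and fragment: the discovery document lives at a fixed well-known path.
    return urlunparse(parts._replace(path=path, params="", query="", fragment=""))


def mismatched_endpoints(discovery_url: str, document: dict) -> list:
    """Return (key, url) pairs for endpoints whose host differs from the document's host.

    A non-empty result is what the default "endpoints must match the domain of the
    document URL" check rejects when the provider is saved.
    """
    expected = urlparse(discovery_url).hostname
    return [
        (key, document[key])
        for key in ENDPOINT_KEYS
        if key in document and urlparse(document[key]).hostname != expected
    ]


def capability_report(document: dict) -> dict:
    """Check the two prerequisites the page lists: code flow and S256 PKCE."""
    return {
        "authorization_code_flow": "code" in document.get("response_types_supported", []),
        "pkce_s256": "S256" in document.get("code_challenge_methods_supported", []),
    }


def fetch_discovery(url: str, timeout: float = 10.0) -> dict:
    """Fetch and parse the live document (not called by the offline sample below)."""
    with urlopen(normalize_discovery_url(url), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: a provider whose JWKS is served from a different host,
# which is exactly the case the default same-domain check refuses.
SAMPLE_URL = "https://login.example.com"
SAMPLE_DOCUMENT = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
    "jwks_uri": "https://keys.example.net/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(normalize_discovery_url(SAMPLE_URL))
    print("mismatched:", mismatched_endpoints(SAMPLE_URL, SAMPLE_DOCUMENT))
    print("capabilities:", capability_report(SAMPLE_DOCUMENT))
```

Run it against your own provider by replacing SAMPLE_DOCUMENT with fetch_discovery(your_url); if mismatched_endpoints is non-empty you will hit the error on save, and you should be able to explain every entry in that list before using the bypass.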
Client ID - Required
The Client ID for the TIS Platform to use to connect to your OIDC provider.
Client Secret - Required
The Client Secret for the TIS Platform to use to authenticate to your OIDC provider.
Enable Proof Key for Code Exchange (PKCE)
Enabling PKCE adds a per-login secret (the code verifier) to the Authorization Code flow, so an authorization code that is intercepted or injected cannot be exchanged for tokens by anyone who does not also hold that verifier. It is not strictly required for a confidential client that already authenticates with a client secret, but it is strongly recommended. Your provider must support PKCE for confidential clients and the S256 challenge method.
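What the setting adds to the exchange, as an added example in Python (not TIS Platform code): the client mints a random code verifier per login, sends only its SHA-256 digest (the code challenge) in the authorize request, and reveals the verifier at the token endpoint, where the provider recomputes the digest and rejects a mismatch. The endpoint URLs, client ID, subdomain and secret values are constructed for the example.

```python
"""PKCE with the S256 challenge method, RFC 7636 (added example, not TIS Platform code)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43 unreserved characters from 32 random bytes (RFC 7636 allows 43..128)."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Provider-side check at the token endpoint.

    Only S256 is accepted: the 'plain' method would send the verifier itself in
    the authorize request, which is the value an interceptor must not learn.
    """
    if method != "S256" or not (43 <= len(verifier) <= 128):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorize_url(authorization_endpoint: str, client_id: str,
                        redirect_uri: str, state: str, challenge: str) -> str:
    """Client -> provider: the redirect that starts the sign-in carries the digest only."""
    return authorization_endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def build_token_request(code: str, verifier: str, client_id: str,
                        client_secret: str, redirect_uri: str) -> dict:
    """Client -> provider token endpoint: a confidential client sends its secret
    AND the verifier; PKCE supplements the client secret, it does not replace it."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Constructed values; "acme" stands in for your own subdomain.
    redirect = "https://acme.tislms.com/account/sso/oidclogin"
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorize_url("https://login.example.com/oauth2/authorize", "tis-platform",
                              redirect, secrets.token_urlsafe(16), challenge))
    req = build_token_request("constructed-code", verifier, "tis-platform",
                              "constructed-secret", redirect)
    print("provider accepts:", verify_code_challenge(req["code_verifier"], challenge, "S256"))
```

The verifier never leaves the client until the token request, which goes directly from the TIS Platform to the token endpoint over TLS, so a code captured from the browser redirect is useless on its own.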
Merge Users Where Email Matches an Existing Account
First Name Attribute
The claim name in your token that corresponds to the user's first name. The default value is first_name. A first name must be mapped for login to succeed.
Last Name Attribute
The claim name in your token that corresponds to the user's last name. The default value is last_name. A last name must be mapped for login to succeed.
Employee ID Attribute
The claim name in your token that you wish to map to the Employee ID field on the TIS Training account. This field is optional.
Email Attribute
The claim name in your token that corresponds to the user's email. The default value is email. An email must be mapped for login to succeed.
Role and Group Mappings
For more information on how role and group mappings work, please see Role and Group Mappings.
For role and group mappings using OIDC, we use the JWT claims passed by your provider in the Identity Token (ID token). If you are unsure which claims are being passed, complete the setup of the OIDC provider, then use the "Test SSO Login" button to review the information your provider sends to the TIS Platform. Mappings can be updated at any time by using the "Edit Provider" button.
Redirect URL
Your provider may require a redirect URL when you set up the TIS Platform client. This value should be set to https://[Your Subdomain].tislms.com/account/sso/oidclogin. Register it exactly as shown, since providers match the redirect URI character for character. This URL will also be displayed after you have saved the OIDC provider in the TIS Platform administration panel.