For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
13.5kProductPricingSign inStart free trialBook a demo
DocsAPIsSDKsEnterprise EdgeGuidesAcademyRelease notes
DocsAPIsSDKsEnterprise EdgeGuidesAcademyRelease notes
    • Home
  • Get started
    • Quickstart
    • Introduction to feature flags
    • Unleash architecture overview
  • Core concepts
    • Overview
    • Import and export
      • Unleash hosting options
        • OpenID Connect
        • SAML 2.0
        • SAML Keycloak
        • Azure SAML
        • Keycloak group syncing
        • Group SSO sync
      • Developer Toolbar

Unleash reduces the risk of releasing new features, drives innovation by streamlining the software release process, and increases revenue by optimizing end-user experience. While we serve the needs of the world's largest, most security-conscious organizations, we are also rated the “Easiest Feature Management system to use” by G2.

GitHubGitHubLinkedInLinkedInX (Twitter)X (Twitter)SlackSlackStack OverflowStack OverflowYouTubeYouTube

Server SDKs

  • Node.js
  • Java
  • Go
  • Rust
  • Ruby
  • Python
  • .NET
  • PHP
  • All SDKs

Frontend SDKs

  • JavaScript
  • React
  • Next.js
  • Vue
  • iOS
  • Android
  • Flutter

Feature Flag use cases

  • Secure, scalable feature flags
  • Rollbacks
  • FedRAMP, SOC2, ISO2700 compliance
  • Progressive or gradual rollouts
  • Trunk-based development
  • Software kill switches
  • A/B testing
  • Feature management
  • Canary releases

Product

  • Quickstart
  • Unleash architecture
  • Pricing
  • Product vision
  • Open live demo
  • Open source
  • Enterprise feature management platform
  • Unleash vs LaunchDarkly

Support

  • Help center
  • Status
  • Changelog
Made in a cosy atmosphere in the Nordic countries.Copyright © 2026 Unleash
LogoLogo
13.5kProductPricingSign inStart free trialBook a demo
On this page
  • Prerequisites
  • Create an OIDC application in Okta
  • Configure the Okta application
  • Configure the OpenID Connect provider in Unleash
  • Test your configuration
  • Configure OIDC through environment variables
  • Required configuration
  • Auto-create users
  • Group syncing
  • Additional options
Integrate and deploySingle sign-on

Set up SSO with OpenID Connect

||View as Markdown|
Was this page helpful?

Last updated May 28, 2026

Previous

Set up SSO with SAML 2.0 and Okta

Next
Built with
Enterprise

This guide walks you through setting up single sign-on (SSO) for Unleash using the OpenID Connect (OIDC) protocol, with Okta as the identity provider (IdP). Unleash supports a variety of identity providers and protocols; visit our reference documentation to explore other options.

Prerequisites

To follow along, you’ll need:

  • An Unleash instance with Admin access.
  • An Okta account with permission to create applications.

Create an OIDC application in Okta

To create a new OIDC application in Okta, do the following:

  1. Sign in to your Okta account and go to Admin > Applications.
  2. Click Add Apps, then Create Application.
  3. Select OIDC - OpenID Connect, choose Web Application as the application type, and click Create.

Okta: Add Apps

Okta: Create Apps

Configure the Okta application

To configure the application, do the following:

  1. Give your application a name.
  2. Set Sign-in redirect URI to https://[region].app.unleash-hosted.com/[instanceName]/auth/oidc/callback. For self-hosted instances, the URL must match your UNLEASH_URL configuration.
  3. Optional: set Sign-out redirect URI to https://[region].app.unleash-hosted.com/[instanceName]/.
  4. Click Save.

Okta: Configure OpenID Connect

After saving, Okta provides the Discover URL, Client ID, and Client Secret you need to configure the Unleash side.

Okta: Configure OpenID Connect

Configure the OpenID Connect provider in Unleash

To finalize the configuration, do the following:

  1. In the Unleash Admin UI, go to Admin settings > Single sign-on > OpenID Connect.
  2. Enter the Discover URL, Client ID, and Client Secret from your Okta application.
  3. Optional: To automatically create users for first-time sign-ins, select Auto-create users. Provide a list of valid email domains and choose a default root role for new users. The default root role is Editor.
  4. Click Save.

The Discover URL must be a valid URL and include the https:// prefix. For example, https://dev-example-okta.com is a valid Discover URL.

Unleash: Configure OpenID Connect

Test your configuration

To test that things are working as expected, log out of Unleash and verify that the login screen gives you the option to sign in with OpenID Connect. Click Sign in with OpenID Connect and complete the sign-in flow.

If something is not working, you can still sign in with your username and password.

Verify SSO

Configure OIDC through environment variables

v6.1

Instead of configuring OIDC through the Admin UI, you can configure it through environment variables.

Configuring OIDC through environment variables disables editing the settings in the Admin UI. To fall back to the UI, unset OIDC_ENABLED and restart Unleash.

Required configuration

OIDC_ENABLED
booleanRequired

Tells Unleash to use environment variables to configure OIDC. Setting this to false turns off OIDC login.

OIDC_DISCOVER_URL
stringRequired

URL used to dynamically retrieve the OIDC configuration. For example, https://myoidchost.azure.com/.well-known/openid-configuration.

OIDC_CLIENT_ID
stringRequired

The OIDC client ID of this application. For example, FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B.

OIDC_CLIENT_SECRET
stringRequired

Shared secret from the OpenID server, used to authenticate login requests.

Auto-create users

Configure these optional variables to automatically create Unleash users for SSO sign-ins from specific email domains.

OIDC_AUTO_CREATE
booleanDefaults to false

Tells Unleash to auto-create users from the domains in OIDC_AUTO_CREATE_EMAIL_DOMAINS.

OIDC_AUTO_CREATE_EMAIL_DOMAINS
string

A comma-separated list of domains to auto-create users for. If not set, all domains are accepted. For example, getunleash.io,getunleash.ai.

OIDC_DEFAULT_ROOT_ROLE
stringDefaults to Viewer

The root role to grant users auto-created through SSO. Allowed values: Viewer, Editor, Admin.

Group syncing

Configure these optional variables to sync groups from your identity provider to Unleash.

OIDC_ENABLE_GROUP_SYNCING
booleanDefaults to false

Tells Unleash to set up group syncing from OIDC login requests.

OIDC_GROUP_JSON_PATH
string

A JSON path expression that tells Unleash where to find the group membership information in the response. For example, groups.

OIDC_ADD_GROUPS_SCOPE
booleanDefaults to false

Tells Unleash to add the groups access scope to the request.

Additional options

The following variables are optional.

OIDC_ACR_VALUES
string

Authentication Context Class Reference. Used to request extra values in the acr claim returned from the server. If multiple values are required, they should be space-separated.

OIDC_ID_TOKEN_SIGNING_ALGORITHM
string

Use this only if your provider is failing with an unsupported algorithm; the default should be fine. Allowed values: RS256, RS384, RS512.

OIDC_ENABLE_SINGLE_SIGN_OUT
booleanDefaults to false

Whether Unleash should call the OIDC single sign-out endpoint. Requires Unleash v8 or later.

OIDC_EXTRA_SCOPES
string

Space-separated list of additional scopes to request during login, beyond the default openid email profile and the groups scope if group syncing is enabled. For example, custom1 custom2. Requires Unleash v8 or later.