Skip to content

CAP OpenID Connect integration manual



  • A running identity provider
  • Access to the CAP server configuration

Identity server setup steps

You will need to check the following in your identity server configuration:

  • OpenID Connect Discovery is enabled
  • use of the Authorization Code Flow is allowed
  • a client name and a client secret are created for CAP

CAP setup steps

For now, the OpenID Connect integration for CAP can only be configured by setting some environment variables. One way to do so is to edit the .env file that lies at the root of your on-premises CAP installation.

Here are the variables you need to set:

  • OIDC_DISCOVERY_URL: discovery URL, meant for autoconfiguration of the OpenID endpoints. It generally look like
  • OIDC_CLIENT_NAME: name you assigned to CAP (aka. the client) when you configured your identity server
  • OIDC_SECRET: secret password associated to the aforementioned client
  • OIDC_DEFAULT_ORG_ID: the ID of the default organization a user identified by the SSO will belong to

Here are the optional variables you may also set:

  • OIDC_BUTTON_LABEL: text that will be displayed on the SSO login button
  • OIDC_USE_PING_FEDERATE: set this to true if PingFederate is your identity provider
  • OIDC_RESOURCE: optional parameter that hints the role claim(s) to be included in the Access Token upon successful user authentication. Set this if required by your identity provider.


Once CAP is configured for using OpenID Connect, you will see a new button on the login page that reads "Log in with OpenID".

You can then click this button to be redirected to a login page managed by your identity provider. Once the credentials are validated by your identity provider, you will be redirected back to CAP.

Known issues