OpenID Connect
OpenID Connect is an identity layer built on top of OAuth 2.0 that enables clients to verify the identity of end-users based on authentication performed by an authorization server and obtain basic profile information.
What to Know
OpenID Connect (OIDC) combines OAuth’s authorization framework with standardized identity verification, enabling single sign-on across web applications and services. While OAuth provides authorization (“what can this app do?”), OpenID Connect adds authentication (“who is this user?”), making it a complete solution for modern identity management. OIDC standardizes how applications retrieve user profile information, reducing integration complexity and enabling interoperability across identity providers (Okta, Azure AD, Google, etc.). For MDM platforms, OIDC enables administrator SSO, eliminating separate credential management and enabling centralized access control through corporate identity systems.
OIDC uses JSON Web Tokens (JWTs) to convey identity information securely, including user attributes like email, name, and group memberships. These ID tokens are cryptographically signed, preventing tampering and enabling verification without callbacks to the identity provider. OIDC also supports session management and logout propagation, allowing users to log out from MDM consoles and have that logout propagate to other connected applications.
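The token checks described above, together with the group-to-role mapping an MDM console needs, as an added example that is not Addigy's code or any identity provider's. It signs with HS256 (the client secret as key, which OIDC permits for confidential clients); most providers use RS256 with keys fetched from their JWKS endpoint, so only the signature step would differ in practice. The issuer, client id, secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not from any real IdP or Addigy tenant).
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_CLAIMS = {"iss": "https://idp.example.com", "aud": "mdm-console", "sub": "u-42",
                 "exp": 1_900_000_000, "nonce": "n-1", "email": "admin@example.com",
                 "groups": ["mdm-admins"]}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, client_secret: str) -> str:
    """Build a JWS compact token (header.payload.signature) signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Return (claims, None) when every check passes, otherwise (None, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None, "unexpected alg"
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued to this client"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    if claims.get("nonce") != nonce:  # binds the token to the login request that asked for it
        return None, "nonce mismatch"
    return claims, None

def role_for(claims, group_roles):
    """Map the IdP groups claim to the first matching MDM role (most privileged first)."""
    groups = set(claims.get("groups", []))
    return next((role for group, role in group_roles if group in groups), None)
```

A relying party that skips any one of these checks (signature, issuer, audience, expiry, nonce) accepts tokens it should not; the role table should be ordered so an administrator in several groups receives the highest role deliberately, not by accident.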
Common Scenarios
Enterprise IT: Corporate MDM platforms integrate with Azure AD or Okta using OpenID Connect to enable SSO for IT admins, eliminating separate MDM passwords and enabling consistent access control policies. IT configures OIDC by registering the MDM platform as a client in the identity provider, specifying redirect URIs and permission scopes. Multi-factor authentication enforced at the identity provider automatically applies to MDM console access through OIDC integration. Role-based access control can leverage OIDC claims to map identity provider groups to MDM administrator roles.
MSP: MSPs leverage OIDC to enable technicians to authenticate across multiple client MDM instances using federated identity, eliminating per-client credential management. OIDC enables just-in-time provisioning where administrator accounts are created automatically when users first authenticate, reducing onboarding overhead. MSPs should implement OIDC best practices including secure redirect URI configuration, proper scope limitation, and session timeout policies that balance security with operational convenience.
Education: School districts integrate MDM with Google Workspace or Microsoft 365 using OpenID Connect, allowing IT staff to access MDM consoles using existing school credentials. OIDC simplifies administrator lifecycle management — when staff leave or change roles, access changes in the identity provider automatically affect MDM access. Educational institutions must configure OIDC scopes appropriately to access necessary directory information while complying with student privacy regulations.
In Addigy
Addigy supports OpenID Connect integration for administrator single sign-on, enabling organizations to integrate with identity providers like Okta and Azure AD. Administrators configure OIDC by providing identity provider details, client credentials, and authorization/token endpoints through the Addigy admin console. Once configured, users can log into Addigy using their corporate credentials, with authentication handled by the identity provider through the OIDC flow.
Addigy’s OIDC implementation supports standard OIDC claims for user identification and attribute mapping, enabling role-based access control based on identity provider group memberships. Addigy handles OIDC token validation, refresh flows, and session management automatically, abstracting protocol complexity from admins while maintaining security best practices. Organizations can enforce MFA at the identity provider level, with those security policies automatically applying to Addigy console access through OIDC integration.
Also Known As
- OIDC
- OpenID Connect 1.0