# Single Sign-On with OIDC

Retarus Intelligent Document Processing (IDP) supports Single Sign-On (SSO) integration using the OpenID Connect (OIDC) protocol. Your users can authenticate using their existing identity provider credentials instead of maintaining separate Retarus-specific passwords.

## Benefits

SSO integration provides:

- **Simplified access:** Users sign in to Retarus IDP using their existing corporate credentials.
- **Automatic permissions:** Users automatically receive appropriate roles based on mapped role/group claims.
- **Streamlined management:** You don't need to manage additional passwords.


## How It Works

The integration uses the standard OIDC flow with Keycloak acting as the OIDC broker (client). Your identity provider authenticates users, while Retarus IDP authorizes access based on role mappings derived from `id_token` claims.

## What You Provide

To enable SSO integration, provide:

- Discovery endpoint URL from your OIDC-compliant identity provider (e.g., Microsoft Entra ID)
- Client ID and Client Secret
- Redirect URI (callback URL) registered in your identity provider
- Information about your role/group claims structure
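
To document your role/group claims structure, you can inspect the `id_token` your identity provider issues for a test user. The following is an added example, not Retarus code: the claim names `roles` and `groups`, the issuer, and the role value are assumptions or constructed sample data, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def describe_role_claims(payload: dict, candidates=("roles", "groups")) -> dict:
    """Report the shape of each candidate role/group claim.

    The claim names are assumptions; pass the names your provider emits.
    """
    # Microsoft Entra ID signals group overage by omitting `groups` and
    # listing it under `_claim_names` instead.
    moved = payload.get("_claim_names") or {}
    report = {}
    for name in candidates:
        value = payload.get(name)
        if isinstance(value, list):
            report[name] = {"shape": "list", "values": [str(v) for v in value]}
        elif isinstance(value, str):
            report[name] = {"shape": "string", "values": [value]}
        elif name in moved:
            report[name] = {"shape": "overage", "values": []}
        else:
            report[name] = {"shape": "missing", "values": []}
    return report

def _encode(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: placeholder signature, made-up issuer and role name.
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "RS256", "typ": "JWT"}),
    _encode({
        "iss": "https://idp.example.com",
        "sub": "user-1",
        "roles": ["idp-reviewer"],
        "_claim_names": {"groups": "src1"},
    }),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(json.dumps(describe_role_claims(decode_payload(SAMPLE_TOKEN)), indent=2))
```

A claim reported as `overage` or `missing` is not present in the `id_token`, so role mappings derived from `id_token` claims cannot use it; share the reported claim names and shapes rather than the token itself.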


## Get Started

For more information, see the [OIDC Identity Provider Setup Guide](https://docs.retarus.com/idp/openid-connect-identity-provider-for-idp).