# OpenID Connect Protocol

{% hint style="info" %}
**Editing your IAM configuration**

With the exception of the IAM ID (also called the display name), any of these settings can be changed after an IAM is configured. To edit IAM settings, click the dropdown arrow next to the IAM listed in the identity management section on the app settings page and then make your changes.
{% endhint %}

1. Navigate to the Immuta **App Settings** page.
2. Scroll to the **Identity Management** section and click **Add IAM**.
3. Complete the **Display Name** field and select **OpenID** from the **Identity Provider Type** dropdown.
4. Take note of the ID and copy the SSO Callback URL to use as the ACS URL in your identity provider.
5. Adjust **Default Permissions** granted to users by selecting from the list in this dropdown menu.
6. Enter the **Client ID** and **Client Secret** from your identity provider.
7. Enter the URL of your identity provider's discovery endpoint in the **Discover URL** field. If you do not provide this URL, you will have to complete the manual endpoint specification fields (authorization endpoint, issuer, token endpoint, etc.).
8. Opt to add additional **Scopes**.
9. Opt to **Enable SCIM support for OpenID** by clicking the checkbox, which will generate a SCIM API Key. *Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.*
   * Copy the SCIM URL and API key generated, and then save your changes[^1].
   * Validate the URL and credentials within the identity provider application.
10. In the **Profile Schema** section, map attributes in OpenID to automatically fill in a user's Immuta profile. *Note: Fields that you specify in this schema will not be editable by users within Immuta.*
11. Opt to **Allow Identity Provider Initiated Single Sign On** to use the IDP-Initiated SSO feature by selecting the checkbox.
12. Opt to **Migrate Users** from another IAM by selecting the checkbox.
13. Click **Test Connection** and **Test User Login**.
14. Save your configuration.
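Two of the steps above are easy to get subtly wrong: step 7, where a discovery document that is missing endpoints or whose `issuer` does not match the discovery URL means the manual endpoint fields would have to be filled in by hand, and step 9, where a username that differs from the data platform only by casing will not line up once SCIM is enabled. The following pre-flight check is an added example, not Immuta's own code or part of this guide; the discovery document and the username lists are constructed sample data, the hostname `idp.example.test` is a placeholder, and the function names are the author's own.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata a code-flow relying party needs; these are the values the manual
# endpoint fields (issuer, authorization endpoint, token endpoint, ...) ask for.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document; idp.example.test is a placeholder host.
SAMPLE_DISCOVERY_URL = "https://idp.example.test/oidc" + WELL_KNOWN
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test/oidc",
  "authorization_endpoint": "https://idp.example.test/oidc/authorize",
  "token_endpoint": "https://idp.example.test/oidc/token",
  "userinfo_endpoint": "https://idp.example.test/oidc/userinfo",
  "jwks_uri": "https://idp.example.test/oidc/keys",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "response_types_supported": ["code"]
}"""


def expected_issuer(discovery_url):
    """Issuer implied by a discovery URL: everything before the well-known suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    return discovery_url[: -len(WELL_KNOWN)]


def validate_discovery(doc_json, discovery_url, requested_scopes=("openid",)):
    """Check a discovery document and return the values for the manual endpoint fields.

    Raises ValueError describing the first problem found.
    """
    doc = json.loads(doc_json)
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError("discovery document missing: " + ", ".join(missing))
    # OIDC Discovery requires the issuer in the document to equal the one the URL was built from.
    issuer = expected_issuer(discovery_url)
    if doc["issuer"] != issuer:
        raise ValueError("issuer mismatch: %s vs %s" % (doc["issuer"], issuer))
    # Authorization codes, tokens and the client secret travel to these endpoints, so insist on TLS.
    for field in REQUIRED_FIELDS:
        if urlparse(doc[field]).scheme != "https":
            raise ValueError(field + " is not https: " + doc[field])
    # If the provider advertises scopes, every scope to be requested (step 8) must be among them.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        unsupported = sorted(set(requested_scopes) - set(advertised))
        if unsupported:
            raise ValueError("scopes not advertised by provider: " + ", ".join(unsupported))
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "jwks_uri": doc["jwks_uri"],
    }


def discovery_problem(doc_json, discovery_url, requested_scopes=("openid",)):
    """Return None if the document validates, otherwise the problem as a string."""
    try:
        validate_discovery(doc_json, discovery_url, requested_scopes)
    except ValueError as exc:
        return str(exc)
    return None


def username_casing_mismatches(iam_usernames, platform_usernames):
    """Return (iam_name, platform_name) pairs that agree only when case is ignored.

    An IAM username with no counterpart at all is reported with None on the platform side.
    """
    platform_by_lower = {u.lower(): u for u in platform_usernames}
    mismatches = []
    for name in iam_usernames:
        counterpart = platform_by_lower.get(name.lower())
        if counterpart is None:
            mismatches.append((name, None))
        elif counterpart != name:
            mismatches.append((name, counterpart))
    return mismatches


if __name__ == "__main__":
    fields = validate_discovery(SAMPLE_DISCOVERY_JSON, SAMPLE_DISCOVERY_URL, ("openid", "email"))
    for key, value in fields.items():
        print("%-24s %s" % (key, value))
    # Constructed username lists: "Bob" vs "bob" is the casing problem step 9 warns about.
    print(username_casing_mismatches(["alice", "Bob", "carol"], ["alice", "bob", "dave"]))
```

Run against a real provider by fetching its discovery URL over TLS and passing the body to `validate_discovery`; the returned dictionary is exactly what the manual endpoint fields need if discovery is not used. Resolve every pair reported by `username_casing_mismatches` in the identity provider before turning on SCIM, as the guide directs.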

{% hint style="warning" %}
**Multiple user accounts cannot have the same email address**

If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](/2024.3/people/section-contents/reference-guides/identity-managers.md#limitations).
{% endhint %}

[^1]: You can either finish configuring your IAM on the app settings page before clicking save, or you can save now and return to the app settings page to edit the IAM configuration after saving.
