# SSO sign-in (OIDC)

Source: https://docs.settlemint.com/docs/developers/sso-oidc
Configure an external OpenID Connect identity provider as the sign-in method for a DALP deployment, with FusionAuth as the worked example.



DALP can delegate account sign-in to an external OpenID Connect (OIDC) identity provider. Configuration is provider-neutral: the same `auth.oidcProviders` block works against FusionAuth, Okta, Auth0, or any standards-compliant OIDC issuer. No provider is special-cased in code.

This section uses FusionAuth as the worked example because it surfaces the two integration requirements operators most often miss — the `name` claim source and how provider roles reach the token DALP reads.

Related pages:

* [Configure an OIDC provider](/docs/developers/sso-oidc/configure-provider)
* [FusionAuth setup](/docs/developers/sso-oidc/fusionauth-setup)
* [Deploy OIDC in production](/docs/developers/sso-oidc/deploy-production)
* [Troubleshooting](/docs/developers/sso-oidc/troubleshooting)
* [Authentication](/docs/compliance-security/security/authentication)

## Enablement is all-or-nothing [#enablement-is-all-or-nothing]

DALP treats the configured provider list as a deployment-wide switch. A provider counts as configured only when its `id`, `issuer`, `clientId`, and `clientSecret` are all set to non-empty values; partially filled entries (for example one whose secret comes from an unset environment variable) are ignored.

When at least one provider is fully configured, the external IdP becomes the **sole** login method. Local email and password sign-in is disabled server-side, and passkey sign-in paths are rejected. There is no in-band fallback — recovery from a misconfigured provider is a redeploy with an empty provider list (see [Deploy OIDC in production](/docs/developers/sso-oidc/deploy-production)).

<Mermaid
  chart="`
flowchart TD
Cfg[&#x22;auth.oidcProviders[]&#x22;] --> Filter[&#x22;Configured providers<br/>(id + issuer + clientId + clientSecret all set)&#x22;]
Filter -->|&#x22;none configured&#x22;| Local[&#x22;Local login ON<br/>email/password + passkey&#x22;]
Filter -->|&#x22;one or more configured&#x22;| SSO[&#x22;SSO only<br/>email/password disabled<br/>passkey paths rejected<br/>implicit account-linking off&#x22;]
`"
/>

<Callout type="warning" title="Configuring a provider disables local login">
  Enabling any OIDC provider removes email/password and passkey sign-in for the
  whole deployment. Verify the provider end-to-end in a non-production
  environment before enabling it where operators depend on access.
</Callout>
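Because recovery from a bad provider list is a redeploy, it is worth checking the list before it ships. The following preflight is an added example, not DALP's own code: it applies the four-field rule above to an `auth.oidcProviders` array and reports which login mode the deployment will land in and which entries DALP will ignore. The field names follow this page; the `ProviderEntry` type, the function names and the sample entries are assumptions constructed for the example.

```typescript
// Added example (not DALP's own code): preflight an auth.oidcProviders list
// against the "all four fields set" rule and report the resulting login mode.
interface ProviderEntry {
  id?: string;
  issuer?: string;
  clientId?: string;
  clientSecret?: string;
}

interface Preflight {
  mode: "local" | "sso-only";
  configured: string[]; // ids that pass the check and will be offered at login
  ignored: string[];    // entries DALP drops, with the fields they are missing
}

const REQUIRED = ["id", "issuer", "clientId", "clientSecret"] as const;

function isSet(v: unknown): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

// An entry counts only when id, issuer, clientId and clientSecret are all
// non-empty strings; anything less is a partially filled entry.
function isConfigured(p: ProviderEntry): boolean {
  return REQUIRED.every((k) => isSet(p[k]));
}

function preflight(providers: ProviderEntry[]): Preflight {
  const configured: string[] = [];
  const ignored: string[] = [];
  providers.forEach((p, i) => {
    if (isConfigured(p)) {
      configured.push(p.id as string);
    } else {
      const missing = REQUIRED.filter((k) => !isSet(p[k])).join(", ");
      ignored.push(`entry ${i}${p.id ? ` (${p.id})` : ""}: missing ${missing}`);
    }
  });
  // A single fully configured entry is enough to switch off local login.
  return { mode: configured.length > 0 ? "sso-only" : "local", configured, ignored };
}

// Constructed sample (assumption, not a real deployment): the second entry
// mimics an unset CLIENT_SECRET variable, which makes it partially filled.
const sampleProviders: ProviderEntry[] = [
  { id: "fusionauth", issuer: "https://auth.example.com", clientId: "dalp", clientSecret: "change-me" },
  { id: "okta", issuer: "https://example.okta.com", clientId: "0oa123", clientSecret: "" },
];

const sampleResult = preflight(sampleProviders);
```

Run this against the exact values you are about to deploy. An entry in `ignored` means one of two things, both of which are surprises in production: a provider that will be missing from the login page, or, if no other entry is complete, a deployment that quietly keeps local login on.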

## What the provider must supply [#what-the-provider-must-supply]

DALP reads the user profile from the provider's ID token (falling back to the userinfo endpoint only when the ID token lacks a subject or email). Three claims drive sign-in and authorization.

| DALP need               | Source claim                                                                                               | What happens if it is missing or wrong                        |
| ----------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
| Display name (required) | `name`                                                                                                     | Sign-in fails — the account cannot be created without a name. |
| Identity anchor         | a verified `email`                                                                                         | An explicit `email_verified: false` is rejected by design.    |
| Platform admin          | the `adminClaim` value inside a `roles` or `groups` array, or a direct boolean claim named by `adminClaim` | The user signs in as a regular member.                        |

Admin is **deny-by-default**: when `adminClaim` is empty, no profile is ever promoted to platform admin. The role is re-derived on every login, so changing a user's claim at the IdP promotes or demotes them on their next sign-in.

## How sign-in flows [#how-sign-in-flows]

<Mermaid
  chart="`
sequenceDiagram
participant U as Browser
participant D as DALP (better-auth)
participant I as OIDC provider
U->>D: Click &#x22;Sign in with provider&#x22;
D->>I: Redirect to authorization endpoint (PKCE, scopes)
Note over I: invalid_redirect_uri if the callback URL is not registered
I-->>D: Callback with authorization code
Note over D: issuer_missing if RFC 9207 issuer validation is on<br/>and the provider omits the iss parameter
D->>I: Exchange code for ID token (and access token)
D->>D: Map profile claims to the DALP user
Note over D: name_is_missing if no name claim<br/>email_is_missing if email_verified is false<br/>role is member if the admin claim is absent
D-->>U: Session created; role admin or member
`"
/>

Each labelled failure has a cause and fix in [Troubleshooting](/docs/developers/sso-oidc/troubleshooting).

## Next steps [#next-steps]

* Map every configuration field and its environment variable in [Configure an OIDC provider](/docs/developers/sso-oidc/configure-provider).
* Follow the end-to-end [FusionAuth setup](/docs/developers/sso-oidc/fusionauth-setup).
* Plan the rollout with [Deploy OIDC in production](/docs/developers/sso-oidc/deploy-production).
