OpenID Connect

Atomic Enterprise OSSEC (AEO) supports Single Sign On (SSO) via integration with OpenID Connect. A full list of certified providers is available at:


  • AEO 6.0.0+

  • OpenID Connect Server

  • AEO 6.0.0+ registration with OpenID Connect Server


This module is designed to allow SSO and authentication that utilizes the OpenID Connect protocol.


This meets the requirements for SAML authentication

Generic Provider

Step 1: Register AEO with your OpenID Connect endpoint


The process for this is endpoint specific. Refer to your OpenID service provider for more information.

Step 2: Create a user in AEO whose email address matches the email address of the user on file with the OpenID Connect server.

Step 3: Enable OPENID_CONNECT_INTEGRATION="on" in /etc/asl/config, then restart awpd:

systemctl restart awpd

Step 4: Navigate to Integrations > OpenID Connect


Step 5: Enter OpenID credentials

Name: is an arbitrary name that displays on the login page

Provider URL is the endpoint of your OpenID Connect server

ClientID, ClientSecret, and Redirect URL are all provided by the OpenID Connect endpoint when AEO is first registered

ClientID example:

ClientSecret example: SV4bb77clx6m6Ntd_Z8df71S

Redirect URL example: http://fakedomain:30001/auth/app/callback

Step 6: Restart the awpd

systemctl restart awpd

The alias of your OpenID Connect provider should now appear at the bottom of the login page, and the configuration will be written to /var/awp/etc/.integrations/ as a JSON entry of the following form:

        {
            "name": "sso",
            "provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
            "client_id": "atomic",
            "client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "redirect_url": ""
        }



Okta

These are generic instructions; refer to the Okta documentation for more detailed configuration options.

Step 1: Log in to your Okta domain

Step 2: Create App Integration


Step 3: Select OIDC - OpenID Connect, and Web Application


Step 4: Enter your application name, and Sign-in redirect URIs

redirect URI: https://your-aeo-server:30001/auth/app/callback


Step 5: Set the Assignments to the appropriate level for your organization

In this example, we are using “Allow everyone in your organization to access”. Note that the user account must still exist in AEO in order for the account to be able to access the console.


Step 6: Click Save and note the client credentials (Client ID and Client Secret)


Step 7: Log in to AEO and select Integrations > SSO OpenID Connect

Name: is an arbitrary name that displays on the login page

Provider URL is the Okta OpenID provider URL, in the format: https://<value>

ClientID: from step 6 above

ClientSecret: from step 6 above

RedirectURL: https://your-aeo-server:30001/auth/app/callback


Step 8: Restart awpd

systemctl restart awpd


Troubleshooting

unable to match id token to application user: unable to find user with email username@domainname

This means that the user has not been created in the AEO console. As described in Step 2, an AEO user must exist whose email address matches the email address on file with the OpenID Connect server.
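The two checks an operator most often needs here, as an added example that is not AEO's own code: a sanity check of the integration entry written to /var/awp/etc/.integrations/ (the file name, and the expectation that both URLs use https, are assumptions) and a reproduction of the email-to-user matching behind the "unable to match id token" error from the Troubleshooting section. The integration entry, AEO user list and decoded ID token payload are constructed sample data.

```python
"""Added example (not AEO's own code): check an AEO OpenID Connect integration
entry and reproduce the ID-token-email to AEO-user matching done at login."""
import json
from urllib.parse import urlparse

REQUIRED = ("name", "provider_url", "client_id", "client_secret", "redirect_url")


def check_integration(cfg: dict) -> list:
    """Return the problems found in one integration entry (empty list = ok)."""
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")
    for key in ("provider_url", "redirect_url"):
        url = cfg.get(key)
        # Assumption: the client secret and tokens travel over these URLs, so
        # anything other than https is flagged (the page's http example included).
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} does not use https: {url}")
    if cfg.get("redirect_url") and not cfg["redirect_url"].endswith("/auth/app/callback"):
        problems.append("redirect_url must end in /auth/app/callback")
    return problems


def match_id_token(claims: dict, aeo_users: dict) -> str:
    """Apply the Step 2 rule: the ID token's email must match an AEO user's email.
    Exact string match as the page describes; AEO's own normalization is not
    documented here. Raises LookupError with the message the console logs."""
    email = claims.get("email")
    for username, user_email in aeo_users.items():
        if user_email == email:
            return username
    raise LookupError(
        "unable to match id token to application user: "
        f"unable to find user with email {email}"
    )


# Constructed sample: the entry from the page, with redirect_url left empty.
SAMPLE_CONFIG = json.loads("""{
    "name": "sso",
    "provider_url": "https://sso.openidprovider.fake/auth/realms/sso",
    "client_id": "atomic",
    "client_secret": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "redirect_url": ""
}""")
# Constructed AEO user list (username -> email) and decoded ID token payload.
AEO_USERS = {"admin": "admin@example.com", "jdoe": "jdoe@example.com"}
ID_TOKEN_CLAIMS = {"sub": "00u1", "email": "jdoe@example.com"}

if __name__ == "__main__":
    print(check_integration(SAMPLE_CONFIG))            # ['redirect_url is missing or empty']
    print(match_id_token(ID_TOKEN_CLAIMS, AEO_USERS))  # jdoe
```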