> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nx1cloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect to an OIDC identity provider

> Link user identities to an OIDC IdP to enable authentication in NexusOne.

After creating user identities in an external OpenID Connect (OIDC) identity provider supported
by NexusOne, you must connect NexusOne to the OIDC provider.

Connecting to an identity provider ensures that the user identities you created can authenticate
with NexusOne.

## Connect to an OIDC identity provider

Perform these steps to connect to an OIDC identity provider.

1. Log in to NexusOne.

2. On the top navigation bar, hover your mouse over **Govern** and then select **Identity Provider**.

3. Click the plus `+` icon in the top right corner of the page to choose a provider.

4. Select a provider.

5. Configure the provider with the following details:

   1. In the **Display Name** field, enter a provider display name. It's shown in NexusOne's UI.

   2. In the **Alias** field, enter a unique name. It must be in lowercase and contain hyphens.

   3. Use the toggle button to **Enable** or **Disable** the provider.

   4. Create an OIDC app in the provider's portal that represents NexusOne.

   5. Copy NexusOne's redirect URI shown in the **Redirect URI / Callback** URL field and paste it into the
      provider's Allowed **Redirect URIs / Callback** list.

   6. In the **Issuer URL** field, enter an Issuer URL to an endpoint or use
      the NexusOne search button to discover an endpoint.

   7. In the **Client ID** field, enter a client ID. This is the public identifier for the NexusOne app you
      created in the provider.

   8. In the **Client Secret** field, enter a client secret associated with the client ID.

   9. In the **Authorization URL** field, enter an authorization URL.
      This is the provider's endpoint that NexusOne directs a user's browser to so they can authenticate.

   10. In the **Token URL** field, enter a token URL.

       This is the provider's OAuth 2.0 token endpoint NexusOne speaks with to exchange the authorization
       code for tokens such as an ID token and an access token.

   11. In the **UserInfo URL** field, enter a user info URL.

       This is the provider's OpenID Connect UserInfo endpoint that NexusOne can call with an access token to
       fetch user profile claims such as an email or name, if they're not all in the token.

   12. In the **Scopes** field, enter scopes. Scopes are space-separated permissions and user information to request from the provider.

   13. From the **Sync Mode** list, select a sync mode. The sync mode determines
       how NexusOne syncs the user identities from the provider. The sync mode can be one of the following:

       * `FORCE`: NexusOne forces the sync mode.
       * `IMPORT`: NexusOne imports the user identities from the provider.
       * `INHERIT`: NexusOne inherits the user identities from the provider.
       * `LEGACY`: NexusOne uses a legacy sync mode.

   14. Select whether to validate the token signature or not. When enabled, NexusOne verifies that tokens
       were cryptographically signed by the provider.

   15. Select whether to enable Proof Key for Code Exchange (PKCE) or not.
       It reduces code interception/replay risk.

   16. Click **Next**.

6. Configure attribute mapping between the identity provider and user accounts.

   1. In the **IdP Claim** field, enter a user profile claim name.

   2. In the **User Attribute** field, enter a NexusOne user attribute to map the claim to.

   3. From the **Sync** list, select a sync option for the attribute mapping. The sync mode can be one of the following:

      * `FORCE`: NexusOne forces the sync mode.
      * `IMPORT`: NexusOne imports the user identities from the provider.
      * `INHERIT`: NexusOne inherits the user identities from the provider.

   4. In the **Group Mapping** section, enter a group name and select a sync option.

7. Click **Next**.

8. Review your configuration and then click **Create Identity Provider**.

## Additional resources

* For an overview of the Govern feature, refer to [Govern Overview](/documentation/govern/overview).
* To learn more about OIDC, refer to
  [OpenID Connect Core 1.0 incorporating errata set 2](https://openid.net/specs/openid-connect-core-1_0.html).
