Configure OpenID Connect for system user login
For system users signing in to the HP Insights web console
Note: This page covers OpenID Connect for system users signing in to the HP Insights web console. System users are administrators and other staff with HP Insights accounts — not the people submitting and releasing print jobs. For an overview of all SSO options for system user login, see Configure SSO for system user login. For print job authentication, see Authentication Providers.
HP Insights supports two approaches for system user SSO. This page covers both paths:
- SSO with SCIM (recommended) — System users are provisioned automatically from your identity provider based on group membership.
- Legacy SSO — OpenID Connect authentication without SCIM. System users are created and managed manually in HP Insights and must be invited before they can sign in.
Before you begin
- You have an OpenID Connect identity provider (for example, Microsoft Entra ID or Google) and permission to register applications in it.
- You have registered HP Insights as an application in your identity provider and collected the Client ID, Client Secret, and Well-Known Endpoint.
- The following redirect URIs are added to your identity provider's authorised redirect URIs list:
- https://beacon.pharos.com/connect/external/signin-openidconnect
- https://www.beacon.pharos.com/connect/external/signin-openidconnect
- You have decided whether to use SSO with SCIM or legacy OIDC SSO. If unsure, use SSO with SCIM. For help deciding, see Configure SSO for system user login.
Path A — SSO with SCIM (recommended)
For full instructions on setting up OpenID Connect SSO with automatic system user provisioning, see Configure SSO with SCIM.
Path B — Legacy SSO
Legacy SSO configures OpenID Connect authentication for system user login without SCIM provisioning. System user accounts, roles, and access groups are managed manually in HP Insights. Use this path when the number of system users is small or SCIM provisioning is not required.
Note: When Enable SSO Sign-in for System Users is enabled under Account Settings → Settings, the legacy Single Sign-on Configuration tab remains visible but is inactive and displays "This feature is not applicable."
Step 1: Configure OpenID Connect in HP Insights
- Log in to the HP Insights web console.
- Navigate to Account Settings → Single Sign-on Configuration.
- Select OpenId Connect under Provider Types.
- Enter the following details:
| Field | Description |
|---|---|
| Well-Known Endpoint | The OpenID Connect discovery document URL for your identity provider. Used to retrieve metadata automatically, including the token endpoint, supported scopes, and key material. All URLs in the discovery document must be publicly accessible. Examples: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration and https://accounts.google.com/.well-known/openid-configuration. Note: If using the common endpoint for Microsoft Entra ID, set Validate Issuer to No under Advanced Settings. Alternatively, use the tenant-specific endpoint: https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration |
| Client ID | The unique identifier assigned to your HP Insights application by your identity provider. Also called the Application ID. |
| Client Secret | The secret key used by HP Insights to authenticate when requesting tokens. Also called the Application Password. Treat this value as a password — store it securely and rotate it before it expires. |
Advanced settings
| Field | Description |
|---|---|
| Scope | The OAuth 2.0 scopes requested by HP Insights. The following scopes are requested by default: openid (required), which signals use of the OpenID Connect protocol to verify user identity; email (required), which returns the email claim used to identify the user in the web console; and profile (optional), which returns the user's name. If your identity provider uses non-standard scope names (for example, mail instead of email), contact HP Support. |
| Email JSON Key | The name of the email claim in the ID token. Default value: email. |
| Response Mode | Defines how the identity provider sends data back to HP Insights. Options: FormPost (default) or Query. |
| Response Type | Defines the type of information returned by the identity provider. Options: idToken (default), CodeIdToken, or Code. |
| Validate Issuer | Whether to validate that the user logging in comes from a known tenant. Default: Yes. Set to No when using the Microsoft Entra ID common endpoint (login.microsoftonline.com/common). |
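The following added example (not HP Insights' own code) shows what the Well-Known Endpoint, Scope, Email JSON Key and Validate Issuer settings above amount to on the relying-party side, and why the Microsoft Entra ID common endpoint fails strict issuer validation: its discovery document advertises a templated issuer containing the literal text {tenantid}, which never equals the iss claim of a real ID token. The discovery documents and token claims are constructed inline (the tenant GUID and client ID are placeholders), and the ID token's signature is assumed to have been verified already against jwks_uri.

```python
import json

REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed excerpt of the Microsoft Entra ID *common* discovery document.
# Its "issuer" is a template: the literal text "{tenantid}" is never equal
# to the "iss" claim of a real ID token, so strict issuer validation fails.
COMMON_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})
# Constructed tenant-specific document; the GUID is a placeholder, not a real tenant.
TENANT = "11111111-2222-3333-4444-555555555555"
TENANT_DISCOVERY = COMMON_DISCOVERY.replace("{tenantid}", TENANT).replace("/common/", f"/{TENANT}/")

def load_discovery(doc_json: str) -> dict:
    """Parse a discovery document and require the metadata a relying party needs."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_METADATA if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return doc

def unsupported_scopes(doc: dict, requested=("openid", "email", "profile")) -> list:
    """Requested scopes the provider does not advertise. scopes_supported is
    optional in OIDC Discovery, so its absence is treated as 'unknown', not as an error."""
    advertised = doc.get("scopes_supported")
    return [] if advertised is None else [s for s in requested if s not in advertised]

def resolve_user_email(claims: dict, doc: dict, validate_issuer=True, email_key="email") -> str:
    """Mirror the Validate Issuer and Email JSON Key settings: return the email
    the console would use to look up a system user, or raise with the reason."""
    if validate_issuer and claims.get("iss") != doc["issuer"]:
        raise ValueError(f"issuer {claims.get('iss')!r} != {doc['issuer']!r}")
    if email_key not in claims:
        raise ValueError(f"ID token has no {email_key!r} claim; keys: {sorted(claims)}")
    return claims[email_key]

# Constructed ID-token payload (signature assumed already verified via jwks_uri).
CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
          "aud": "placeholder-client-id", "email": "admin@example.com", "name": "Example Admin"}

if __name__ == "__main__":
    common, tenant = load_discovery(COMMON_DISCOVERY), load_discovery(TENANT_DISCOVERY)
    print(unsupported_scopes(common))                           # []
    print(resolve_user_email(CLAIMS, tenant))                   # admin@example.com
    print(resolve_user_email(CLAIMS, common, validate_issuer=False))
    try:
        resolve_user_email(CLAIMS, common)                      # templated issuer: fails
    except ValueError as e:
        print("common endpoint with Validate Issuer=Yes:", e)
```

Swapping email_key to a provider-specific name such as mail while the token still carries email reproduces the "no claim" failure the Email JSON Key setting exists to fix.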
Step 2: Create and invite system users
After saving the OpenID Connect configuration, create system users in HP Insights and invite them to sign in.
- Navigate to Users → System Users and click Create.
- Enter the user's name, email address, role, and access group. The email address must exactly match their primary email in the identity provider.
- Click Save.
- Select the newly created user and click Invite, then Send. The user receives an email with a link to access the web console.
Note: Newly created system users cannot sign in until they have been invited.
Configuring Single Sign-on (SSO) with OpenID Connect
This option uses token-based OpenID Connect to verify user identity. It is suitable for organizations that already have a supported OpenID Connect identity provider (for example, Office 365 or Google) and well-governed, well-known badges for user access and identity.
Prerequisites
- Register HP Insights as an application with your OpenID Connect identity provider, if you have not already done so.
- Make sure the redirect URI is added to the identity provider's "Authorized redirect URIs" list. The redirect URI (also referred to as the "reply URL" or "callback URL") is the URI to which the IdP sends responses to authentication requests.
HP EU: https://eu.insights.hpondemand.com/connect/external/signin-openidconnect
HP US: https://www.insights.hpondemand.com/connect/external/signin-openidconnect
- Gather the following details after registering the application for HP Insights:
- Client ID
- Client Secret
- Well-Known Endpoint
Step 1: Configure SSO with OpenID Connect
- Log in to the HP Insights Web Console.
- Navigate to the Account Settings > Single Sign-on Configuration tab and select OpenID Connect under Provider Types. This opens the OpenId SSO Provider Configuration page.
- Enter the following information:
| Field | Description |
|---|---|
| Well-Known Endpoint | HP Insights uses the Well-Known Endpoint (also called the "discovery document") to retrieve metadata about your identity provider and configure user authentication sessions automatically. It returns information such as the issuer name, key material, supported scopes, and token endpoint URL. See the OpenID Connect Discovery specification (https://openid.net/specs/openid-connect-discovery-1_0.html) for details. Providers publish their metadata at a well-known URL, for example https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration and https://accounts.google.com/.well-known/openid-configuration. Note: If you use https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration as the well-known endpoint, set Validate Issuer to No under Advanced Settings. Alternatively, use https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration, where {tenantid} is the tenant GUID of your Office 365 tenant. |
| Client ID | The Client ID, also called the "Application ID", is a unique identifier assigned to your application by your identity provider. |
| Client Secret | The Client Secret, also called the "Application Password", is the secret key that HP Insights uses to prove its identity when requesting a token. |
In most cases, the settings above are sufficient. However, depending on how OpenID Connect is configured in your organization, additional parameters may need to be set.
Advanced Settings
| Field | Description |
|---|---|
| Scope | The HP Insights Identity Service redirects users to the identity provider with the following scopes by default: openid (required), email (required), and profile (optional). Note: HP Insights uses the standard scopes and claims defined in OpenID Connect. If your identity provider uses customized scopes (for example, your system expects mail instead of the standard email scope), contact the operations team. |
| Email JSON Key | The name of the email claim in the ID token. The default value is email. |
| Response Mode | Defines the method used to send data back from the identity provider to HP Insights. Choose FormPost (default) or Query. |
| Response Type | Defines the type of information sent back by the identity provider to HP Insights. Choose idToken (default), CodeIdToken, or Code. |
| Validate Issuer | Checks whether the user logging in to HP Insights comes from a known tenant. Default: Yes. |
Symptom: The system user authenticates with the identity provider but cannot access the HP Insights web console.
Cause: The system user's email address in the identity provider does not match their email address in HP Insights, or the system user has not been created and invited.
Resolution: Confirm the email address in Users → System Users exactly matches the primary email in the identity provider. If the system user has not been invited, send an invitation from System Users.
Symptom: Sign-in fails with an issuer validation error.
Cause: The Microsoft Entra ID common endpoint (login.microsoftonline.com/common) is being used and Validate Issuer is set to Yes.
Resolution: Set Validate Issuer to No under Advanced Settings, or switch to the tenant-specific endpoint: https://login.microsoftonline.com/{tenantid}/v2.0/.well-known/openid-configuration where {tenantid} is your Microsoft 365 tenant GUID.
Symptom: All system user logins fail simultaneously. No individual user changes have been made.
Cause: The client secret registered in HP Insights has expired.
Resolution: Generate a new client secret in your identity provider and update the Client Secret field under Account Settings → Single Sign-on Configuration. To avoid future disruption, set a calendar reminder to rotate the secret before its expiry date.