If your organization uses an OpenID Connect (OIDC) identity provider other than Azure AD or Okta (e.g., Ping Identity, OneLogin, Keycloak, Auth0, or another OIDC-compliant IdP), you can configure SSO for Devin Enterprise using a generic OIDC connection.
This guide is for customers whose identity provider is not natively supported by the Azure AD (OIDC) or Okta (OIDC) integrations. If your IdP is Azure AD or Okta, we recommend using the native integration instead, as it provides a more streamlined setup experience.

What You’ll Need

The following information is required to set up OIDC SSO for Devin. You will collect these during the setup steps below and send them to your Cognition account team in the final step.
  • Discovery URL - Your IdP’s OIDC Discovery endpoint (e.g., https://idp.example.com/.well-known/openid-configuration)
  • Client ID - The application Client ID from your IdP
  • Client Secret - The application Client Secret from your IdP
  • Identity Provider Domains - All company email domains that will authenticate through this IdP (e.g., example.com, subsidiary.example.com)
  • Scopes - The OIDC scopes to request (typically openid profile email; add groups if using IdP groups)

Setup Instructions

Step 1: Register an Application in Your IdP

In your identity provider’s admin console, create a new OIDC / OAuth 2.0 application (sometimes called a “Web Application” or “Confidential Client”) with the following settings:
| Setting | Value |
| --- | --- |
| Application Type | Web Application / Confidential Client |
| Sign-in Redirect URI (Callback URL) | https://auth.devin.ai/login/callback |
| Sign-out Redirect URI | Leave empty |
| Grant Type | Authorization Code |
| Token Endpoint Authentication | Client Secret (POST) |
After creating the application, note the Client ID and Client Secret provided by your IdP.

Step 2: Locate Your Discovery URL

Most OIDC-compliant identity providers publish an OpenID Connect Discovery document. This URL allows Devin to automatically retrieve your IdP’s authorization, token, and userinfo endpoints. The Discovery URL typically follows this pattern:
https://<your-idp-domain>/.well-known/openid-configuration
Common Discovery URL formats by provider:
  • Keycloak: https://<host>/realms/<realm>/.well-known/openid-configuration
  • Ping Identity: https://<host>/<tenant-id>/as/.well-known/openid-configuration
  • OneLogin: https://<subdomain>.onelogin.com/oidc/2/.well-known/openid-configuration
  • Auth0: https://<domain>/.well-known/openid-configuration
  • Google Workspace: https://accounts.google.com/.well-known/openid-configuration
You can verify the URL by opening it in a browser — it should return a JSON document containing fields like authorization_endpoint, token_endpoint, and issuer.
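The browser check above can be made stricter with a short script. The following is an added example, not part of the original guide or Cognition's tooling: it checks a discovery document against the settings chosen in Step 1 and the scopes from Step 3. The function name `check_discovery` and the sample document are constructed for illustration.

```python
import json
from urllib.parse import urlparse

SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of a discovery response (not taken from a real IdP).
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "userinfo_endpoint": "https://idp.example.com/userinfo",
  "response_types_supported": ["code"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "scopes_supported": ["openid", "profile", "email"]
}""")

def check_discovery(discovery_url, doc, scopes="openid profile email"):
    """Return a list of problems; an empty list means the document looks usable."""
    if not discovery_url.endswith(SUFFIX):
        return [f"URL does not end with {SUFFIX}"]
    problems = []
    # The issuer must be the discovery URL minus the well-known suffix
    # (a trailing slash is tolerated here).
    expected = discovery_url[: -len(SUFFIX)].rstrip("/")
    if str(doc.get("issuer", "")).rstrip("/") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected!r}")
    # Endpoints the guide says are read from this document.
    for field in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if urlparse(str(doc.get(field, ""))).scheme != "https":
            problems.append(f"{field} missing or not https")
    # Step 1 selects the Authorization Code grant ...
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # ... and Client Secret (POST); when the field is absent, the OIDC
    # Discovery default is client_secret_basic only.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        problems.append("client_secret_post not advertised")
    # scopes_supported is optional, so only compare when the IdP publishes it.
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in scopes.split() if s not in supported]
        if missing:
            problems.append("scopes not advertised: " + " ".join(missing))
    return problems
```

To check a real IdP, load the JSON returned by your Discovery URL and pass it as `doc` together with the scopes string you plan to send.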

Step 3: Configure Scopes

OIDC scopes control what user information Devin receives during authentication. At minimum, request the following scopes:
| Scope | Purpose | Required |
| --- | --- | --- |
| openid | Required for all OIDC flows | Yes |
| profile | Returns the user’s display name | Yes |
| email | Returns the user’s email address | Yes |
| groups | Returns the user’s group memberships (for IdP groups) | Only if using IdP groups |
Your scopes string should be: openid profile email (or openid profile email groups if using IdP groups).
Some IdPs use a different scope name for group claims (e.g., roles or a custom scope). Check your IdP’s documentation for the correct scope name that returns group membership information.

Step 4: Configure Group Claims (Required for IdP Groups)

If you want to use IdP Group Integration for role-based access control in Devin, you must configure your IdP to include group membership in the ID token or userinfo response. Without this, users will authenticate successfully but IdP groups will not be synced.
To enable IdP group syncing:
  1. In your IdP, ensure the groups scope is available for the application
  2. Configure your IdP to include a groups claim in the ID token or userinfo response
If your IdP does not include group claims by default, you may need to create a custom scope or configure a claims mapping policy. Consult your IdP’s documentation for instructions on adding group claims to OIDC tokens.
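Before sending the configuration, you can confirm that a test login against your IdP actually returns the group claim in either the ID token or the userinfo response. The following is an added example, not part of the original guide: the helper names, the claim names `name`, `email` and `groups`, and the sample token are assumptions constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_claims(id_token, userinfo, scopes, groups_claim="groups"):
    """Return (missing_claims, groups) across the ID token and userinfo response."""
    # Assumed claim names: 'name' for profile, 'email' for email,
    # groups_claim for groups (adjust if your IdP uses e.g. 'roles').
    wanted = {"profile": "name", "email": "email", "groups": groups_claim}
    merged = {**userinfo, **jwt_payload(id_token)}
    missing = [claim for scope, claim in wanted.items()
               if scope in scopes.split() and claim not in merged]
    groups = merged.get(groups_claim, [])
    if isinstance(groups, str):  # tolerate a single group sent as a string
        groups = [groups]
    return missing, sorted(groups)

# Constructed test data: an unsigned token and a userinfo body, not from a real IdP.
SAMPLE_ID_TOKEN = ".".join([
    b64url({"alg": "none"}),
    b64url({"sub": "u-123", "name": "Ada Example", "email": "ada@example.com"}),
    "",
])
SAMPLE_USERINFO = {"sub": "u-123", "groups": ["devin-admins", "engineering"]}
```

A result whose first element contains `groups` reproduces the case described above: the login itself succeeds, but there is no group membership to sync.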

Step 5: Send Configuration to Cognition

Send the following to your Cognition account team:
  1. Discovery URL (e.g., https://idp.example.com/.well-known/openid-configuration)
  2. Client ID
  3. Client Secret
  4. Identity Provider Domains (all email domains for this IdP)
  5. Scopes (e.g., openid profile email groups)
Your Cognition account team will configure the OIDC connection so that IdP groups sync automatically on each user login.

Verifying Your Setup

After your Cognition account team confirms the configuration is complete:
  1. Navigate to your Devin Enterprise URL (e.g., https://<your_subdomain>.devinenterprise.com)
  2. Click Sign in with OIDC (or the equivalent SSO button) to initiate the login flow
  3. You should be redirected to your IdP’s login page
  4. After authenticating, you should land in your Devin Enterprise organization
To verify IdP groups are working:
  1. Go to Settings > IdP Groups in the Devin webapp
  2. You should see your IdP groups listed after at least one group member has logged in
  3. Groups are synced on each login, so any membership changes in your IdP will take effect the next time a user signs in
IdP groups are fetched upon user login, so changes in group membership will require reauthentication. See IdP Group Integration for more details on configuring group-based access control.