
OpenID Connect Verification in Signhost

Connect your own Identity Provider to Signhost using OIDC

Updated today

What is OIDC verification in Signhost?

With OIDC verification (OpenID Connect), a signer can identify themselves through an identity provider (IdP) already used by your organization. This verification takes place during the signing of a document.

The results of this verification are added to the evidence of the digital signature and are visible in the transaction receipt. This increases the strength and reliability of the signature.

Examples of OIDC verification:

  • Logging in with your corporate IdP

  • Logging in via a national eID platform that supports OIDC


What information is required to configure an OIDC connector?

To activate an OIDC verification method in Signhost, we kindly request the information listed below.

Note: This information should be considered confidential; therefore, we use a secure environment to exchange it.

  • OIDC Authority URL

The issuer or authority endpoint of your provider (e.g., https://login.example.com/oidc).

Note: This must be the base URL where the well‑known discovery is available: /.well-known/openid-configuration.

  • Provider Name

The name displayed to signers in the verification screen.

  • Client ID

The unique identifier of your OIDC application, available in the application registration of your identity provider.

  • Client secret / shared secret

The secret generated by your identity provider for the same application registration.

  • Scopes

Specify the OIDC scopes you want to allow (e.g., openid, email, profile).
The default is openid. If additional scopes are needed for your use case, include them.

  • Logo (optional, SVG)

Displayed on the verification-method selection page.


Support for PKCE

Signhost uses PKCE (Proof Key for Code Exchange).
Ensure your OIDC client is configured as public or confidential with PKCE support.
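
A pre-flight check for the values listed above, as an added example that is not Signhost code: it compares a provider's discovery document with the Authority URL, the requested scopes and the PKCE requirement before you submit them. The function names and the sample document are constructed for illustration; in practice the document is the JSON served at the URL that discovery_url returns.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document; not taken from a real provider.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://login.example.com/oidc",
  "authorization_endpoint": "https://login.example.com/oidc/authorize",
  "token_endpoint": "https://login.example.com/oidc/token",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "email", "profile"],
  "code_challenge_methods_supported": ["S256"]
}
""")


def discovery_url(authority):
    """Where the discovery document for this Authority URL must be served."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_connector(authority, scopes, doc):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    if urlsplit(authority).scheme != "https":
        problems.append("authority URL is not https")
    # OIDC Discovery: the issuer value must be identical to the URL the
    # document was discovered under, or ID token 'iss' checks fail later.
    if doc.get("issuer") != authority:
        problems.append("issuer does not match authority URL")
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(key + " missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # Metadata field from RFC 8414; S256 is the PKCE method to look for.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    if "openid" not in scopes:
        problems.append("'openid' scope is required for OIDC")
    # scopes_supported is optional; only compare when the provider lists it.
    unsupported = sorted(set(scopes) - set(doc.get("scopes_supported", scopes)))
    if unsupported:
        problems.append("scopes not advertised: " + ", ".join(unsupported))
    return problems
```

A provider that omits code_challenge_methods_supported may still accept PKCE, so treat that finding as a prompt to check the client registration rather than as proof of a misconfiguration.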


What does Signhost provide after configuration?

Once we have configured the connector, you will receive the following information from us. Add this to your configuration.

  • Signin URL

The URL to which we redirect the signer to log in with your identity provider.

  • Signout URL

The endpoint for logging out after the authentication flow ends.

  • Authentication Scheme ID

The unique identifier of your verification scheme within Signhost.

  • Short Provider Name

This shortened name can be used to ensure the signer is not given a choice but is directed to this specific OpenID provider.


How do I use the OIDC verification method in my implementation?

After receiving the Signin URL, Signout URL, and Scheme ID, you can include the verification method in your existing Signhost flow and pass it along when creating a transaction.

  • In the web portal, under verification method selection, choose “OpenID Providers”. Optionally, you can provide the Short Provider Name to force the use of a specific provider.

  • In the API, you can supply the verification method “OpenID Providers”, and optionally specify the Short Provider Name using ProviderName.

After successful signing, the data obtained via the requested scopes is included in the transaction receipt, becoming part of the evidential value of the digital signature.
