Authentication - UI

Overview of authentication and authorization options in the Omnium UI and how roles are managed across identity providers.

Overview

Omnium supports multiple authentication providers, allowing you to integrate with your preferred identity platform while maintaining consistent role-based access control.

Supported identity providers:

  • Azure AD B2C (default)
  • Entra ID
  • Auth0

In all setups, users and roles can also be managed directly via the Omnium API, giving you full control over your access model.


Azure AD B2C (Default)

Azure AD B2C is the default authentication provider and login for Omnium. It handles user authentication and password management. There are no custom role mappings or tenant-level configurations available for this option.


Entra ID

Omnium supports Single Sign-On (SSO) with Entra ID through OpenID Connect (OIDC).

Setup

To set up SSO with Entra ID, the following information is required from your organization:

Parameter      Description
TenantId       Your Entra ID tenant ID
ClientId       The Application (client) ID of the app registration
ClientSecret   A client secret generated for the app registration

Your organization is responsible for:

  • Creating the App Registration in Entra ID
  • Generating the Client Secret
  • Configuring the Redirect URI in the App Registration
  • Providing the above values to Omnium

Redirect URI: In your App Registration, add a Redirect URI pointing to your Omnium environment:

https://your-brand-name.omnium.no/signin-oidc

Replace your-brand-name with your actual Omnium subdomain.

Once configured, users from your organization can sign in using their existing Entra ID credentials.

User and Role Provisioning

For automatic user and role synchronization with Entra ID, use SCIM 2.0 provisioning.

See Automatic User Management with SCIM 2.0 for setup instructions.


Auth0

Omnium supports Single Sign-On (SSO) with Auth0 through OpenID Connect (OIDC).

Setup

To set up SSO with Auth0, the following information is required from your organization:

Parameter      Description
Domain         Your Auth0 domain (e.g., your-tenant.eu.auth0.com)
ClientId       The Application client ID
ClientSecret   The Application client secret

Your organization is responsible for:

  • Creating the Application in Auth0
  • Generating the Client Secret
  • Configuring the Callback URL in the Application settings
  • Providing the above values to Omnium

Callback URL: In your Auth0 Application settings, add the Callback URL pointing to your Omnium environment:

https://your-brand-name.omnium.no/callback

Replace your-brand-name with your actual Omnium subdomain.

Once configured, users from your organization can sign in using their existing Auth0 credentials.

User and Role Provisioning

For automatic user and role synchronization with Auth0, use SCIM 2.0 provisioning.

See Automatic User Management with SCIM 2.0 for setup instructions.


User and Role Management via API

All users, roles, and permissions can also be managed via the Omnium API. This allows full programmatic control and can be used to integrate with external IAM or HR systems for automated user and role management.

API documentation: https://apitest.omnium.no/documentation/index.html#/Users

You can:

  • Create, update, or deactivate users
  • Assign or remove roles
  • Manage linked roles and permissions
  • Integrate with external IAM or HR systems for automated provisioning

Tip: On each user object, roles are represented as a flat list of strings under the Roles property. Market and store roles follow naming conventions:

  • Market roles: prefixed with market-
  • Store roles: prefixed with store-
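
As an added illustration (not Omnium's own code), the sketch below plans role changes for one user from an external IAM or HR feed, touching only the market- and store- roles and leaving every other role as assigned. The role names, the sample user and exact, case-sensitive prefix matching are assumptions; only the Roles property and the two prefixes come from this page.

```python
MANAGED_PREFIXES = ("market-", "store-")  # naming conventions from this page


def scope_of(role):
    """Return 'market' or 'store' for a scoped role, 'other' for anything else."""
    for prefix in MANAGED_PREFIXES:
        # A bare prefix with no name after it is not a usable scoped role.
        if role.startswith(prefix) and len(role) > len(prefix):
            return prefix.rstrip("-")
    return "other"


def plan_role_changes(user, desired_scoped_roles):
    """Diff the user's market-/store- roles against the external feed.

    Roles outside the two prefixes are never added or removed, so the feed
    cannot grant or revoke functional roles.
    """
    current = set(user.get("Roles") or [])
    desired = set(desired_scoped_roles)

    unscoped = sorted(r for r in desired if scope_of(r) == "other")
    if unscoped:
        raise ValueError(f"feed may only set market-/store- roles: {unscoped}")

    current_scoped = {r for r in current if scope_of(r) != "other"}
    return {
        "add": sorted(desired - current_scoped),
        "remove": sorted(current_scoped - desired),
        "roles": sorted((current - current_scoped) | desired),
    }


if __name__ == "__main__":
    # Constructed sample user; only the Roles property is taken from the page.
    sample_user = {"Roles": ["OrderAdmin", "market-no", "store-oslo"]}
    print(plan_role_changes(sample_user, ["market-no", "store-bergen"]))
```

The "roles" list in the result is the full flat list to write back to the user's Roles property.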

Security Model

Authentication and authorization are handled separately in Omnium.

  • User authentication is performed by your identity provider (for example, Entra ID or Auth0) using OpenID Connect.
  • Omnium manages authorization internally and evaluates what each role can access.
  • Roles define access to specific functionality, stores, markets, and other entities in the Omnium domain model.
  • User and role provisioning can be automated using SCIM 2.0.
  • Without SCIM, users must be invited or created in Omnium before they can sign in. Role assignment is managed entirely inside Omnium.

For details about role configuration and granular access rights, see Roles, access rights, and users.


Forced Sign-In Frequency

Omnium supports forced sign-in frequency to control how often users must re-authenticate when accessing specific areas of the application. This feature enforces periodic credential verification, even when users have an active SSO session with their identity provider.

This feature works with all supported authentication providers (Azure AD B2C, Entra ID, and Auth0).

How It Works

  • Omnium tracks the time since each user's last authentication
  • When accessing areas configured with "Enforce sign-in frequency", users who exceed the configured timeout are required to sign in again
  • The identity provider is instructed to prompt for credentials, bypassing any existing SSO session
  • After successful authentication, the user is returned to their original location and the timeout resets
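
The steps above, sketched from the relying party's side as an added example that is not Omnium's implementation. It assumes the standard OpenID Connect request parameters prompt=login and max_age and the auth_time ID token claim; the authorize endpoint, client ID, state and nonce values are placeholders supplied by the caller.

```python
import time
from urllib.parse import urlencode

MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 1, 120  # range from the Timeout setting


def timeout_seconds(timeout_minutes):
    if not MIN_TIMEOUT_MIN <= timeout_minutes <= MAX_TIMEOUT_MIN:
        raise ValueError("timeout must be between 1 and 120 minutes")
    return timeout_minutes * 60


def reauth_required(last_auth_time, timeout_minutes, now=None):
    """True when the time since the last authentication exceeds the timeout."""
    now = time.time() if now is None else now
    return now - last_auth_time > timeout_seconds(timeout_minutes)


def build_reauth_url(authorize_endpoint, client_id, redirect_uri, state, nonce,
                     timeout_minutes):
    """Authorization request asking the IdP to prompt despite an SSO session."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "login",  # assumption: standard OIDC way to force a prompt
        "max_age": timeout_seconds(timeout_minutes),  # asks for auth_time claim
    }
    return authorize_endpoint + "?" + urlencode(params)


def login_is_fresh(id_token_claims, timeout_minutes, now=None, skew=60):
    """Check auth_time on an ID token whose signature was already verified.

    Request parameters pass through the browser and can be altered there, so
    the application enforces freshness itself instead of trusting the request.
    """
    now = time.time() if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False  # missing or malformed claim is treated as stale
    if auth_time > now + skew:
        return False  # claims to be from the future
    return now - auth_time <= timeout_seconds(timeout_minutes) + skew
```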

Configuration

Forced sign-in frequency is configured at two levels:

1. Global Settings

Navigate to Administration → Settings → Advanced Settings:

Setting                           Default      Description
Enable forced sign-in frequency   Off          Activates the feature
Timeout                           30 minutes   Time since last authentication before re-authentication is required (1-120 minutes)

2. Per-Component Settings

Once enabled globally, control which components require sign-in frequency. By default, no components require this:

  • Navigate to Administration → Authorization
  • Select a component
  • In the Settings tab, toggle Enforce sign-in frequency

What Happens During Re-Authentication

  • Omnium requests a fresh login from the identity provider
  • Your organization's authentication policies (including MFA requirements) apply during re-authentication
  • This provides an additional layer of session control on top of any Conditional Access or session lifetime policies configured in your identity provider

To set up SSO for your organization: Contact Omnium Support with your identity provider details and we will configure the integration for your environment.
