UI Authentication and Authorization

Overview of authentication options in the Omnium UI and how roles are managed across identity providers.

Overview

Omnium supports multiple authentication providers, allowing you to integrate with your preferred identity platform while maintaining consistent role-based access control.

Supported identity providers:

  • Azure AD B2C (default)
  • Azure AD / Entra ID
  • Auth0

In all setups, users and roles can also be managed directly via the Omnium API, giving you full control over your access model.


Azure AD B2C (Default)

Azure AD B2C is the default authentication provider for Omnium. It handles user authentication and password management. There are no custom role mappings or tenant-level configurations available for this option.


SSO and Role Synchronization (Entra ID and Auth0)

For enterprise setups using Azure AD (Entra ID) or Auth0, Omnium supports Single Sign-On (SSO) through OpenID Connect (OIDC) with automatic role synchronization.

This approach ensures that user access is always consistent with your identity provider (IdP), while keeping authorization logic close to where it belongs - inside Omnium.

What Happens During Login

When a user signs in through your IdP, Omnium automatically:

  • Verifies the user’s identity through OpenID Connect
  • Retrieves basic profile information (name, email, object ID, etc.)
  • Reads assigned roles or groups from the IdP token
  • Validates whether the user should have access to Omnium
  • Creates or updates the user in Omnium on demand

This means users and roles stay synchronized naturally through the normal login process without requiring separate provisioning steps.

Role Management and Access Control

While your IdP defines who the user is and what roles they belong to, Omnium defines what those roles mean.

For example:
A group called ReturnAdmins in Entra ID might correspond to an Omnium role with full access to the return interface.
Omnium can then link that role to specific stores, markets, or additional permissions.

The IdP handles identity and role membership, while Omnium determines what those roles mean in terms of access to stores, markets, and functionality.

Integration with External Systems

Omnium provides an API for managing users and roles. This allows organizations to automate user updates or synchronize access data from external systems when tighter integration is required.

See API documentation:
https://apitest.omnium.no/documentation/index.html#/Users


Azure AD / Entra ID

Roles in Omnium are matched by name with App Roles defined in your Entra ID Enterprise Application.

  1. In your Enterprise Application for Omnium, define App Roles such as:
    • OrderManagersNorway
    • ProductManagersSweden
    • PromotionsManagers
    • CustomerService
  2. Assign these roles to users or groups in Entra ID.
    Groups can include both internal Entra ID users and external (B2B) users.
  3. When a user signs in, the assigned roles are included in the ID token (roles claim).
  4. Omnium reads the role claims and matches them by name with roles that already exist in Omnium.

Create the corresponding roles in Omnium to define which stores, markets, and components users can access. This allows role- and group-based assignments in Entra ID to automatically grant the correct access inside Omnium.

Example:

Azure Role:  OrderManagersNorway
Omnium Role: OrderManagersNorway (this role can then be linked to markets, stores, or even other roles)

By syncing roles from Entra ID, you avoid having to manually assign roles to each user in Omnium — the mapping happens automatically at login based on role names.


Auth0

Auth0 is also supported and includes Single Sign-On (SSO) support through OpenID Connect. Omnium reads the roles claim from the Auth0-issued token and matches it with existing roles defined in Omnium.

Configuration:

  • Make sure the Auth0 application includes a custom claim for roles in the ID token or access token (for example: https://yourdomain.com/roles)
  • Roles in Auth0 must match role names that already exist in Omnium
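
The name-based matching described above for Entra ID App Roles and for the Auth0 roles claim, as an added Python illustration (not Omnium's code). Exact, case-sensitive matching, the deny-when-nothing-matches policy and the function names are assumptions; the claims are taken to come from a token that has already been validated.

```python
# Added illustration: models the name-based role matching described on this
# page. It is not Omnium's code. Claims are assumed to come from a token whose
# signature, issuer and audience were already validated by the OIDC layer.

ENTRA_ROLES_CLAIM = "roles"                         # claim named on this page
AUTH0_ROLES_CLAIM = "https://yourdomain.com/roles"  # page's example namespace


def roles_from_claims(claims, claim_name):
    """Return the role names carried in one claim as a list of strings."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):  # tolerate a custom claim set to one string
        value = [value]
    return [r for r in value if isinstance(r, str) and r]


def match_roles(token_roles, omnium_roles):
    """Split token roles into exact matches, near misses and unknown names.

    Assumption: matching is exact and case-sensitive. Near misses (same name
    after trimming and case-folding) are reported for the administrator and
    never granted.
    """
    existing = set(omnium_roles)
    folded = {name.strip().casefold(): name for name in existing}
    result = {"granted": [], "near_miss": [], "unknown": []}
    for role in token_roles:
        key = role.strip().casefold()
        if role in existing:
            result["granted"].append(role)
        elif key in folded:
            result["near_miss"].append((role, folded[key]))
        else:
            result["unknown"].append(role)
    return result


def access_decision(claims, claim_name, omnium_roles):
    """Assumed policy: a user with no matching role gets no access."""
    result = match_roles(roles_from_claims(claims, claim_name), omnium_roles)
    result["allow"] = bool(result["granted"])
    return result


# Constructed sample data (role names taken from the list on this page).
OMNIUM_ROLES = ["OrderManagersNorway", "PromotionsManagers", "CustomerService"]
ENTRA_CLAIMS = {"roles": ["OrderManagersNorway", "customerservice"]}
AUTH0_CLAIMS = {AUTH0_ROLES_CLAIM: "ProductManagersSweden"}
```

Running the same comparison over the role names defined in the IdP before go-live surfaces names that have no exact counterpart among the roles created in Omnium.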

User and Role Management via API

All users, roles, and permissions can also be managed via the Omnium API. This allows full programmatic control and can be used to integrate with external IAM or HR systems for automated user and role management.

API documentation: https://apitest.omnium.no/documentation/index.html#/Users

You can:

  • Create, update, or deactivate users
  • Assign or remove roles
  • Manage linked roles and permissions
  • Integrate with external IAM or HR systems for automated provisioning

Tip: On each user object, roles are represented as a flat list of strings under the Roles property. Market and store roles follow naming conventions:

  • Market roles: prefixed with market-
  • Store roles: prefixed with store-

Security Model

Authentication and authorization are handled separately in Omnium.

  • User authentication is performed by your identity provider (for example, Entra ID or Auth0) using OpenID Connect.
  • Omnium manages authorization internally and evaluates what each role can access.
  • Roles define access to specific functionality, stores, markets, and other entities in the Omnium domain model.
  • These roles can be created and managed in Omnium, while the assignment of users to roles can be automated through Entra ID or Auth0.
  • When using Azure AD B2C, role assignment and access control are managed entirely inside Omnium.
  • There are no additional credentials or provisioning endpoints — all access is controlled through your IdP and Omnium itself.

For details about role configuration and granular access rights, see Roles, access rights, and users.

Note: If you are interested in setting up SSO for your organization, please contact Omnium Support and we’ll help you with the configuration.
