OpenID Connect

Alma supports the OpenID Connect standard for authenticating users. This enables Alma to exchange authentication information with your institutional identity provider (IdP), allowing a single-sign-on for the institution’s users.
When a user attempts to log in to Alma, Alma redirects to the IdP and sends an authentication request. The IdP performs a single-sign-on check, and if the user is not logged in to the IdP, a login page is displayed (this is not the Alma login page, but the IdP login screen). After the user logs in, the IdP redirects back to Alma with a token that can be used to identify the user.

Checking the Alma users

The users that are authenticated by the IdP should also exist in Alma. They will usually be defined as external, as their information usually exists as part of the IdP and is synchronized in Alma on a regular basis.
These users in Alma MUST have an identifier, unique cross institution, that holds the information that was defined as a match point. This is in order to find them in Alma, after they were authenticated in the IdP.
In order to have that identifier, you need to make sure that during import and synchronization from the SIS system, the users have this identifier. See SIS for more details.

Activating authentication using OpenID Connect

In order to activate the authentication, the following steps should be done:

  1. Define an app in the IdP – see Defining an Auth0 app for example.
  2. Create integration profile in Alma – see OLH for more details.
  3. Define “Social/OpenID Connect” as an authentication option in PrimoVE.
  4. For authentication upon login to Alma (for staff users), use the following URL: <Alma base URL>/social. For example:, or for institution-specific domain names.