StatusPage.me Help Center


StatusPage.me Mar 23, 2026 Status Pages

Restrict Access with a Generic OIDC Provider

Generic OIDC authentication lets you connect any standard OpenID Connect provider to your private status page. This includes Okta, Auth0, Keycloak, Ping Identity, and any other provider that supports the OIDC discovery document standard.

Visitors click Sign in with SSO, are redirected to your identity provider, and return to the status page after a successful authentication.

Prerequisite: Private status pages are available on paid plans. OIDC authentication is one of the access methods within private mode. See Private Status Pages for an overview of all access methods.


How It Works

  1. A visitor arrives at your private status page and sees the gate page
  2. They click Sign in with SSO
  3. They are redirected to your OIDC provider’s login page
  4. After authentication, the provider redirects back with an authorization code
  5. The platform exchanges the code for an ID token and validates it using the provider’s JWKS
  6. If valid, the visitor is admitted for 1 hour

The platform fetches the OIDC discovery document from {issuer}/.well-known/openid-configuration to locate the authorization and token endpoints automatically.


Prerequisites

  • A paid StatusPage.me plan
  • Access to your identity provider’s admin console to create an application
  • Your status page must have Private Mode enabled

Step 1 — Create an Application in Your Identity Provider

In your identity provider, create a new Web application (OAuth 2.0 / OIDC). The exact steps vary by provider — see the provider-specific notes below.

Set the redirect URI to:

https://<your-status-page-url>/auth/oidc/callback

Examples:

  • https://acme.statuspage.me/auth/oidc/callback
  • https://status.acme.com/auth/oidc/callback (if using a custom domain)

After creating the application, collect:

  • Issuer URL — the base URL of your provider
  • Client ID
  • Client Secret

Provider-specific notes

| Provider | Issuer URL | Notes |
|---|---|---|
| Okta | https://your-org.okta.com | Use the Okta domain (not the admin URL) |
| Auth0 | https://your-tenant.auth0.com | Use the tenant domain |
| Keycloak | https://your-host/realms/your-realm | Include the realm in the path |
| Azure AD (OIDC) | https://login.microsoftonline.com/{tenant-id}/v2.0 | Works as an alternative to the native Azure AD method |

Step 2 — Configure in StatusPage.me

  1. Go to your status page Settings → Access
  2. Make sure Private Status Page is toggled on
  3. Click Access Settings
  4. Expand Generic OIDC
  5. Toggle Enable Generic OIDC authentication on
  6. Enter the Issuer URL, Client ID, and Client Secret
  7. Click Save Access Settings, then Save Settings

The platform automatically fetches the discovery document and validates tokens using the provider’s published JWKS — no additional configuration required.


Step 3 — Test the Flow

  1. Open your status page in a private/incognito browser window
  2. You should see the gate page with a Sign in with SSO button
  3. Click it and complete the login at your identity provider
  4. After authentication, you should land on your status page

Restricting by Email Domain

After any OIDC login, you can further restrict access by email domain using the Allowed Email Domains setting. For example, if your OIDC provider allows multiple organisations, you can restrict to @yourcompany.com only.

Configure this in Access Settings → Allowed Email Domains. See Private Status Pages for details.


Troubleshooting

“Sign in with SSO” button does not appear

  • Confirm Generic OIDC is toggled on and settings are saved
  • Confirm all three fields (Issuer URL, Client ID, Client Secret) are filled in

“Authentication failed. Please try again.”

Common causes:

  • The Client Secret is incorrect or not saved
  • The Redirect URI in your identity provider doesn’t match the one used by the platform
  • The Issuer URL is incorrect — ensure it’s the base issuer URL without a trailing slash or path (unless required by your provider, e.g. Keycloak realms)

“Issuer mismatch” or “Audience mismatch” error

  • The Issuer URL must match the iss claim in the ID token exactly (no trailing slash differences)
  • The Client ID must appear in the aud claim of the ID token
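
To see which of these checks is failing, you can decode a captured ID token and compare it against your settings. The script below is an added example, not StatusPage.me's own code; the client ID, the sample tokens and the trimmed discovery document are constructed, and it only inspects claims (signature validation against the provider's JWKS remains the platform's job).

```python
import base64
import json


def decode_claims(id_token):
    """Decode a JWT payload for inspection only. No signature check is done here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(configured_issuer, client_id, discovery_doc, claims):
    """Return the reasons an issuer or audience check would fail (empty list = OK)."""
    problems = []
    # OIDC Discovery requires the document's issuer to equal the URL it was fetched for.
    if discovery_doc.get("issuer") != configured_issuer:
        problems.append("discovery issuer %r != configured %r"
                        % (discovery_doc.get("issuer"), configured_issuer))
    # Exact string comparison: a trailing slash alone is a mismatch.
    if claims.get("iss") != configured_issuer:
        problems.append("iss %r != configured %r" % (claims.get("iss"), configured_issuer))
    # aud may be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("client id %r not in aud %r" % (client_id, audiences))
    return problems


def make_sample_token(claims):
    """Build a constructed token with a fake signature (demo input, not a credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature")


# Constructed sample values; the issuer follows the Keycloak pattern from the table above.
ISSUER = "https://your-host/realms/your-realm"
CLIENT_ID = "statuspage-client"  # hypothetical client ID
DISCOVERY = {"issuer": ISSUER}   # trimmed, constructed discovery document
GOOD = make_sample_token({"iss": ISSUER, "aud": ["other-app", CLIENT_ID]})
BAD = make_sample_token({"iss": ISSUER + "/", "aud": "other-app"})

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("bad", BAD)):
        print(name, diagnose(ISSUER, CLIENT_ID, DISCOVERY, decode_claims(token)))
```

An empty list means the issuer and audience values line up; any entry names the exact pair of strings that differ.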

Discovery document not found

The platform tries to fetch {issuer}/.well-known/openid-configuration. If this URL is not reachable or returns an error, configuration will fail. Verify the issuer URL is correct and publicly accessible.

“OAuth state is invalid or expired. Please try again.”

The sign-in flow took too long or the browser state was lost. Ask the visitor to try again from the gate page.

