# Custom OIDC SSO

Use this guide when your provider supports OpenID Connect but is not listed as a preset.

{/* Screenshot placeholder: /docs/images/sso/providers/custom-oidc.png */}

## Provider setup

Create a confidential web application or OAuth2/OIDC client in your identity provider and add the Lettermint OIDC callback URL from the SSO guide as an allowed redirect URI.

The provider should support:

- authorization code flow,
- client ID and client secret,
- `openid`, `email`, and `profile` scopes,
- a discovery document, or separate authorization, token, and userinfo URLs.

## Lettermint setup

In the Lettermint SSO setup screen, choose **Custom OIDC** and enter:

| Field | Description |
|-------|-------------|
| Domain | The verified email domain that should use this provider. |
| Metadata URL | The provider `.well-known/openid-configuration` URL, when available. |
| Client ID | The OIDC client ID. |
| Client secret | The OIDC client secret. |

If no metadata URL is available, enter the authorization URL, token URL, and userinfo URL manually.
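A pre-flight check of a provider's discovery document against the requirements listed under Provider setup, before the metadata URL is entered. This is an added example, not Lettermint code: the `check_discovery` helper and the `idp.example.com` documents are constructed for illustration, and it accepts either `client_secret_basic` or `client_secret_post` because this guide does not say which one Lettermint sends.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
REQUIRED_SCOPES = {"openid", "email", "profile"}
SECRET_METHODS = {"client_secret_basic", "client_secret_post"}

def check_discovery(metadata_url, doc):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if not metadata_url.endswith(WELL_KNOWN):
        problems.append("metadata URL does not end in " + WELL_KNOWN)
    # OIDC Discovery: the issuer must be the metadata URL minus the well-known suffix.
    expected = metadata_url.removesuffix(WELL_KNOWN)
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != expected:
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    for name in ENDPOINTS:
        url = urlsplit(str(doc.get(name, "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{name} is missing or not an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' (authorization code flow) not advertised")
    # scopes_supported is optional in discovery; flag it only when present and incomplete.
    scopes = doc.get("scopes_supported")
    if scopes is not None and not REQUIRED_SCOPES <= set(scopes):
        problems.append(f"scopes not advertised: {sorted(REQUIRED_SCOPES - set(scopes))}")
    # When the field is omitted, the discovery default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not SECRET_METHODS & set(methods):
        problems.append("token endpoint advertises no client-secret authentication")
    return problems

# Constructed sample documents (idp.example.com is a placeholder, not a real provider).
GOOD_URL = "https://idp.example.com/realms/acme" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.com/realms/acme",
    "authorization_endpoint": "https://idp.example.com/realms/acme/authorize",
    "token_endpoint": "https://idp.example.com/realms/acme/token",
    "userinfo_endpoint": "https://idp.example.com/realms/acme/userinfo",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}
# Same provider with four defects: wrong issuer, http token URL, no code flow, no email scope.
BAD = {**GOOD, "issuer": "https://other.example.net", "token_endpoint": "http://idp.example.com/token",
       "response_types_supported": ["id_token"], "scopes_supported": ["openid", "profile"]}

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_discovery(GOOD_URL, doc) or "OK")
```

An issuer mismatch is the finding to treat as blocking: a document whose `issuer` differs from the URL it was served from should not be trusted for the other endpoints.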

## References

- [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
