SAP-docs · Yusuf-Uzun · Mar 17, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/docs/configuration-parameters-1830bca.md b/docs/configuration-parameters-1830bca.md
@@ -176,6 +176,28 @@ The time in days until data \(see [Ingest Observability Data](ingest-observabili
 <tr>
 <td valign="top">
 
+oidc
+
+</td>
+<td valign="top">
+
+No
+
+</td>
+<td valign="top">
+
+[oidc](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_oidc)
+
+</td>
+<td valign="top">
+
+Configures the OIDC Integration to authenticate in dashboards.
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
 saml
 
 </td>
@@ -186,7 +208,7 @@ No
 </td>
 <td valign="top">
 
-[saml](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_nrv_sjx_jzb) 
+[saml](configuration-parameters-1830bca.md#loio1830bca1b060484e9cfabc0e62472e8e__table_nrv_sjx_jzb)
 
 </td>
 <td valign="top">
@@ -488,6 +510,228 @@ Enables ingestion over the OpenTelemetry Protocol. Defaults to `false`. For more
 
 
 
+<a name="loio1830bca1b060484e9cfabc0e62472e8e__table_oidc"/>
+
+## Configuration Parameters for `oidc`
+
+Configuration options for OIDC Integration. For more information refer to [OIDC Integration](integrate-sap-cloud-identity-services-oidc.md).
+
+
+<table>
+<tr>
+<th valign="top">
+
+Name
+
+</th>
+<th valign="top">
+
+Required
+
+</th>
+<th valign="top">
+
+Type
+
+</th>
+<th valign="top">
+
+Description
+
+</th>
+</tr>
+<tr>
+<td valign="top">
+
+enabled
+
+</td>
+<td valign="top">
+
+Yes
+
+</td>
+<td valign="top">
+
+Boolean
+
+</td>
+<td valign="top">
+
+Set to `true` to enable OpenID Connect authentication.
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+admin\_group
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The OpenID group that you want to grant administrative access to. It will have permissions to modify the security module. Required if *enabled* is set to `true`.
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+roles\_key
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The key in the JSON payload that stores the user's roles. The value of this key must be a comma-separated list of roles. For example: `groups` or `roles`. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: Configure OpenID Connect integration](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+subject\_key
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The key in the JSON payload that stores the user's name. For example: `email` or `last_name`. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: Configure OpenID Connect integration](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+openid\_connect\_url
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+URL
+
+</td>
+<td valign="top">
+
+The URL of your IdP where the security plugin can find the OpenID Connect metadata/configuration settings. Usually ends in `/.well-known/openid-configuration`. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: OpenID Connect URL](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+openid\_client\_id
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The ID of the OpenID Connect client configured in your IdP. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: OpenID Connect Configuration](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+openid\_client\_secret
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The client secret of the OpenID Connect client configured in your IdP. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: OpenID Connect Configuration](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+openid\_scopes
+
+</td>
+<td valign="top">
+
+Required
+
+</td>
+<td valign="top">
+
+String
+
+</td>
+<td valign="top">
+
+The scope of the identity token issued by the IdP. Space-separated string list if more than one. For example: `"openid"`. Required if *enabled* is set to `true`.
+
+[OpenSearch docs: OpenID Connect Configuration](https://opensearch.org/docs/latest/security/authentication-backends/openid-connect/)
+
+</td>
+</tr>
+</table>
+
+
+
 <a name="loio1830bca1b060484e9cfabc0e62472e8e__section_m4y_p1n_lzb"/>
 
 ## Configuration Parameters for `saml`

diff --git a/docs/integrate-sap-cloud-identity-services-oidc.md b/docs/integrate-sap-cloud-identity-services-oidc.md
@@ -0,0 +1,125 @@
+# Integrate SAP Cloud Identity Services - Identity Authentication OpenID Connect with SAP Cloud Logging
+
+> ## Caution:  
+> Ensure that you consider the [SAP BTP Security Recommendation BTP-CLS-0001](https://help.sap.com/docs/btp/sap-btp-security-recommendations-c8a9bb59fe624f0981efa0eff2497d7d/sap-btp-security-recommendations?seclist-index=BTP-CLS-0001&version=Cloud).
+
+This explains how to integrate with SAP Cloud Identity Services - Identity Authentication OpenID Connect. It results in changes in the Identity Authentication tenant and a corresponding OIDC configuration to be used for creating or updating SAP Cloud Logging instances. Access to the Identity Authentication administration console as an administrator is a prerequisite.
+
+> ## Note:  
+> We recommend you integrate with Identity Authentication. You can also integrate with other OIDC providers, but there will be no support or documentation.
+
+> ## Note:  
+> You can reuse the resulting OIDC configuration for multiple instances of SAP Cloud Logging.
+
+
+
+## Obtain OpenID Connect IdP Information
+
+Obtain OpenID Connect Identity Provider \(IdP\) Information based on the [Identity Authorization guide](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/create-openid-connect-application). Use the console URL to access the tenant’s administration console for the Identity Authentication service. The URL has a `https://<tenantID>.accounts.ondemand.com/admin` pattern.
+
+-   Note down the `openid_connect_url` information as `https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration` 
+
+
+
+## Create an OpenID Connect application
+
+Create an OpenID Connect application in your Identity Authentication account based on the [Identity Authorization guide](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/create-openid-connect-application). Create OpenID client secrets based on the [Configuration Guide](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/auth-configure-secrets-for-api-authentication)
+
+
+
+## Configure the OpenID Connect application
+
+Go to *Applications & Resources*, choose *Applications*, and select your application from the list. Then perform the following steps to configure the OpenID Connect application within Identity Authentication:
+
+1.  [Configure a Self-Defined Attribute](https://help.sap.com/docs/identity-authentication/identity-authentication/user-attributes?version=Cloud) with *Name* "groups," *Source* "Identity Directory," and *Value* "All Groups."
+2.  [Configure Default Name ID Format](https://help.sap.com/docs/identity-authentication/identity-authentication/configure-subject-name-identifier-sent-to-application?version=Cloud) to *E-mail*.
+3.  Select *OpenID Connect Configuration* and *Configure Manually*.
+    -   This step can only be done after an SAP Cloud Logging instance has been created and has to be repeated for each new service instance.
+        -   Set `Redirect URI` to the OpenSearch Dashboards URL plus`/auth/openid/login`.
+        -   Set `Single Logout Endpoint`: Set binding to HTTP\_REDIRECT and the URL must be the OpenSearch Dashboards URL without any path.
+        -   To store the configuration, click *Save* .
+
+
+
+
+
+## Create a Group and Assign Users
+
+-   [Create a group](https://help.sap.com/docs/identity-authentication/identity-authentication/create-new-user-group) that you intend to use for administrative access to SAP Cloud Logging instances and provide the name of this group as the input value for `admin_group` during the OIDC configuration. This group gets administrative access in OpenSearch. It has permission to modify the security module.
+
+    > ## Note:  
+    > The login procedure forwards Identity Authentication group names to OpenSearch as backend roles. Backend roles can map to OpenSearch roles that grant permissions to the users assigned to the respective Identity Authentication groups. The configuration parameter `admin_group` is mapped automatically to the "all\_access" role
+
+-   [Add users to the group](https://help.sap.com/docs/identity-authentication/identity-authentication/add-users-to-group) who should have admin access. Users can be added or removed at any time.
+
+
+
+## Compose OIDC Configuration Parameters
+
+Compose OIDC configuration parameters to be used for service instance creation or updates:
+
+
+<table>
+<tr>
+<th valign="top">
+
+OIDC Configuration Template
+
+</th>
+<th valign="top">
+
+Parameterization
+
+</th>
+</tr>
+<tr>
+<td valign="top" rowspan="5">
+
+```
+"oidc": {
+    "enabled": true,
+    "roles_key": "groups",
+    "admin_group": "MY_ADMIN_ROLE",
+    "subject_key": "mail",
+    "openid_connect_url": "https://MY-OPENID-CONNECT-URL/.well-known/openid-configuration",
+    "openid_scopes": "openid",
+    "openid_client_id": "MY-CLIENT-ID",
+    "openid_client_secret": "MY-CLIENT-SECRET"
+  }
+
+```
+
+
+
+</td>
+<td valign="top">
+
+Set IdP information `openid_connect_url` \(e.g.: `https://myaccount.accounts.ondemand.com/.well-known/openid-configuration`\).
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+Set `openid_client_id` and `openid_client_secret` from the Create an OpenID Connect application step.
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+Set `admin_group` to the name of the group created in the Create a Group and Assign Users step.
+
+</td>
+</tr>
+<tr>
+<td valign="top">
+
+Optionally, set `openid_scopes` as a space-separated string list if more than one scope is required \(e.g.: `"openid profile address"`\).
+
+</td>
+</tr>
+</table>
+
+See [Configuring Applications](https://help.sap.com/docs/identity-authentication/identity-authentication/configuring-applications) in Identity Authentication Service.
+