User Authentication Setup

FlightIQ can delegate user login to PingOne with OpenID Connect. This login application is separate from the worker application used by the backend for PingOne API calls.

Use this guide when FlightIQ is running in a mode that requires users to sign in.

What the Login App Does

The login app authenticates FlightIQ users in the browser. It does not perform backend API work. Backend API calls still use the worker app configured in Access & Authentication > Tenant Configuration.

The login app controls:

  • User sign-in.
  • Redirect back to FlightIQ.
  • OpenID Connect discovery.
  • Token validation.
  • User identity used by FlightIQ access checks.

What You Need

Collect these values from PingOne:

  • Auth Base URL, usually https://auth.pingone.com.
  • Login app client ID.
  • Login app client secret.
  • Redirect URI.
  • Scopes, usually openid.

FlightIQ derives the default redirect URI from the active app URL:

https://your-flightiq-host.example.com/auth/callback

For local development, the derived redirect URI is usually:

http://localhost:5173/auth/callback

Create or Identify the PingOne Login App

In PingOne, create or identify an application for user sign-in.

Recommended setup:

  1. Use a dedicated OpenID Connect application for FlightIQ users.
  2. Add the FlightIQ redirect URI to the app's allowed redirect URIs.
  3. Configure the app to issue the openid scope at minimum.
  4. Use your PingOne policies for SSO, MFA, and user access.
  5. Store the client secret securely.

Do not use the worker app as the login app. The login app is for interactive user authentication.

Configure FlightIQ

In FlightIQ, use either the startup Configure Tenant page shown when authentication settings are missing, or open Settings > Access & Authentication after the app is already running.

If you are already in the main app, open Settings and select Access & Authentication. Then:

  1. In User Authentication Settings (Login App), enter the Auth Base URL, client ID, redirect URI, client secret, and scopes.
  2. Click Save.
  3. Click Test Authentication Settings.

A successful test confirms FlightIQ can resolve the issuer, authorization endpoint, token endpoint, and JWKS URI.

When the startup setup page is shown, complete this login app section before relying on user sign-in.

Redirect URI Rules

The redirect URI in PingOne must exactly match the URI saved in FlightIQ.

Check:

  • Scheme: http vs https.
  • Hostname.
  • Port.
  • Path: /auth/callback.
  • Trailing slash behavior.

In production, use the public HTTPS URL users use to access FlightIQ.
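
The checks above can be run as a script before saving either side. This is an added example, not part of FlightIQ or PingOne; the function name diff_redirect_uris and the sample URIs are constructed for illustration. It reports each component that differs and flags plain http on a non-local host.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # development-only hosts


def diff_redirect_uris(pingone_uri, flightiq_uri):
    """List every difference; an empty list means an exact match."""
    a, b = urlsplit(pingone_uri), urlsplit(flightiq_uri)
    findings = []
    if a.scheme != b.scheme:
        findings.append(f"scheme: {a.scheme} vs {b.scheme}")
    if a.hostname != b.hostname:
        findings.append(f"hostname: {a.hostname} vs {b.hostname}")
    # An explicit default port (:443) is still a different string from no port.
    if a.port != b.port:
        findings.append(f"port: {a.port} vs {b.port}")
    if a.path.rstrip("/") != b.path.rstrip("/"):
        findings.append(f"path: {a.path} vs {b.path}")
    elif a.path != b.path:
        findings.append(f"trailing slash: {a.path} vs {b.path}")
    # urlsplit lowercases scheme and host, so catch what the parts hide.
    if not findings and pingone_uri != flightiq_uri:
        findings.append("other: case, query, fragment or whitespace differs")
    # Production should use the public HTTPS URL; http is for local dev only.
    for label, u in (("PingOne", a), ("FlightIQ", b)):
        if u.scheme == "http" and u.hostname not in LOCAL_HOSTS:
            findings.append(f"{label}: http on non-local host {u.hostname}")
    return findings


if __name__ == "__main__":
    # Constructed sample pairs: (URI saved in PingOne, URI saved in FlightIQ)
    host = "your-flightiq-host.example.com"
    pairs = [
        (f"https://{host}/auth/callback", f"https://{host}/auth/callback"),
        (f"https://{host}/auth/callback/", f"https://{host}/auth/callback"),
        (f"https://{host}:443/auth/callback", f"https://{host}/auth/callback"),
        ("http://localhost:5173/auth/callback", "http://localhost:3000/auth/callback"),
    ]
    for pingone, flightiq in pairs:
        print(pingone, "|", flightiq, "->",
              diff_redirect_uris(pingone, flightiq) or "exact match")
```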

Startup Behavior

When login is required, FlightIQ validates authentication settings at startup. If settings are missing or invalid, FlightIQ shows setup guidance instead of letting users enter a partially configured app.

Troubleshooting

Authentication Test Fails

Check:

  • Auth Base URL is correct for your PingOne region.
  • Client ID and secret belong to the login app.
  • Redirect URI is saved in PingOne.
  • Scopes are allowed by the login app.
  • The login app is enabled.

Login Redirect Fails

Check:

  • FlightIQ and PingOne use the exact same redirect URI.
  • Browser URL matches the configured production or development host.
  • HTTPS termination is configured correctly in production.
  • Cookies are not blocked by browser policy.

User Logs In But Cannot Access Data

User login confirms identity. Domain access still depends on PingOne roles, FlightIQ security mode, and the backend worker app permissions.

Check:

  • User assignments include the selected environment.
  • User roles allow the requested domain.
  • Worker app credentials can access the same domain.