Single Sign-on with OpenID Connect

See also Configuring Single Sign-on with OpenID Connect.

When using Single Sign-on with OpenID Connect, Softadmin® delegates user authentication to an OpenID Provider. In OpenID terminology, Softadmin® plays the role of the relying party (RP), while the OpenID Provider serves as the Identity Provider (IdP).

By entrusting authentication to the IdP, Softadmin® simplifies user management and enables users to utilize the same login credentials as their organization's other systems.

User information

Upon a user's login, Softadmin® retrieves user data from the Identity Provider in the form of an id token.

Softadmin® verifies that the id token is trustworthy by checking its cryptographic signature, expiry, and so on. However, since different integrations use different claims to describe their users, Softadmin® relies on a system-unique stored procedure, configured in the system setting SingleSignOnOpenIdConnectSignInProcedure, to convert the claims in the id token into a row in the SoftadminApi.User table.

If the id token does not contain sufficient information, Softadmin® can be configured to make an additional call to the IdP's UserInfo endpoint, from which some servers return additional data.
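A compact model of the flow described above, added here as an example and not Softadmin® code: it verifies an id token's algorithm, signature, issuer, audience, expiry and nonce, then maps the claims to a user row, consulting UserInfo only when the token lacks the required claims. The issuer, client id, claim-to-column mapping and the HS256 demo key are assumptions; a real relying party validates the IdP's RS256/ES256 signature against its published JWKS.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed demo values (assumptions, not Softadmin settings); a real RP uses the IdP's JWKS.
KEY = b"constructed-demo-key"
ISSUER = "https://idp.example/"   # hypothetical IdP
CLIENT_ID = "softadmin-demo"      # hypothetical client id registered at the IdP

def make_id_token(claims: dict) -> str:
    """Constructed helper: mints an HS256 id token so the example runs offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Checks alg, signature, issuer, audience, expiry and nonce; returns claims or raises."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never accept alg=none or a swapped alg
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")           # reject before trusting any claim
    claims = json.loads(b64url_decode(body))
    now = time.time() if now is None else now
    aud = [claims["aud"]] if isinstance(claims.get("aud"), str) else claims.get("aud", [])
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")          # binds the token to this login attempt
    return claims

def claims_to_user_row(claims: dict, fetch_userinfo=None) -> dict:
    """Maps claims to a user row; calls UserInfo only when required claims are missing."""
    merged = dict(claims)
    if fetch_userinfo and not all(k in merged for k in ("email", "name")):
        merged.update(fetch_userinfo())   # stands in for the IdP's UserInfo endpoint
    if "email" not in merged:
        raise ValueError("no email in id token or UserInfo")
    return {"Username": merged["sub"], "Email": merged["email"], "Name": merged.get("name", merged["email"])}
```

The `fetch_userinfo` callback is where an RP would send the access token to the UserInfo endpoint; here it is injected so the example stays offline.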

User permissions

User permissions can be controlled through:

  • The id token, where the IdP controls permissions.
  • Extra info from the UserInfo endpoint, where the IdP controls permissions.
  • Data from another integration, with the IdP just handling usernames.
  • Configuration via Softadmin menu items, with the IdP just handling usernames.

User access

Softadmin® relies on the Identity Provider to manage user access to the Softadmin® system. If this isn't feasible, the recommended approach is to:

  • Create a menu item that informs users they lack the required permissions to use the system. Include instructions on how to request permission.
  • Establish a guest user account with access solely to the aforementioned menu item.