Configuring Single Sign-on with OpenID Connect

See Single Sign-on with OpenID connect for a more general overview.

When OpenID Connect sign-in is used, the Softadmin® system takes the role of the relying party (RP), and the OpenID Provider (OP) takes the role of the identity provider (IdP).

In this document, Softadmin® refers to the Softadmin® system being configured, and IdP refers to the OpenID Provider.

Information that needs to be exchanged

The Softadmin® administrator will need these values from the OpenID administrator:

  • Metadata URL.
  • Client ID and Client Secret.
  • Which scopes other than openid to request, if any.

The OpenID administrator will need these values from the Softadmin® administrator:

  • Redirect URI

The OpenID administrator may need to know which flow Softadmin® uses. The answer is always the authorization code flow (response_type=code): the user's browser is redirected to the IdP, comes back to Softadmin® with a one-time code, and Softadmin® exchanges that code for tokens in a direct call to the IdP.

In addition, the two may need to agree on which claims should be passed to the Softadmin® system in the id_token.

Explanation of terms

Metadata URL

This is the URL from which Softadmin® downloads all information about the OpenID Provider, including the URLs its endpoints are reachable at and the public keys used to verify the signature on the tokens it issues.

It usually ends with /.well-known/openid-configuration. Since every endpoint and key Softadmin® trusts is derived from this document, the URL should use https and come from the OpenID administrator rather than be guessed.

Client ID and Client Secret

Equivalent to a username and password. Softadmin® presents them when it calls the OpenID Provider's endpoints, for example when exchanging the code for an id_token. Treat the client secret like any other password.

Scopes

Scopes define which information about the end user (and possibly which permissions beyond information) Softadmin® requests from the IdP.

Softadmin® always requests the openid scope. Common additional scopes are email and profile, but ask the OpenID administrator which other scopes you should request; requesting more than the sign-in procedure needs only widens what the IdP hands out.

Redirect URI

The redirect URI is where Softadmin® wants the OpenID Provider to send users after they have authenticated. The IdP compares it character for character against the value registered for the client, so it is case sensitive and must be copied exactly, query string included.

It usually ends with LoginPostback?op=xxxxxx where op is a unique ID that Softadmin® has assigned to the IdP.

id_token

A signed JSON Web Token (JWT) carrying claims about the authenticated user, which Softadmin® receives from the IdP after exchanging the code and passes on to the sign-in procedure. Which claims it contains is what the two administrators agree on above.
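The code flow and the terms above, as one added example that is not Softadmin® code: a minimal relying party that reads the discovery document, builds the authorization request with a fresh state and nonce, checks the postback to the redirect URI, and validates the id_token before trusting its claims. The discovery document, client ID, client secret, redirect URI and op value are constructed samples. To stay dependency-free the id_token is signed with HS256 using the client secret, which OpenID Connect permits; most IdPs use RS256 with keys fetched from jwks_uri, which needs a JOSE library but the same claim checks.

```python
"""Relying-party side of the OpenID Connect code flow, standard library only.

Added example, not Softadmin® code. Assumptions:
- DISCOVERY is a constructed sample of what the metadata URL returns
- the id_token is HS256-signed with the client secret (RS256 + jwks_uri in practice)
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of the metadata document (hypothetical hostnames).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}
CLIENT_ID = "softadmin-client"                      # hypothetical
CLIENT_SECRET = "correct-horse-battery-staple"      # hypothetical; treat as a password
REDIRECT_URI = "https://softadmin.example.com/LoginPostback?op=abc123"  # hypothetical op


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def build_authorization_url(extra_scopes=("email", "profile")):
    """Step 1: the URL the browser is sent to. state and nonce are fresh per
    login and must be kept server-side for the checks in steps 2 and 3."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",       # the code flow, always
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must equal the registered value exactly
        "scope": " ".join(("openid",) + tuple(extra_scopes)),
        "state": state,
        "nonce": nonce,
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def parse_postback(url: str, expected_state: str) -> str:
    """Step 2: browser returns to the redirect URI with ?code=...&state=...
    The postback is rejected unless state matches what was stored."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    return q["code"][0]


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Step 3: after the code is exchanged at token_endpoint (client ID and
    secret as credentials) an id_token arrives. Verify before trusting it."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never accept "none" or a surprise alg
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed id_token")
    return claims


def make_id_token(claims: dict, secret=CLIENT_SECRET, alg="HS256") -> str:
    """Stand-in for the IdP: mints an HS256 id_token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    url, state, nonce = build_authorization_url()
    print("send browser to:", url)
    code = parse_postback(f"{REDIRECT_URI}&code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    # ... POST code + client credentials to token_endpoint; the IdP answers with an id_token ...
    tok = make_id_token({"iss": DISCOVERY["issuer"], "sub": "u123", "aud": CLIENT_ID,
                         "exp": int(time.time()) + 300, "nonce": nonce, "email": "a@example.com"})
    print("claims handed to the sign-in procedure:", validate_id_token(tok, nonce))
```

The state check is what stops an attacker from completing a login in the victim's browser with a code of their own, and the nonce check is what ties the id_token to the request Softadmin® actually made; both values are per-login secrets, never constants.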

Configuring the Softadmin® system

Go to Admin -> Single Sign-on -> OpenID Connect.

Under the System settings tab

  1. Set SingleSignOn to OpenID Connect.
  2. Set SingleSignOnOpenIdConnectSignInProcedure to the name of the procedure that will receive the id_token.

Under the OpenID Identity Providers tab

  1. Create a new identity provider.
    1. Enter the metadata URL.
    2. Create new Credentials and store the client ID and client secret in them. If you have not received them yet, enter dummy values for now and update the credentials later.
    3. Fill in any extra scopes to request.
    4. Unless you'll be using multiple identity providers, mark this one primary.
  2. In the grid, copy the Postback URL column for your new identity provider. This is the redirect URI that the IdP needs.

Configuring the Identity Provider

Exactly how an IdP is configured depends on what software is used, but you will need to:

  1. Create a client ID and client secret for Softadmin®.
  2. Configure the Redirect URI, using the Postback URL copied from Softadmin® exactly as shown.

You may need to:

  1. Configure which scopes Softadmin has access to.
  2. Configure which claims to include in the id token.

Configuring networks

  • Softadmin® needs to reach the IdP.
  • The IdP does not need to reach Softadmin®: in the code flow it is Softadmin® that calls the IdP's token endpoint, and the user's browser that carries the redirect back.
  • End-users need to reach both Softadmin® and the IdP.