SSO FAQs
This page collects frequently asked questions about single sign-on (SSO) setup with Infosum.
1. General SSO Information
Q: Which OIDC Authorization Flow does Infosum support?
A: Infosum supports the Authorization Code Flow with PKCE (Proof Key for Code Exchange). The specific code challenge method used is SHA256 (S256).
2. User Identification & Attributes
Q: What is the recommended primary attribute for user identification in Infosum?
A: We usually recommend "email" as the primary attribute on the ID token. However, you can use "GlobalID" as the primary attribute, provided that "email" is also present on the token claim and matches the user's sign-in email.
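The rule above (email as the usual primary attribute; GlobalID allowed only when an email claim is also present and matches the sign-in address) expressed as a small claim-resolution check. This is an added example, not Infosum's code; the claim name "GlobalID", the sample token claims and the case-insensitive email comparison are assumptions made for the illustration, and the claims are assumed to come from an ID token whose signature has already been verified.

```python
# Constructed sample: claims from a decoded, signature-verified ID token.
# The claim name "GlobalID" follows the FAQ wording; your IDP's actual claim
# name may differ and is an assumption here.
SAMPLE_CLAIMS = {
    "sub": "idp|1234",
    "email": "Jane.Doe@example.com",
    "GlobalID": "G-00042",
    "name": "Jane Doe",
}


class IdentityError(ValueError):
    """Raised when the ID token cannot be mapped to an Infosum account."""


def _normalise_email(value: str) -> str:
    # Design choice for this example: compare addresses case-insensitively and
    # without surrounding whitespace. The raw value is kept for display.
    return value.strip().lower()


def resolve_user_identity(claims: dict, primary_attribute: str, signin_email: str) -> dict:
    """Return the identity the account would be keyed on, or raise IdentityError.

    Rules taken from the FAQ:
      * "email" is the usual primary attribute.
      * "GlobalID" may be the primary attribute only if "email" is also present
        on the token and matches the address the user signed in with.
    """
    if primary_attribute not in ("email", "GlobalID"):
        raise IdentityError(f"unsupported primary attribute: {primary_attribute}")

    email = claims.get("email")
    if not email or not isinstance(email, str):
        raise IdentityError("ID token is missing the required 'email' claim")
    if _normalise_email(email) != _normalise_email(signin_email):
        raise IdentityError("'email' claim does not match the sign-in email")

    if primary_attribute == "GlobalID":
        global_id = claims.get("GlobalID")
        if not global_id:
            raise IdentityError("primary attribute 'GlobalID' is absent from the ID token")
        key = str(global_id)
    else:
        key = _normalise_email(email)

    return {
        "primary_attribute": primary_attribute,
        "key": key,
        "email": email,
        "display_name": claims.get("name"),
    }


def identity_error_for(claims: dict, primary_attribute: str, signin_email: str):
    """Return the error message instead of raising (useful for logging and tests)."""
    try:
        resolve_user_identity(claims, primary_attribute, signin_email)
        return None
    except IdentityError as exc:
        return str(exc)


if __name__ == "__main__":
    print(resolve_user_identity(SAMPLE_CLAIMS, "email", "jane.doe@example.com"))
    print(resolve_user_identity(SAMPLE_CLAIMS, "GlobalID", "jane.doe@example.com"))
    print(identity_error_for(SAMPLE_CLAIMS, "GlobalID", "someone.else@example.com"))
```

The email mismatch is rejected even when GlobalID is the primary attribute, which is the point of the FAQ's condition: the email claim is what ties the IDP identity to the address the platform will later use to contact the user.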
Q: Why is the email address a required attribute for SSO?
A: The email address is crucial because the Infosum platform may need to email the user for certain functions (e.g., account lockout notifications).
Q: What attributes/scopes are required for SSO setup?
A: The required OIDC scopes are:
- openid: This scope is required to indicate that the application is using OpenID Connect.
- profile: Used to pre-populate the user's name in Infosum.
- email: Confirms the user's email for account association and is needed for potential platform communication.
- offline_access: Allows Infosum to issue users with both a short-lived access token and a refresh token. This enables Infosum to obtain new access tokens from your IDP without requiring the user to re-enter the full OAuth flow, verifying their account validity.
3. User Provisioning & Deprovisioning
Q: How does user provisioning work with SSO?
A: User provisioning for Infosum is Just-In-Time (JIT). An account is automatically created on the Infosum platform when a new user successfully logs in through your SSO provider for the first time.
Q: Is there an automatic deprovisioning process (e.g., based on user inactivity)?
A: No, there is no semi-automated deprovisioning (e.g., based on inactivity rules). Infosum removes or offboards users from the platform only at the explicit request of the client.
Q: How does manual user deprovisioning work?
A: The manual deprovisioning process is as follows:
- Customer Ownership/Visibility: Your company's "Owner" users (company administrators) have full visibility of all users in their company account and can manage roles/permissions.
- Leaver Identification: The customer is responsible for identifying leavers or users whose access should be revoked (Infosum does not have visibility of customer HR events). Owners should periodically review the user list.
- Deprovisioning Request: The Owner (or authorized customer contact) submits a de-provisioning request via the Infosum Support Portal (ticketed workflow), specifying the user(s) to disable/remove and any role updates required.
- Access Removal: Infosum Support executes the change according to the request (disabling the user account and/or removing roles/permissions). Completion is confirmed in the support ticket.
- Auditability/Governance: All actions are logged and ticketed for auditing purposes.
- Note: If a user's access to your SSO is revoked on your identity provider, they will no longer be able to log in to Infosum, even if their account isn't explicitly deleted on the Infosum side.
4. Impact of Switching to SSO & User Deletion
Q: Will existing users need to be recreated when we switch to SSO?
A: Yes, any existing users within the Infosum platform will need to be deleted before SSO can be fully activated.
Q: What is the impact of deleting and recreating users when switching to SSO or deprovisioning?
A:
- Collaborations, Audiences, Segments: Resources created within collaborations (e.g., activation queries, audiences, segments) are stored at a company level and will not be affected.
- Bunkers: Bunkers are also held at a company account level and will not be affected.
- Automations: Automations are stored at a user level and will need to be recreated if the user is deleted and subsequently re-provisioned via SSO.
- User Access: Once a user is deleted from Infosum or their access is revoked via your SSO, they will no longer be able to sign into the Infosum platform.
5. SSO Setup & Configuration Details
Q: What information does Infosum provide for SSO setup?
A: Infosum will provide you with the following details when you are ready for implementation:
- Callback/Redirect URL
- Login URL
Q: What information do we need to provide to Infosum for SSO setup?
A: You will need to supply Infosum with the following information:
- Client ID: This is obtained from the configuration page of your IDP.
- Client Secret: As this is sensitive information, we recommend using an open-source message encryption service that allows for one-time viewing of the message (e.g., YoPass or OneTimeSecret). Send the generated link to support@infosum.com and share the decryption key separately to sso.setup@infosum.com.
- OIDC Discovery URI: This is also known as the Discovery Document or OpenID Connect metadata document. It publishes the configuration details (endpoints, signing keys and supported features) needed to integrate with your IDP.
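Before handing over a Discovery URI, it is worth checking that the document behind it advertises what this integration needs: an authorization and token endpoint, a JWKS URI, the authorization code response type, the S256 PKCE method, and the four scopes listed in section 2. The pre-flight check below is an added example and not Infosum's code; the discovery document is a constructed sample with placeholder hostnames, not any real IDP's metadata.

```python
import json

# Constructed sample of what GET <issuer>/.well-known/openid-configuration returns.
# Hostnames and paths are placeholders, not a real IDP's values.
SAMPLE_DISCOVERY_JSON = """
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "code_challenge_methods_supported": ["plain", "S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "claims_supported": ["sub", "email", "name"]
}
"""

# What the integration described in this FAQ needs from the IDP.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
HTTPS_ONLY_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "profile", "email", "offline_access"}


def check_discovery_document(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the IDP advertises everything needed."""
    problems = []

    for key in REQUIRED_KEYS:
        if not doc.get(key):
            problems.append(f"missing '{key}'")

    # These endpoints carry authorization codes, tokens and the client secret,
    # so anything other than HTTPS is a finding.
    for key in HTTPS_ONLY_KEYS:
        url = doc.get(key) or ""
        if url and not url.startswith("https://"):
            problems.append(f"'{key}' is not https")

    # The issuer in the document must be the one the URI was derived from;
    # a mismatch means tokens would be validated against the wrong issuer.
    if doc.get("issuer") and doc["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported (Authorization Code Flow needed)")

    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")

    # scopes_supported is recommended rather than required in OIDC Discovery,
    # so only report missing scopes when the IDP actually lists them.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        missing = REQUIRED_SCOPES - set(advertised)
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))

    return problems


def check_discovery_json(text: str, expected_issuer: str) -> list:
    """Parse the raw JSON document and run the checks."""
    return check_discovery_document(json.loads(text), expected_issuer)


if __name__ == "__main__":
    print(check_discovery_json(SAMPLE_DISCOVERY_JSON, "https://idp.example.com"))
```

An empty result is a good sign but not proof: some IDPs omit optional fields such as `scopes_supported` or `code_challenge_methods_supported` while still supporting the feature, so a missing advertisement should prompt a question to the IDP administrator rather than an automatic rejection.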
Q: Is a Client Secret required even when using PKCE?
A: Yes, Infosum requires a Client Secret even when using PKCE. Infosum uses both PKCE and a Client Secret as this combination enhances the overall security of the integration.
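The Authorization Code Flow with PKCE and S256 from section 1, together with the answer above that a confidential client still sends its Client Secret, shown end to end on the client side: generating the code verifier and challenge, building the authorization request, and building the back-channel token request that carries both `client_secret` and `code_verifier`. This is an added example and not Infosum's implementation; the endpoint URLs, client identifier and secret are placeholders, and the verifier/challenge pair used for the self-check is the published test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Test vector from RFC 7636 Appendix B (not a secret; used only to self-check S256).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    # RFC 7636 Appendix A: base64url encoding with the '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, the minimum length
    # RFC 7636 allows. Generated fresh per login and kept only on the client.
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    # The IDP's check at the token endpoint. Constant-time comparison avoids
    # leaking how many leading characters matched.
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, nonce: str, verifier: str) -> str:
    # Front-channel request: only the challenge travels through the browser.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email offline_access",
        "state": state,
        "nonce": nonce,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params)


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str, verifier: str) -> dict:
    # Back-channel POST body. A confidential client sends BOTH the client secret
    # (proving which client it is) and the code verifier (proving it is the same
    # party that started this particular authorization request).
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Placeholder values: these are assumptions, not real Infosum or IDP settings.
    verifier = make_code_verifier()
    url = build_authorization_url("https://idp.example.com/oauth2/authorize", "CLIENT_ID_PLACEHOLDER",
                                  "https://app.example.com/callback", secrets.token_urlsafe(16),
                                  secrets.token_urlsafe(16), verifier)
    print(url)
    print(build_token_request("CODE_FROM_CALLBACK", "CLIENT_ID_PLACEHOLDER",
                              "CLIENT_SECRET_PLACEHOLDER", "https://app.example.com/callback", verifier))
    print(make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
```

The two proofs cover different risks: the secret stops an unregistered party from redeeming codes at all, while the verifier stops a party that intercepts a code in the front channel from redeeming it, since the verifier never leaves the client until the back-channel token request.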