OpenID Connect (OIDC) is a federated identity protocol: an identity layer built on top of OAuth 2.0. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server. OIDC is the only protocol we support.
An Identity Provider (IDP) is an OAuth 2.0 authorization server that offers authentication as a service: it ensures the end-user is authenticated and vouches for their identity to the application. Examples are Google, Ping, Azure and Okta. InfoSum currently supports only one IDP per company.
The End-User, the Identity Provider (IDP), and the Application (InfoSum, acting as the OIDC Relying Party) are the main participants.
- End-user navigates to a predetermined login page (e.g. accounts.infosum.com/login/google).
- The application redirects the browser to the IDP's authorization endpoint with the callback URL and a freshly generated CSRF token (the OAuth 2.0 state parameter); the same token is stored server-side against the user's session.
- The user attempts to log in at the IDP. If successful, the IDP sends the browser back to the callback URL with a short-lived authorization code and the same state value.
- The application checks that the returned CSRF token matches the one it stored (rejecting the request otherwise) and then exchanges the authorization code, together with its client ID and client secret, at the IDP's token endpoint for an ID token and an access token.
- The ID token is validated: its signature is checked against the IDP's published signing keys, and its issuer, audience (the client ID) and expiry are checked before any claim in it is trusted.
- The claims in the ID token (and, where more detail is needed, the IDP's userinfo endpoint, called with the access token) are used to get more detail about the user, such as their email address.
- If the user exists, a session cookie is set, and they are redirected to the Application.
- If the user does not exist, a login ID and a user profile are created. Then the above step is performed.
- Customer provides the name of their IDP/SSO provider to InfoSum.
- InfoSum creates an ID connector on its end.
- InfoSum provides the below information to the customer, who registers it with their IDP as a new client application:
- Redirect or Callback URL - This is where the IDP sends authentication responses. Register it exactly as given; IDPs match redirect URLs strictly.
- Login URL - The page end-users start from to sign in.
- The customer needs to provide InfoSum with the following information:
- Client ID - This is obtained from the configuration page of your identity provider.
- Client secret - As above. This value is sensitive: share it over a secure channel rather than in plain email or tickets, and rotate it at the IDP if it is ever exposed. The secret is encrypted in the database.
- Discovery URI (also known as the Discovery Document) - This is a URL that lists the configuration the connector needs to talk to the identity provider (authorization, token and userinfo endpoints, signing keys, supported algorithms). It is always at the fixed location https://<idp-hostname>/.well-known/openid-configuration, where <idp-hostname> is the hostname of the IDP.
- Email Domains - All email domains that the customer wants to associate with their ID provider.
- Image URL - This field is optional. If it is provided, this image will appear on the sign-in page.
- The customer's ID provider is then configured in the InfoSum platform.
Note: InfoSum doesn’t have a sandbox configuration for customer interactions. However, we are very happy to build a connector for the customer's sandbox account to support testing. Once everything works as expected, InfoSum deletes the sandbox connector and creates the production one.
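The login flow and the connector settings above, worked through as an added example (this is illustrative code written for this page, not InfoSum's implementation). It assumes a hypothetical IDP at idp.example.com with a constructed discovery document, a hypothetical client ID, callback URL and email domain, and, to keep it runnable offline, a stand-in for the IDP's token endpoint that issues HS256-signed ID tokens keyed on the client secret; a real connector would fetch the discovery document, POST the code to the token endpoint over HTTPS, and verify RS256 signatures against the keys at jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document for a hypothetical IDP (idp.example.com); a real one is
# fetched from https://<idp-hostname>/.well-known/openid-configuration.
DISCOVERY_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}
# Hypothetical connector settings (the values the customer and InfoSum exchange).
CLIENT_ID = "infosum-connector"
CLIENT_SECRET = "shared-client-secret"  # assumption: ID tokens are HS256-signed with the client secret
CALLBACK_URL = "https://accounts.infosum.com/callback/example"
EMAIL_DOMAINS = {"example.com"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(session: dict) -> str:
    """Steps 1-2: mint a CSRF token (OAuth 'state') and a nonce, keep them server-side, redirect to the IDP."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL,
              "scope": "openid email profile", "state": session["state"], "nonce": session["nonce"]}
    return DISCOVERY_DOC["authorization_endpoint"] + "?" + urlencode(params)


def fake_idp_issue_id_token(sub: str, email: str, nonce: str, ttl: int = 300) -> str:
    """Stand-in for the IDP's token endpoint: constructs a signed ID token for this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": DISCOVERY_DOC["issuer"], "aud": CLIENT_ID, "sub": sub, "email": email,
              "nonce": nonce, "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str) -> dict:
    """Step 8: check signature, issuer, audience, expiry and nonce before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick 'none' or another algorithm
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != DISCOVERY_DOC["issuer"]:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed token)")
    return claims


def handle_callback(session: dict, callback_url: str, exchange_code, users: dict) -> dict:
    """Steps 5-11: verify state, swap the code for tokens, validate, then look up or create the user."""
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("state", None)  # single use: a replayed callback fails here
    received_state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(expected_state.encode(), received_state.encode()):
        raise ValueError("state mismatch: possible CSRF")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    tokens = exchange_code(code)  # production: POST code + client credentials to DISCOVERY_DOC["token_endpoint"]
    claims = validate_id_token(tokens["id_token"], session.pop("nonce", None))
    email = claims["email"].lower()
    if email.rsplit("@", 1)[-1] not in EMAIL_DOMAINS:
        raise ValueError("email domain not associated with this IDP")
    key = (claims["iss"], claims["sub"])  # identity key is issuer + subject, never the mutable email
    if key not in users:
        users[key] = {"email": email, "created": True}  # step 11: first login creates the profile
    else:
        users[key]["created"] = False
    session["user"] = key  # step 10: the session is now authenticated; set the cookie and redirect
    return users[key]
```

The state value is popped from the session before comparison so a second delivery of the same callback cannot succeed, and the user record is keyed on issuer plus subject rather than email, because email addresses can change at the IDP while the subject identifier is stable.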
The Single Sign-On (SSO) integration you can access depends on your InfoSum plan, because not all InfoSum Platform features come as standard. Please contact firstname.lastname@example.org for details.
Enabling SSO for existing users
To enable SSO for existing Platform users who sign in with a username and password, their accounts must be deleted and re-created, because migrating a user from one login method to another while keeping their account is not currently supported. When an account is deleted, all of its Bunkers become owned by the company, so no data is lost. However, the user's company roles/rights and any settings or feature flags are not carried over and must be recreated once they re-register their new account using SSO.