OpenID Connect (OIDC) is a federated identity protocol: an identity layer built on top of OAuth 2.0. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server. OIDC is the only protocol we support.
An Identity Provider (IDP) is an OAuth 2.0 authorization server that offers authentication as a service: it ensures the end-user is authenticated. Examples are Google, Ping, Azure and Okta.
The End User, Identity Provider (IDP), and Application are the main participants.
User Flow:
- The end-user navigates to a predetermined login page (e.g. accounts.infosum.com/login/google).
- This URL redirects to the IDP with a callback URL and a CSRF token.
- The user attempts to log in; if successful, the IDP sends them to the callback URL with an authorization code.
- The application checks the CSRF token for integrity and then exchanges the authorization code for an ID token and an access token.
- The access token is validated.
- The ID token is used to get more detail about the user.
- If the user exists, a session cookie is set and they are redirected to the Application.
- If the user does not exist, a login ID and a user profile are created, and then the previous step is performed.
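The security-relevant checks in steps 2 to 6 of the flow above, as an added Python example that is not InfoSum's code: the CSRF token is the OAuth `state` parameter, stored server-side per browser session and accepted only once; the ID token is verified (signature, issuer from the discovery document, audience, expiry, nonce) before any claim in it is trusted; and the user's email is accepted only if the IDP marks it verified and its domain is one of the customer's registered Email Domains. The client ID, issuer, callback URL, domain list and HS256 signing key are constructed placeholders; a real IDP publishes RS256 keys through its JWKS endpoint and the signature check would use those instead.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example, not real InfoSum or IDP data.
CLIENT_ID = "example-client-id"
ISSUER = "https://idp.example.com"        # "issuer" from the discovery document
CALLBACK = "https://accounts.example.com/login/callback"
ALLOWED_DOMAINS = {"customer.example"}    # the customer's registered "Email Domains"
IDP_KEY = b"demo-signing-key"             # stand-in for the IDP's key; real IDPs publish RS256 keys via JWKS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign(head: str, body: str) -> bytes:   # HS256 over the JWT signing input
    return hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def new_login_session() -> dict:
    """Values stored server-side before redirecting to the IDP: state (the CSRF token) and nonce."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}

def check_callback(session: dict, callback_url: str) -> str:
    """Reject the callback unless its state equals the single-use value stored for this session."""
    qs = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", "")       # pop: a state value can only be consumed once
    if not expected or not hmac.compare_digest(qs.get("state", [""])[0], expected):
        raise ValueError("state mismatch (possible login CSRF)")
    return qs["code"][0]    # authorization code, exchanged at the token endpoint for ID + access tokens

def mint_id_token(claims: dict) -> str:   # stand-in for the IDP's token endpoint (constructed for the test)
    head, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head, body))}"

def validate_id_token(session: dict, id_token: str, now: int) -> dict:
    """Verify signature, iss, aud, exp, nonce and email domain before trusting anything in the token."""
    head, body, sig = id_token.split(".")
    if not hmac.compare_digest(b64url_decode(sig), sign(head, body)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    domain = str(claims.get("email", "")).rsplit("@", 1)[-1].lower()
    for ok, msg in [
        (claims.get("iss") == ISSUER, "issuer mismatch"),
        (claims.get("aud") == CLIENT_ID, "audience mismatch"),
        (claims.get("exp", 0) > now, "ID token expired"),
        (claims.get("nonce", "") == session.pop("nonce", None), "nonce mismatch (possible replay)"),
        (bool(claims.get("email_verified")) and domain in ALLOWED_DOMAINS, "email unverified or domain not registered"),
    ]:
        if not ok:
            raise ValueError(msg)
    return claims
```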
Implementation:
- The customer provides the name of their IDP/SSO provider to Infosum.
- Infosum creates an ID connector on our end.
- Infosum provides the following information to the customer:
  - Redirect or Callback URL - This is where the IDP sends authentication responses.
  - Login URL - The URL of the login page.
- The customer provides Infosum with the following information:
  - Client ID - This is obtained from the configuration page of your identity provider.
  - Client secret - As above. This field is sensitive, so be mindful when copying it around. The secret is encrypted in the database.
  - Discovery URI (also known as the Discovery Document) - This is a URL that lists the configuration needed to work with the identity provider. It is always found at https://<idp-hostname>/.well-known/openid-configuration, where <idp-hostname> is the hostname of the IDP.
  - Email Domains - All email domains that the customer wants to associate with their ID provider.
  - Image URL - This field is optional. If it is provided, the image will appear on the sign-in page.
- The customer's ID provider is then configured in the Infosum platform.
Note: Infosum doesn’t have a sandbox configuration for customer interactions. However, we are very happy to build a connector for the customer's sandbox account to support testing. Once everything works as expected, Infosum deletes the sandbox connector and creates the production one.