Single Sign-On

OpenID Connect (OIDC) is a federated identity protocol: an identity layer built on top of OAuth 2.0. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server. OIDC is the only protocol we support.

An Identity Provider (IDP) is an OAuth 2.0 authorization server that offers authentication as a service. It ensures the end-user is authenticated. Examples include Google, Ping, Azure and Okta.

The End User, Identity Provider (IDP), and Application are the main participants.

User Flow:

  • The end-user navigates to a predetermined login page (e.g. accounts.infosum.com/login/google).
  • That page redirects the browser to the IDP, passing the callback URL and a CSRF token (the OIDC state parameter).
  • The user attempts to log in at the IDP; if successful, they are sent to the callback URL with an access code.
  • The application checks the CSRF token for integrity, then exchanges the access code for an ID token and an access token.
  • The access token is validated.
  • The ID token is used to get more detail about the user.
  • If the user exists, a session cookie is set and they are redirected to the Application.
  • If the user does not exist, a login ID and a user profile are created first, and then the step above is performed.

Implementation:

  1. The customer provides the name of their IDP/SSO provider to Infosum.
  2. Infosum creates an ID connector on our end.
  3. Infosum provides the following information to the customer:
      1. Redirect or Callback URL - where the IDP sends authentication responses.
      2. Login URL - the login page URL.
  4. The customer provides Infosum with the following information:
      1. Client ID - obtained from the configuration page of your identity provider.
      2. Client secret - as above. This field is sensitive, so be mindful when copying it around. The secret is encrypted in the database.
      3. Discover URI (also known as the Discovery Document) - a URL that lists the configuration the identity provider needs to operate. It is published at the fixed location https://<idp-hostname>/.well-known/openid-configuration, where <idp-hostname> is the hostname of the IDP.
      4. Email Domains - all email domains the customer wants to associate with their ID provider.
      5. Image URL - optional. If provided, this image appears on the sign-in page.
  5. The customer's ID provider is then configured in the Infosum platform.
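The following Python program is an added example, not Infosum's own connector code, that walks the user flow above with the settings from the implementation steps: it loads a discovery document (checking that its issuer matches the .well-known URL it came from), builds the redirect to the IDP with a CSRF/state token and a nonce, checks the state on the callback, shows the token-endpoint request that exchanges the access code, and validates the returned ID token (signature, issuer, audience, expiry, nonce). The client ID, client secret, callback path, IDP hostname and discovery document are all constructed values, and the IDP itself is simulated by a local signing function. The ID token is signed with HS256 using the client secret as the key, which OIDC permits; most IDPs sign with RS256 and the verifier would instead use the key fetched from the discovery document's jwks_uri, with the claim checks unchanged.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values; a real connector gets these from the customer (implementation step 4).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # also the HS256 key for ID tokens in this example
CALLBACK_URL = "https://accounts.infosum.com/callback/google"  # assumed callback path
DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
DISCOVERY_BODY = json.dumps({  # constructed discovery document with the fields this flow needs
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
})


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def load_discovery(url: str, body: str) -> dict:
    """Parse the discovery document and check it describes the IDP it was fetched from."""
    doc = json.loads(body)
    suffix = "/.well-known/openid-configuration"
    if not url.endswith(suffix) or doc.get("issuer") != url[: -len(suffix)]:
        raise ValueError("issuer does not match the discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IDP does not support the authorization code flow")
    return doc


def build_login_redirect(doc: dict, session: dict) -> str:
    """Redirect to the IDP with the callback URL and a fresh CSRF (state) token plus a nonce."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL,
              "scope": "openid email profile", "state": session["oidc_state"],
              "nonce": session["oidc_nonce"]}
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> str:
    """Check the CSRF token before trusting the access code the IDP sent back."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)  # one-time use: a replayed callback fails
    got = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(got, expected):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"IDP returned error {query['error'][0]}")
    return query["code"][0]


def token_request(doc: dict, code: str) -> tuple:
    """Endpoint and form body POSTed to exchange the access code for ID and access tokens."""
    return doc["token_endpoint"], {"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": CALLBACK_URL, "client_id": CLIENT_ID,
                                   "client_secret": CLIENT_SECRET}


def validate_id_token(token: str, doc: dict, session: dict, now: float = None) -> dict:
    """Verify signature, issuer, audience, expiry and nonce before using any claim."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # never accept "none"; RS256 would verify against jwks_uri
        raise ValueError(f"unexpected alg {header.get('alg')}")
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{head_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected_sig):
        raise ValueError("bad ID token signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != session.pop("oidc_nonce", None):
        raise ValueError("nonce mismatch")
    return claims


def mint_id_token(claims: dict) -> str:
    """Constructed stand-in for the IDP's token endpoint: HS256-sign claims with the client secret."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def run_flow() -> dict:
    """Walk the user flow end to end against the simulated IDP and return the verified claims."""
    doc = load_discovery(DISCOVERY_URL, DISCOVERY_BODY)
    session = {}
    state = parse_qs(urlparse(build_login_redirect(doc, session)).query)["state"][0]
    # The IDP authenticates the user and sends them to the callback URL (simulated here).
    code = handle_callback(f"{CALLBACK_URL}?code=constructed-code-123&state={state}", session)
    endpoint, body = token_request(doc, code)
    assert endpoint == doc["token_endpoint"] and body["code"] == code
    id_token = mint_id_token({"iss": doc["issuer"], "sub": "user-42", "aud": CLIENT_ID,
                              "email": "alice@example.com", "exp": int(time.time()) + 300,
                              "nonce": session["oidc_nonce"]})
    return validate_id_token(id_token, doc, session)


if __name__ == "__main__":
    print(run_flow())
```

The state value is popped from the session on first use, so a callback that is replayed or arrives without a matching state is rejected before the code is ever exchanged; the same pattern with the nonce ties the ID token to the login attempt that requested it.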

Note: Infosum doesn’t have a sandbox configuration for customer interactions. However, we are very happy to build a connector for the customer's sandbox account to support testing. Once everything works as expected, Infosum deletes the sandbox connector and creates the production one.