WebsiteBlogLogin

Single Sign-On (SSO) with OpenID Connect

Note that you'll only see this section if you have Admin or Owner user permissions. Learn more about permissions in this article.

Overview

OpenID Connect (OIDC) is an open standard that provides user authentication features. It uses an external identity provider (IdP) to authenticate the user and enable single sign-on (SSO). It builds on top of OAuth 2.0, adding authentication capabilities to the authorization framework. Essentially, OIDC enables Single Sign-On (SSO) by delegating authentication to a trusted identity provider.

OpenID Connect satisfies requirements for identity and access in the following ways:

  • Authentication - The service provider agrees to trust the identity provider to authenticate users.

  • Authorization - Upon request, the identity provider generates an authentication assertion. This means that the user has been successfully authenticated, and the service provider can grant the user access to certain systems or content.

Enable Onum as a service provider

If you're an admin user, follow these steps to activate OpenID Connect authentication for the users in your tenant:

1

Open the global settings menu by clicking your user icon at the bottom left of the screen.

2

Click any of the options and select Authentication in the menu that appears.

3

Once there, click the Configure Single-Sign-On button.

4

In the window that appears, you must choose the required Grant type. The OAuth framework specifies several grant types for different use cases. You can choose between:

  • Code flow - This grant type is used to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

  • Implicit flow - The implicit flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps, where the access token was returned immediately without an extra authorization code exchange step.

5

Then, you'll be prompted to enter the following information provided by your identity provider:

  • Client ID - This is the public identifier for your app.

  • Issuer (URL) - URL of the OpenID provider's authorization server.

  • Client secret - Secret used to authenticate your app. This will only be requested if you select the Code flow grant type.

6

Click Save once you're done. You'll be given the following URLs:

  • Home URL - This is the main entry point for the users in your tenant. This is where users will land after they log in, or where they’re redirected if they visit the app directly.

  • Callback URL - This is the endpoint that the OpenID provider redirects to after a user successfully logs in. It’s where Onum receives the authorization code needed to complete the login process.

Note that the Callback URL must be registered with the OpenID provider, or the login flow will be blocked for security reasons.

You have now set Single Sign-On authentication in your tenant. You can click Reset configuration if you did something wrong or need to update any information.

Sign in with Single Sign-On authentication

Once you have activated Single Sign-On authentication in your tenant, users will see a Sign in with SSO button in their Onum login screens.

They will need to enter the Tenant slug, which will redirect users to their identity provider and complete the login flow properly. This is the part that comes after sso= in the provided Home URL. Users must be given this slug so that they can log in using this method.

PreviousTwo-factor AuthenticationNextUsers

Last updated

Was this helpful?