OpenID Connect SSO setup guide

  • 15 May 2020
  • 1 reply
  • 1125 views


What is OpenID Connect?

OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0. The specification can be found here. The inSided Community OpenID Connect scheme supports the Authorization Code Flow.


OpenID Connect flow representation

In order to understand how the OpenID Connect process integrates into the overall Community SSO architecture (i.e. Steps #1-3 in the diagram below) please see Single Sign-on (SSO): Getting Started.


  1. Community redirects the User to the Authorization URL with GET, attaching the Redirect Uri and Client ID.

  2. Server authenticates the User and obtains consent/authorization.

  3. Server sends the User back to the Community Redirect Uri, attaching the Authorization Code.

  4. Community requests a response containing an ID Token and Access Token in JSON format from the Token URL with POST (application/x-www-form-urlencoded), attaching the Authorization Code, Client ID, Redirect Uri and Client Secret as parameters.

  5. Community receives a response that contains an ID Token and Access Token in the response body.

  6. Community validates the ID Token and retrieves the user subject identifier or sub (later id).

  7. If a User Info URL is configured, Community requests Profile data in JSON format from the User Info URL with GET, sending the Access Token in an Authorization: Bearer header.

After retrieving the minimal required id (or the more complete Profile data), Community starts Step #3 of Community Single Sign-on.

The Redirect Uri is generated by Community automatically.
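To make steps 1, 4 and 6 above concrete, here is an added example written for this guide (not inSided's own implementation): it builds the authorization redirect, the form-encoded token request, and a validator that checks the ID Token's signature, issuer, audience and expiry before trusting sub. It assumes the server signs the ID Token with HS256 keyed by the client secret (permitted by OIDC Core); the issuer, client ID and redirect URI are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Constructed placeholders for this example; a real community uses its own values.
ISSUER = "https://idp.example.com"
CLIENT_ID = "community-client"
REDIRECT_URI = "https://community.example.com/oidc/callback"  # Community generates the real one

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def authorization_url(auth_endpoint: str, state: str, scope: str = "openid") -> str:
    # Step 1: GET redirect carrying client_id and redirect_uri; state binds the callback to this session.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"

def token_request_body(code: str, client_secret: str) -> str:
    # Step 4: application/x-www-form-urlencoded body POSTed to the Token URL.
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
                      "client_secret": client_secret, "redirect_uri": REDIRECT_URI})

def sign_id_token(claims: dict, client_secret: str) -> str:
    # Stand-in for the server side: HS256 ID Token keyed with the client secret.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def validate_id_token(token: str, client_secret: str, now=None) -> str:
    # Step 6: check alg, signature, iss, aud and exp; only then return sub.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims["sub"]
```

In a real deployment the Token URL response is fetched over HTTPS and the Issuer, Client ID and Client Secret come from the Control configuration described below.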


How to Configure OpenID Connect on inSided


Server

Set up an OpenID Connect compatible Server that exposes the following endpoints:

  • Authorization Endpoint
  • Access Token Endpoint
  • (Optional) User Info Endpoint

Community (inSided) configuration

  1. Log in to Control as an Administrator
  2. Go to Integrations > SSO > Open ID
  3. Fill in the following fields:
    • Authorization URL*
    • Client ID*
    • Client Secret*
    • Issuer*
    • Token Url*
    • Scope
    • User Info Url
    * Indicates required fields
  4. Press Install

Once you’ve installed your configuration, we recommend using the built-in inSided SSO testing tool before you enable SSO for end users, to make sure everything is working as expected.



1 reply


The links to other articles on the Gainsight platform in this article are not working. Could someone please check them? @Kenneth R @Sudhanshu @Sebastian 

Also, redirect_uri should be documented properly, as we had some troubles with it while testing our SSO 😊
