In addition to the benefits of SSO, OpenID Connect provides advanced privacy configurations making it an ideal choice for an organization's customers to access applications that present a customer or consumer experience, such as a MindTouch site.
This solution is custom-configured for each client by MindTouch Professional Services. Elements and labels may differ from what is documented.
This solution became generally available April 5, 2019 and is only implemented by request for each MindTouch site.
- Open Authorization (OAuth 2.0) is a standard for token-based authentication and authorization which allows an end user's account information to be used by third-party services. OAuth 2.0 is the foundational technology for OpenID Connect.
- OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user.
- An identity provider (IdP) is a service for creating, managing and storing a user‘s authentication credentials (username, password, group assignments, roles, etc.)
- The relying party (RP) is the application the user wants to authenticate with OpenID Connect (for example, MindTouch).
- An authorization code flow is a MindTouch supported OpenID Connect authentication flow that allows a user to approve the user identity data that will be sent to MindTouch.
- An implicit flow is a MindTouch unsupported OpenID Connect authentication flow that exposes access tokens directly to a user’s web browser.
Why is OpenID Connect recommended for authentication?
- Security: OpenID Connect provides a single point of authentication for users at a secure IdP. User credentials are never transferred between MindTouch and the IdP, minimizing potential breach points.
- Privacy: Users can view and consent to what identity information is being transferred from an IdP to the application. Users can also be presented with privacy policies or terms of service agreements, before agreeing to sign in to an application.
- Platform neutrality: The OpenID Connect protocol interoperates with any system independent of implementation, reducing interoperability issues associated with vendor-specific approaches.
- Reduced administrative costs: The burden of authenticating users across multiple applications is transferred to the IdP with a single act of authentication, reducing the account management costs.
Risk transference: OpenID Connect can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.
- A valid TLS/SSL certificate installed on your MindTouch site
- Administrative access to your identity provider (IdP)
- Working knowledge of Supported OpenID Connect flows
OpenID Connect sessions cannot occur behind existing VPN or IP-restrictions, if enabled for your MindTouch site.
Collect information from your identity provider
To configure a basic OpenID Connect integration, you will need the following information from your IdP:
- Additional (Custom) Claims (optional): Any custom identity token claims to save with the user's profile on the MindTouch site.
- Client ID (required): The unique identifier for the MindTouch site as a relying party.
- Client Secret (required): The secret passcode to establish trust between the IdP and the MindTouch site (this secret should not be shared over any public channel).
- IdP Authorize URL (required): The endpoint that will receive the MindTouch site's authorization code request.
- IdP Issuer (required): The unique identifier for the identity provider.
- IdP JSON Web Key Set (JWKS) URL (recommended): The endpoint that will provide the MindTouch site with public keys to verify a signed identity token. If not supplied, a JWKS document (containing a key, key type, and verification algorithim) can be provided. However, JWKS security best practice recommends rotating keys regularly.
- IdP Logout URL (recommended): The endpoint that will receive the MindTouch site's sign out request.
- IdP Token URL (required): The endpoint that will receive the MindTouch site's identity token request.
- IdP UserInfo URL (recommended): The endpoint that will provide the MindTouch site with verbose user identity data, if not present in the identity token.
- Scopes (recommended): The MindTouch site will use identity token claims to enrich an authenticating user's profile on the MindTouch site. It is recommended that these claims are scoped so the user can understand what identity data they are sharing with the MindTouch site, and consent to the identity data transfer. The MindTouch site will include these scopes when redirecting users to the IdP Authorize URL.
Contact your Customer Success Manager to discuss OpenID Connect integration services. Based on the complexity of your integration, you may need to only supply the IdP data described above, or you may work with them on more advanced integrations. The latter may require more involvement with your IdP maintainer or vendor, and additional information.