Configuring OpenID for Vendors
Read below to learn how to configure SSO for the OpenID Connect standard.
Configure OpenID in Frontegg Portal
Go to Environments ➜ [NAME OF ENVIRONMENT] ➜ Authentication ➜ SSO.
If you do not see SSO ➜ OpenID in the sidebar, make sure it is enabled and published to the environment.
After clicking the OpenID configure button, complete the form on the following page.
Redirect URL
If you are using the Hosted Login method, add the Redirect URL as https://[your-frontegg-domain].frontegg.com/oauth/account/oidc/callback i.e., https://acme.frontegg.com/oauth/account/oidc/callback?redirectUrl=https://app.acme.com
If you are using the Embedded Login method, add the Redirect URL as [your-application-url]/account/oidc/callback i.e., https://app.acme.com/account/oidc/callback
When using a custom domain
If you've configured a custom domain on Frontegg, use that domain instead of the
your-frontegg-domain, and it should be as well followed byoauth/account/oidc/callback.
Allow your customers to apply the connection or apply it for them
After configuring OIDC in the Frontegg Portal, you can allow your end users either to apply the SSO connection via the Self-service or apply the connection details from their IDP on their behalf, via the Backoffice ➜ Accounts ➜ Account ➜ Actions SSO ➜ Configurations.
Enable SSO Tab in the Admin portal
For enabling the SSO tab in the Self-Service for your end users:
Admin portal integration
Make sure that you have integrated the Admin portal into your application as described in (doc:react-self-service).
After the SSO tab is enabled, your customers can follow the instructions for adding the details of the connection from the IDP - here.
For OpenID there is no option to map roles to groups from the Self-Service UI (Admin portal). It can be applied only via APIs or the Backoffice.
Apply the connection from the Environment's Backoffice
For applying the SSO connection on behalf of your customers, you can use the back office or do it by using our APIs.
Customer Configuration
If OpenID Connect is enabled and configured an end user can configure an OIDC connection and allow other users to sign in to their account using OpenID Connect.
Below is an example with Okta.
STEP 1: Create a New OpenID Application
Create a new OpenID Connect application with Okta that you can use as the Identity Provider for users.
STEP 2: Find Admin Portal
Go to the Admin Portal ➜ SSO
STEP 3: Configure IDP
Choose Open ID Connect as IDP method and copy the Redirect URI.
Use the Redirect URI from the Admin portal as Sign-in redirect URIs on Okta:
Get the Client ID and secret from your Okta application and insert them in the Admin portal OpenId configuration.
OpenID Connect parameters overview:
| Configuration | Description |
|---|---|
| Issuer URL | This is a URL that is given by the IDP. This URL provides instructions on how to communicate with the IDP. If you are unsure you have the right URL, insert in in the issues URL field and it will be validated automatically. |
| Client ID | The clientId is given by the IDP. This allows the IDP to identify who is requesting to authenticate. |
| Secret Key | The secret key allows authentication with the IDP to validate the user who tries to log in. It must correspond to the secret key inserted for the clientId. |
| Redirect URI | This is a pre-configured value that lets the IDP know where it should return the user after the user is authenticated within the IDP. The redirect URI value must be configured in the IDP itself. |
STEP 4: Claim Domain
After configuring the identity provider, you will need to claim one or more domains for the account. This step is required in order to avoid abuse of a domain.
The domain needs to be claimed by copying the TXT record and applying it to your DNS provider. If you cannot obtain access to your organization's DNS, please contact your application Administrator.
You can configure multiple domains for an account. This can be useful if you're using multiple environments for development or multiple production applications on separate domains and need the SSO connection to cover several domains.
STEP 5: Manage Authorization
Select which roles should be assigned to SSO users by default and map IDP groups to specific roles. Roles you assign to users through SSO will apply regardless of whatever additional roles you assign to those users.
Default SSO Roles
Assign default roles to all SSO users by adding one or more Frontegg roles from your list of predefined roles.
STEP 6: Mapping Groups to Roles (Optional)
Mapping groups to specific roles with OpenID connect is currently possible for application owners via Frontegg APIs or by using Frontegg Backoffice.
Groups Role Mapping
Note that to enable group role-mapping, you are required to add a groups claim named
groupsin your SSO IDP.
Step 7: Save the SSO connection
Save the connection and make sure that it is enabled
That's it! Now all users with the domain that was configured for the connection, will be redirected to their IDP when they will try to sign in.
Additional resources
FAQs related to OpenID Connect SSO
Updated 10 months ago