See also Configuring Single Sign-on with OpenID Connect.
When using Single Sign-on with OpenID Connect, Softadmin® delegates user authentication to an OpenID Provider. In OpenID terminology, Softadmin® plays the role of the relying party (RP), while the OpenID Provider serves as the Identity Provider (IdP).
By entrusting authentication to the IdP, Softadmin® simplifies user management and lets users sign in with the same credentials they use for their organization's other systems.
Upon a user's login, Softadmin® retrieves user data from the Identity Provider in the form of an id token.
Softadmin® verifies that the id token is trustworthy (cryptographic signature, expiry and so on). However, because different integrations use different claims to describe their users, Softadmin® relies on a system-unique stored procedure, configured in the system setting SingleSignOnOpenIdConnectSignInProcedure, to convert the claims in the id token into a row in the SoftadminApi.User table.
If the id token does not contain sufficient information, Softadmin® can be configured to make an additional call to the IdP's UserInfo endpoint, from which some servers return further user data.
User permissions can be controlled through:
Softadmin® relies on the Identity Provider to manage user access to the Softadmin® system. If this isn't feasible, the recommended approach is to: