Federated Single Sign-On (SSO)

Overview

The Single Sign-on (SSO) feature enables users to log in to Algonomy applications using the credentials (username and password) maintained in their corporate user directory. This eliminates the need to remember a separate set of credentials managed by Algonomy to access Algonomy Apps. Algonomy’s Omnichannel Personalization Cloud still supports native authentication using Algonomy-provisioned user credentials.

Algonomy supports Federated SSO via two industry-standard protocols, OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). The following sections describe how Single Sign-on can be set up for your corporate user directory for the sites configured for you on Algonomy Apps.

Note: SSO requires new configurations to be created at your Identity Provider, with the corresponding setup done at the Algonomy Identity Service. Contact your Algonomy Support Team or Personalization Consultant for more details.

Currently, Algonomy supports the following Identity Providers for Federated SSO activation:

  • Microsoft Azure Active Directory

  • Ping Identity

  • Google Identity

  • Okta

OAuth 2.0/OpenID Connect (OIDC) SSO

OAuth (Open Authorization) is an open standard for token-based authentication and authorization that provides SSO. OIDC is a simple identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of an end user based on the authentication performed by an authorization server or Identity Provider (IdP), and to obtain basic profile information about the end user in an interoperable, REST-like manner. OIDC specifies a RESTful HTTP API using JSON as the data format.

Why should I adopt OIDC for my app?

OIDC is easier to integrate than SAML and can work with a wider variety of apps. Specifically, it provides:

  • Easily consumed identity tokens: Client apps receive the user’s identity encoded in a secure JSON Web Token (JWT) called the ID token. JWTs are elegant, portable and support a range of signature and encryption algorithms.

  • The OAuth 2.0 protocol: Clients use OAuth 2.0 flows to obtain ID tokens, which work with web apps as well as native mobile apps. OAuth 2.0 also means that you have a single protocol for authentication and authorization (obtaining access tokens).

  • Simplicity with capability: OIDC is simple enough to integrate with basic apps, offering features and security options that meet demanding enterprise requirements.

OIDC User Authentication Flow

Federated SSO Configuration with OIDC

Configuring OIDC in Okta

To create an OIDC app in Okta:

  1. On the Admin Console of Okta, go to Application, and select Create App Integration.

    Note: For information on how to create OIDC app integrations with Okta, see Create OIDC app integrations.

  2. Specify the below values for Uniform Resource Identifiers (URIs):

    • Sign-in redirect URI: https://rrsso.onelogin.com/access/idp

    • Sign-out redirect URI: https://rrsso.onelogin.com/access/idp

    • Initiate login URI: https://rrsso.onelogin.com/access/initiate

  3. Create custom user attributes defaultSiteId and siteLevelRoles, and map the same as a custom claim.

    Note: For information on how to create custom user attributes, see Add custom attributes to an Okta user profile. For information on how to add a custom claim to a token, see Add a custom claim to a token.

  4. Ensure that the Userinfo API (/oauth2/v1/userinfo) response, with the siteLevelRoles attribute, looks like the response below:

    {
      "sub": "00u5wykpuwawUHrOX5d7",
      "name": "testuser",
      "locale": "en_US",
      "email": "test@123.com",
      "preferred_username": "test@123.com",
      "given_name": "test",
      "family_name": "test2",
      "zoneinfo": "America/Los_Angeles",
      "updated_at": 1658815576,
      "email_verified": true,
      "siteLevelRoles": "Site1:Role1,Site2:Role2"
    }

Note: The siteID mapped in this configuration should be the siteID assigned to you/your organization and Roles should be the Omnichannel Personalization Roles that are to be assigned to your users. For more information on Roles and Permissions supported by Algonomy, see Personalization Cloud: Roles and Permissions. Contact your Algonomy Support Team or Personalization Consultant to get this information.

  5. Share the following values with your Algonomy Support Team or Personalization Consultant to configure the OIDC activation from the Algonomy side.

    • Client ID and Client secret

    • authorization_endpoint

    • token_endpoint

    • userinfo_endpoint

    • revocation_endpoint

    • callback_endpoint

    • jwks_url

    • issuer_url

Configuring OIDC in Ping Identity

To create an OIDC app in Ping Identity:

  1. On the PingOne MFA console, go to Connections and select Applications.

    Note: For information on how to create an OIDC app in the Ping Identity MFA console, see Creating an OIDC application in PingOne.

  2. Share the following values with your Algonomy Support Team or Personalization Consultant to configure the OIDC activation from the Algonomy side.

    • authorization_endpoint

    • token_endpoint

    • userinfo_endpoint

    • revocation_endpoint

    • callback_endpoint

    • jwks_url

    • issuer_url

  3. Under the Edit configuration section, select Token Endpoint Authentication Method, and choose Client Secret Post.

    IMPORTANT: You need to share the Client ID and Client secret with your Algonomy Support Team or Personalization Consultant to configure the OIDC activation from the Algonomy side.

  4. In the Grant Type section, select only Authorization Code.

  5. In the Redirect URL field, enter https://rrsso.onelogin.com/access/idp

  6. In the Initiate login URL field, enter https://rrsso.onelogin.com/access/initiate

  7. Grant the following scopes: openid, email and profile.

Configuring attribute mappings

Perform the following actions to configure attribute mappings:

  1. Go to Edit Attribute Mappings.

  2. Click the settings icon corresponding to the attribute siteLevelRoles and specify an expression in the following format: siteId:Role1, siteID:Role2. This is how Algonomy understands which Roles should be mapped to each customer user.

Note: The siteID mapped in this configuration should be the siteID assigned to you/your organization and Roles should be the Omnichannel Personalization Roles that are to be assigned to your users. For more information on Roles and Permissions supported by Algonomy, see Personalization Cloud: Roles and Permissions.

Configuring OIDC in Microsoft Azure

To create an OIDC app in Microsoft Azure:

  1. On the Azure portal, search for Azure Active Directory.

  2. Go to Manage, and select App registrations.

  3. Select New registration, and provide a name.

    Note: For information on how to create an OIDC app in the Azure portal, see Configure an OpenID Connect provider for portals with Azure AD.

  4. Enter the URL below in the Redirect URL field:

    https://rrsso.onelogin.com/access/idp

    Note: You need to set Authorized redirect URIs.

  5. Note down the Client ID and Client secret and share them with your Algonomy Support Team or Personalization Consultant to configure the OIDC activation from the Algonomy side.

  6. Note down the URLs below from the Endpoints view and share them with your Algonomy contact:

    • OAuth 2.0 authorization endpoint (v2)

    • OAuth 2.0 token endpoint (v2)

  7. Open the OpenID Connect metadata document URL in your browser and note down the following URLs, which need to be shared with your Algonomy contact.

    • issuer URL

    • user info Endpoint URL

  8. As part of the userinfo Endpoint, pass a custom attribute siteLevelRoles in your response in the following format: "siteLevelRoles": "SiteID:Role1,Site2:Role2". This is how Algonomy understands which Roles should be mapped to each customer user.

Note: The siteID mapped in this configuration should be the siteID assigned to you/your organization and Roles should be the Omnichannel Personalization Roles that are to be assigned to your users. For more information on Roles and Permissions supported by Algonomy, see Personalization Cloud: Roles and Permissions.

  9. To support IdP-initiated login, use the initiate login URI: https://rrsso.onelogin.com/access/idp?iss={URL-encoded value of the issuer URL noted from the OpenID Connect metadata document above}

Configuring OIDC in Google Identity

To create an OIDC app in Google Identity:

  1. On the Google API Console, obtain new credentials.

    Note: While creating new credentials, a name needs to be provided. For information on how to create an OIDC app in the Google API Console, see OpenID Connect.

  2. Enter the URL below in the Redirect URL field:

    https://rrsso.onelogin.com/access/idp

    Note: You need to set Authorized redirect URIs.

  3. Note down the following values from your Google Identity OIDC configuration and share them with your Algonomy Support Team or Personalization Consultant to configure the OIDC activation from the Algonomy side.

    • Client ID and Client secret

    • authorization_endpoint

    • token_endpoint

    • userinfo_endpoint

    • revocation_endpoint

    • callback_endpoint

    • jwks_url

    • issuer_url

  4. As part of the userinfo Endpoint, pass a custom attribute siteLevelRoles in your response in the following format: "siteLevelRoles": "SiteID:Role1,Site2:Role2". This is how Algonomy understands which Roles should be mapped to each customer user.

Note: The siteID mapped in this configuration should be the siteID assigned to you/your organization and Roles should be the Omnichannel Personalization Roles that are to be assigned to your users. For more information on Roles and Permissions supported by Algonomy, see Personalization Cloud: Roles and Permissions.
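The siteLevelRoles claim format described above for Okta, Ping Identity, Azure and Google is the same in each case: comma-separated site:role pairs. The following Python is an added example of how a relying party can parse that claim from a userinfo response and keep only the roles for the site IDs actually assigned to the organization; it is not Algonomy's own code, and the userinfo JSON and the site and role names in it are constructed.

```python
import json
from typing import Dict, List, Set

# Constructed sample shaped like the /oauth2/v1/userinfo response shown on
# this page; the subject, user and site/role names are illustrative only.
SAMPLE_USERINFO = json.dumps({
    "sub": "example-subject-id",
    "preferred_username": "user@example.com",
    "email_verified": True,
    "siteLevelRoles": "Site1:Role1, Site2:Role2,Site1:Role3",
})


def parse_site_level_roles(claim: str) -> Dict[str, List[str]]:
    """Parse "siteId:Role1,siteId:Role2" into {siteId: [roles...]}.

    Whitespace around entries is tolerated (the Ping expression on this page
    has a space after the comma) and a trailing comma is ignored. An entry
    that is not exactly "site:role" with both parts non-empty is rejected
    rather than silently skipped, so a broken mapping fails loudly.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in claim.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed siteLevelRoles entry: {entry!r}")
        site, role = parts
        roles = mapping.setdefault(site, [])
        if role not in roles:
            roles.append(role)
    return mapping


def roles_for_assigned_sites(userinfo_json: str,
                             assigned_sites: Set[str]) -> Dict[str, List[str]]:
    """Return only the roles for site IDs the organization actually owns.

    The notes above say the mapped siteID must be the one assigned to the
    organization; roles for any other site ID are dropped here so that a
    misconfigured claim cannot grant access outside the organization's sites.
    """
    info = json.loads(userinfo_json)
    claim = info.get("siteLevelRoles")
    if not isinstance(claim, str):
        raise ValueError("siteLevelRoles claim missing from userinfo response")
    parsed = parse_site_level_roles(claim)
    return {site: roles for site, roles in parsed.items() if site in assigned_sites}
```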