OpenID
Overview
OpenID is an open standard that provides user authentication (identity) features and is built upon OAuth 2.0 flows. Like SAML, it uses an external identity provider (IdP) to authenticate the user and enables single sign-on (SSO). While there are several underlying technical differences between SAML and OpenID, the most important differences are that OpenID is a lighter-weight protocol and requires explicit user consent to access as part of its communication flows.
OpenID satisfies requirements for identity and access in the following ways:
Authentication - The user logs into the identity provider's server that, in turn, authenticates the user and generates a Token ID confirming the user's identity. This token ID is returned to the Devo Platform as an encrypted JSON web token.
Authorization - The request to the identity server includes a scope parameter that specifies the level of access to domain resources as dictated by the user's role in Devo.
Setting up OpenID user authentication
Go to the Authentication tab in Preferences → Domain Preferences.
In the OpenID tab, select the Active checkbox.
Below are the fields that you will see in the form. Once you generate the required values in your IdP and enter them in this form, click Update to finish the process. Users will now be able to login into their Devo domains using the IdP credentials:
Home URL | You will need to copy this for when you set up access on the IdP account, outside the Devo Platform. After setting up the Open ID authentication, users will access this URL and will be redirected to the IdP site to enter their credentials. |
---|---|
Client Id and Client secret | Credentials that Devo will use to authenticate API communications with the IdP server. These are generated by the IdP when you register Devo as an app in your IdP account. |
Identity provider URL | This is the secure HTTP URL where Devo needs to direct its requests for authorization (sometimes called the Authorization endpoint). You should copy this from your IdP account. |
Token URL | This is the secure HTTP URL where Devo needs to direct its requests for token IDs (sometimes called the Token endpoint). You should copy this from your IdP account. |
User provisioning | Select this checkbox if you want users not registered in the domain to be signed up when they enter their credentials for the first time. They will be assigned the No Privileges role. |
Example: Use Google as an IdP to set up OpenID
Follow these steps if you want users to log in to Devo using their Google credentials: