Authentication (SSO)

Asserts uses OAuth2 and OIDC for Single Sign On (SSO). For users with the Owner role, this configuration can be found in the Asserts Settings page. Note that SSO is not available with a Freemium license

OAuth2 Config Screen

Once on the OAuth2 Config screen, we can set the configuration properties.

The properties include:

Provider Name - The name of the provider defined by you. This is just used for reference and a mapping to an associated sign in button graphic. Current included button graphic names are: Google, Okta, Apple, OneLogin
Provider ID - The unique identifier of this IDP defined by you
Client ID - Unique ID created within the IDP
Client Secret - Unique secret created within the IDP
Authorize Endpoint - IDP authorization endpoint
Token Endpoint - IDP token endpoint
User Info Endpoint - Optional IDP endpoint for user profile information
Logout Endpoint - An optional logout template URL following the OpenID logout spec
- The URL template you provide must include a value for the id_token_hint parameter defined in the spec. This is done through the template binding of {id_token}
Grant Type - The grant type(s) for this IDP (generally authorization_code)
Scope - Space separated scope fields defined by the IDP to be able to access the user profile as well as name & email
Endpoint Auth Scheme - Either POST or BASIC depending on the IDP
Parameters - the parameters required by the IDP to support an id auth & refresh token
- Includes response_type: code plus any other IDP specific parameters

User Profile Fields

When available, Asserts will query the IDP user info endpoint to build the user profile. There are several user profile fields in Asserts and these properties may be referenced with different key names in the IDP. Therefore, we have built a mapping mechanism for these fields. For the following properties, enter the corresponding key value for the user info response.

The Asserts properties are as follows:

Name - The user's full name (required)
Email - the user's email address (required)
Picture - The user's profile picture
Provider ID - The unique ID of the user in the IDP
Locale - The user's locale
Hosted Domain - The hosted domain to which this user belongs

Verified IDPs

At Asserts we have verified the SSO flow for the following IDPs. Also included are the proper properties for Grant Type, Scope, Parameters and User Profile mappings

Provider	Fields
Apple	name: Apple grant_type: authorization_code scope: openid params: response_type: code User Profile name: name email: email
Auth0	name: Auth0 User Profile name: name email: email: locale: locale picture: picture providerUserId: sub params response_type: code scope: openid email profile offline_access name picture grant_type: authorization_code
Google	name: Google User Profile name: name email: email locale: locale picture: picture hostedDomain: hd providerUserId: sub params prompt: consent access_type: offline response_type: code scope: openid email profile grant_type: authorization_code
Microsoft	name: Microsoft User Profile name: name email: email picture: picture providerUserId: sub params: response_type: code scope: openid email profile offline_access grant_type: authorization_code
Okta	name: Okta User Profile name: name email: email locale: locale picture: profile providerUserId: preferred_username params: response_type: code scope: openid email profile offline_access grant_type: authorization_code
OneLogin	name: OneLogin grant_type: authorization_code scope: openid name profile groups email params phone params: response_type: code User Profile name: name email: email locale: locale picture: profile providerUserId: preferred_username
PingOne	name: PingOne grant_type: authorization_code scope: openid name profile email phone address params: response_type: code User Profile name: name email: email locale: locale picture: profile providerUserId: preferred_username

Provider

Fields

Apple

name: Apple
grant_type: authorization_code
scope: openid
params:
- response_type: code
User Profile
- name: name
- email: email

Auth0

name: Auth0
User Profile
- name: name
- email: email:
- locale: locale
- picture: picture
- providerUserId: sub
params
- response_type: code
scope: openid email profile offline_access name picture
grant_type: authorization_code

Google

name: Google
User Profile
- name: name
- email: email
- locale: locale
- picture: picture
- hostedDomain: hd
- providerUserId: sub
params
- prompt: consent
- access_type: offline
- response_type: code
scope: openid email profile
grant_type: authorization_code

Microsoft

name: Microsoft
User Profile
- name: name
- email: email
- picture: picture
- providerUserId: sub
params:
- response_type: code
scope: openid email profile offline_access
grant_type: authorization_code

Okta

name: Okta
User Profile
- name: name
- email: email
- locale: locale
- picture: profile
- providerUserId: preferred_username
params:
- response_type: code
scope: openid email profile offline_access
grant_type: authorization_code

OneLogin

name: OneLogin
grant_type: authorization_code
scope: openid name profile groups email params phone
params:
- response_type: code
User Profile
- name: name
- email: email
- locale: locale
- picture: profile
- providerUserId: preferred_username

PingOne

name: PingOne
grant_type: authorization_code
scope: openid name profile email phone address
params:
- response_type: code
User Profile
- name: name
- email: email
- locale: locale
- picture: profile
- providerUserId: preferred_username

IDP Configuration

To allow Asserts access to your IDP you must configure an authorized origin and redirect URI at a minimum. In addition, your IDP may support direction to a login and/or logout URI.

The values you should use are as follows:

authorized origin - http(s)://<your Asserts hostname>
redirect URI - http(s)://<your Asserts hostname>/authorized
login URI - http(s)://<your Asserts hostname>/login
logout URI - http(s)://<your Asserts hostname>/logout

Sample Google IDP Configuration

PreviousGlobal Settings NextUser Roles

Last updated 9 months ago