How to set up SSO?

Configuration typically consists of entering five values, specific to the system connected as the authentication provider, into a dedicated form in the organization's administration panel. These values can be obtained from the administrator of the connected authentication system and include:
  • Authorization URL: the address at which the authentication process is initiated.
  • Token URL: the API address used to obtain a token.
  • User Info URL: the address at which the obtained token is exchanged for user information.
  • Client ID and Client Secret: values assigned to Autenti in the connected authentication system that allow Autenti to identify itself to that system.
The meaning of all these parameters is standard for the OpenID Connect protocol, as defined by its specification. In non-standard cases the connection can also be made by adjusting the set of user information requested by Autenti (the so-called scope) and the mechanism by which the Autenti application presents its credentials to the connected system. Typically, however, these values do not need to be changed.

During configuration, the redirect URL must also be configured in the connected authentication system, i.e., the address to which the user's browser is redirected after authentication. The value of this address is shown in the form field in a way that is convenient to copy. Additionally, if the connected system requires it, connections from Autenti's domain must be allowed. A sample configuration form (using Okta as the example) is shown below:
[Image: sample SSO configuration form (Okta example)]

Before saving the configuration, Autenti lets you test it to check that the settings are correct and that the matching configuration has also been made in the connected system. This is crucial, because a configuration error can make it impossible to log in (including for the administrator).

You should also verify that the email addresses returned for users by the connected system correspond to the addresses configured for those users in Autenti.
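One way to carry out that email check systematically, as an added example that is not part of the original article or of Autenti's own tooling: collect the responses the connected system returns from its User Info URL for each account and reconcile them against the addresses configured in Autenti. The sample responses and the user list below are constructed for this example; only the `email` and `email_verified` claim names are taken from the OpenID Connect specification.

```python
from typing import Dict, Iterable, List

# Constructed sample of what the connected system returns from the User Info URL
# for four accounts (sample data for this example, not values from the article).
SAMPLE_USERINFO = [
    {"sub": "1001", "email": "Alice.Kowalska@Example.com", "email_verified": True},
    {"sub": "1002", "email": "bob@example.com", "email_verified": True},
    {"sub": "1003", "email": "carol@contractor-example.org", "email_verified": False},
    {"sub": "1004", "name": "Account without an email claim"},
]

# Constructed sample of the addresses configured for the organization's users in Autenti.
AUTENTI_USERS = ["alice.kowalska@example.com", "bob@example.com", "dave@example.com"]


def normalize_email(addr: str) -> str:
    """Trim whitespace and lower-case the whole address.

    Design choice: RFC 5321 makes the local part case-sensitive, but the identity
    providers used for SSO treat it case-insensitively, and a case-sensitive
    comparison would report false mismatches for accounts such as Alice's.
    """
    return addr.strip().lower()


def reconcile(userinfo_responses: Iterable[dict],
              configured_emails: Iterable[str]) -> Dict[str, List[str]]:
    """Compare User Info responses with the addresses configured in Autenti.

    Returns, as sorted-by-encounter lists:
      matched       addresses present on both sides
      unmatched     addresses the connected system returns but Autenti does not know
      missing_claim 'sub' values of accounts whose response carries no email claim
      unverified    addresses the connected system itself marks as unverified
      not_covered   Autenti addresses no account in the connected system maps to
    """
    configured = {normalize_email(e) for e in configured_emails}
    matched: List[str] = []
    unmatched: List[str] = []
    missing_claim: List[str] = []
    unverified: List[str] = []
    for info in userinfo_responses:
        email = info.get("email")
        if not email:
            # Without an email claim Autenti has nothing to map the account to.
            missing_claim.append(str(info.get("sub")))
            continue
        norm = normalize_email(email)
        if info.get("email_verified") is False:
            unverified.append(norm)
        if norm in configured:
            matched.append(norm)
        else:
            unmatched.append(norm)
    not_covered = sorted(configured - set(matched))
    return {
        "matched": matched,
        "unmatched": unmatched,
        "missing_claim": missing_claim,
        "unverified": unverified,
        "not_covered": not_covered,
    }


if __name__ == "__main__":
    for category, addresses in reconcile(SAMPLE_USERINFO, AUTENTI_USERS).items():
        print(f"{category}: {addresses}")
```

Every non-empty list other than `matched` is something to resolve before enabling SSO for the organization: an `unmatched` or `missing_claim` entry means that person will not be able to log in, and a `not_covered` entry means an Autenti user has no corresponding account in the connected system.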

After successful configuration, inform users about the dedicated address for logging in via SSO and have them set it (e.g., as a bookmark) as the address for logging in to Autenti. This address redirects users automatically to the external authentication system without their entering any data in Autenti.

For security reasons, a person who is not a user of the organization cannot authenticate. From the moment SSO is set up, the administrator of the connected SSO system decides which users can authenticate, within the capabilities of that system.
Hint for integration with Microsoft Azure:

Fill in the form fields with the corresponding values published by Azure:
  • Authorization URL: "authorization_endpoint"
  • Token URL: "token_endpoint"
  • User info URL: "userinfo_endpoint"
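The three key names in the hint are the standard OpenID Connect Discovery metadata keys; Microsoft Entra ID (Azure AD) publishes them in the document at `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration`, and most other providers expose an equivalent document. The following added example (not code from the article or from Autenti) pulls the three form values out of such a document and runs the checks worth doing before pasting them into the form: every endpoint must be HTTPS, the scopes the integration needs must be advertised, and the redirect URL registered on the provider side must match exactly. The discovery document, host and tenant id below are constructed placeholders, and the helper names are this example's own.

```python
import json
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample discovery document. Key names follow OpenID Connect Discovery;
# the host, tenant id and paths are placeholders, not a real provider's values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.idp.example/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.idp.example/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.idp.example/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.idp.example/oidc/userinfo",
    "jwks_uri": "https://login.idp.example/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Form field -> discovery key, exactly as the hint above maps them.
FORM_FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User info URL": "userinfo_endpoint",
}


def form_values_from_discovery(doc_text: str) -> Dict[str, str]:
    """Return {form field: URL} for the three URL fields of the SSO form."""
    doc = json.loads(doc_text)
    missing = [key for key in FORM_FIELDS.values() if key not in doc]
    if missing:
        # A provider that omits one of these keys cannot be configured from discovery alone.
        raise KeyError(f"discovery document lacks required keys: {missing}")
    return {field: doc[key] for field, key in FORM_FIELDS.items()}


def endpoint_problems(values: Dict[str, str]) -> List[str]:
    """List anything that makes a URL unsuitable as an SSO endpoint (empty list = fine)."""
    problems: List[str] = []
    for field, url in values.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Tokens and the client secret travel over these URLs; plain http exposes them.
            problems.append(f"{field}: scheme is {parts.scheme!r}, expected https")
        if not parts.netloc:
            problems.append(f"{field}: no host in {url!r}")
        if parts.fragment:
            problems.append(f"{field}: endpoint URL must not carry a fragment")
    return problems


def missing_scopes(doc_text: str, needed: Iterable[str] = ("openid", "email")) -> List[str]:
    """Scopes the integration needs that the provider does not advertise."""
    supported = set(json.loads(doc_text).get("scopes_supported", []))
    return sorted(set(needed) - supported)


def redirect_uri_registered(registered: Iterable[str], redirect_uri: str) -> bool:
    """True only on an exact match.

    OpenID Connect requires the redirect URI to match a pre-registered value by
    simple string comparison, so a trailing slash, different case or an extra
    path segment counts as a different (unregistered) address.
    """
    return redirect_uri in set(registered)


if __name__ == "__main__":
    values = form_values_from_discovery(SAMPLE_DISCOVERY)
    for field, url in values.items():
        print(f"{field}: {url}")
    print("problems:", endpoint_problems(values) or "none")
    print("missing scopes:", missing_scopes(SAMPLE_DISCOVERY) or "none")
    # Placeholder redirect URL; copy the real one from the Autenti form field.
    registered = ["https://app.example/sso/callback-placeholder"]
    print("redirect registered:", redirect_uri_registered(registered, registered[0]))
```

In practice you would fetch the provider's discovery document, feed its text to `form_values_from_discovery`, and only transfer the values to the Autenti form once `endpoint_problems` and `missing_scopes` both come back empty; the redirect URL check is a reminder that the address copied from the form must be registered on the provider side character for character.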