OpenID Connect

This page is under construction

OpenID Connect (OIDC) is our recommended protocol for setting up SSO, ahead of SAML2p. This page is a general guide to setting up single sign-on with OpenID Connect.

If you are using Azure AD as your identity provider, we recommend using our Talentech app in the Azure app gallery, which gives a simpler setup process. The Azure AD guide can be found here.

Before you start following this guide, check whether we have a more specific guide for your identity provider in the section Provider specific guides.

Configuration

SSO is a paid service, so to get started please get in touch with your Talentech contact person or contact sso-setup@talentech.com.

Our implementation consultants need the following information:

  1. Your identity provider’s OpenID Connect discovery document URL, typically found at
    https://your-idp-authority/../.well-known/openid-configuration

  2. A client ID and client secret that Talentech ID will use to authenticate to your identity provider. Treat the secret as a credential: share it through a secure channel, and note its expiry date if your identity provider sets one, so it can be rotated before logins start failing.

Once we have this information, we will create a configuration and send you the following URLs, which need to be registered as allowed redirect URIs on the client (app registration) you created for Talentech ID in your identity provider. Register them exactly as sent; most identity providers compare redirect URIs character for character, so a different scheme, host, port or trailing path will make the login fail:

  1. Redirect URL

  2. Post logout redirect URL
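As a pre-flight check before sending us the discovery document URL, the following Python example (added here, not part of Talentech's tooling) parses a discovery document and reports what would block an Authorization Code + PKCE setup: missing or non-HTTPS endpoints, an issuer that does not match the URL the document was fetched from, no authorization code flow, no PKCE S256, and no end_session_endpoint. Both discovery documents and every URL in them are constructed for the example; fetch your provider's real document with any HTTP client and pass its body in.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a discovery document, trimmed to the fields the check
# reads. A real one is served at <issuer>/.well-known/openid-configuration and
# carries many more fields.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example-idp.test/tenant-a",
    "authorization_endpoint": "https://login.example-idp.test/tenant-a/oauth2/authorize",
    "token_endpoint": "https://login.example-idp.test/tenant-a/oauth2/token",
    "jwks_uri": "https://login.example-idp.test/tenant-a/discovery/keys",
    "end_session_endpoint": "https://login.example-idp.test/tenant-a/oauth2/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample of an older provider that only offers the implicit flow.
SAMPLE_DISCOVERY_LEGACY = json.dumps({
    "issuer": "https://old-idp.test",
    "authorization_endpoint": "http://old-idp.test/authorize",
    "token_endpoint": "https://old-idp.test/token",
    "response_types_supported": ["id_token", "id_token token"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def _is_https_url(value):
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.netloc)


def check_discovery_document(body, discovery_url):
    """Return a list of problems; an empty list means the document is usable
    for an Authorization Code + PKCE setup."""
    doc = json.loads(body)
    problems = []

    for key in REQUIRED_FIELDS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not _is_https_url(doc[key]):
            problems.append(f"{key} is not an https URL: {doc[key]}")

    # OpenID Connect Discovery: the document is served from
    # <issuer>/.well-known/openid-configuration and 'issuer' must match that
    # prefix exactly. A mismatch usually means a misconfigured proxy or a
    # document copied from another environment, and clients will reject the
    # ID tokens because 'iss' will not match either.
    issuer = doc.get("issuer", "")
    if issuer and discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer} does not match discovery URL {discovery_url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 not advertised")
    if "end_session_endpoint" not in doc:
        problems.append("no end_session_endpoint, so RP-initiated logout "
                        "(the post logout redirect) is not available")
    return problems
```

The issuer comparison is the one most often overlooked: providers behind a reverse proxy sometimes advertise an internal hostname as the issuer, and every ID token they issue then fails validation on our side.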

Testing

Once the setup is complete, the configuration can be tested. This will be done without affecting any of your active users.

We will send you a link that you can use to verify that the configuration is working correctly. This will trigger the login process by redirecting you from Talentech ID to your identity provider. Once you sign in, you’ll be redirected back to Talentech ID where you’ll be shown a test report (see screenshot 1).

If the test report indicates that everything works correctly, we can safely enable the SSO login option for all your users. This can be done at a time that suits you.

Screenshot 1 - Test login report summary


Provider specific guides

We currently have the following provider specific setup guides available, which describe how to set up the SSO configuration in your identity provider:

Azure AD Generic OIDC Setup Guide

Okta OIDC Setup Guide

Frequently asked questions

Question:

Which OIDC flows are you currently supporting?

Answer:

We currently support the following OIDC login flows:

  • Authorization Code + PKCE (strongly recommended)

  • Implicit flow

With Authorization Code + PKCE the identity provider sends only a short-lived, one-time authorization code back through the browser; Talentech ID redeems it directly at the token endpoint, and the PKCE code verifier binds that redemption to the session that started the login, so an intercepted code is useless on its own. The implicit flow returns the ID token itself in the redirect URL fragment, where it is exposed to browser history and to any script on the page, and the OAuth 2.0 Security Best Current Practice recommends against it. Use the implicit flow only if your identity provider cannot issue authorization codes.
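To make the difference between the two flows concrete, the Python example below (added here; not Talentech's code) builds the authorization request for each and implements the PKCE part of the code flow: generating the code verifier, deriving the S256 challenge, and the comparison the identity provider's token endpoint performs when the code is redeemed. The endpoint, client ID and redirect URI are placeholders; the test vector for the S256 challenge is the one from RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values; the real ones come from the discovery document and the
# client registration created for Talentech ID.
AUTHORIZATION_ENDPOINT = "https://login.example-idp.test/oauth2/authorize"
CLIENT_ID = "talentech-id-client"
REDIRECT_URI = "https://id.example.test/signin-oidc"   # stands in for the Redirect URL we send you


def _b64url(raw):
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier():
    # RFC 7636: 43-128 characters from [A-Za-z0-9-._~]; 32 random bytes encode to 43
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def code_flow_request(state, nonce, verifier):
    """Authorization Code + PKCE: only a one-time code comes back via the browser."""
    return AUTHORIZATION_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,          # CSRF protection, compared on return
        "nonce": nonce,          # echoed inside the ID token, compared on return
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    })


def implicit_flow_request(state, nonce):
    """Implicit flow: the ID token itself is returned in the URL fragment."""
    return AUTHORIZATION_ENDPOINT + "?" + urlencode({
        "response_type": "id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "response_mode": "fragment",
    })


def token_endpoint_accepts(stored_challenge, presented_verifier):
    """What the identity provider does when the code is redeemed: the verifier
    sent with the token request must hash to the challenge recorded at
    authorization time, so a stolen code cannot be exchanged without it."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

The verifier never leaves Talentech ID until the back-channel token request, which is why the flow holds up even when the front-channel redirect is observed.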


Question:

Which claims are required?

Answer:

We need the email address and a unique external identifier for the user. Full name and external tenant ID are also recommended. The list below gives the claim names we read for each value; where several names are listed, any one of them is accepted.

Supported claim names and descriptions:

  • External user id (required)
    Claim names: sub
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Description: This value must be unique for each user in your organization and must never change. Use a stable, opaque identifier rather than the email address or display name, since those can be renamed or reassigned to another person.

  • Email (required)
    Claim names: email
                 preferred_username
                 upn
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Description: The email address of the user. This is used to match the user against the Talentech ID user account on first login, so it needs to be the address on the user’s Talentech ID account. Only rely on preferred_username or upn if your identity provider populates them with the user’s email address; OpenID Connect does not require preferred_username to be an email address or even to be unique. Because the first-login match is by email alone, the identity provider should only assert addresses it has verified.

  • Full name (recommended)
    Claim names: name
                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Description: The user’s full name.

  • External tenant id (recommended)
    Claim names: tid
    Description: If you are using Azure AD or some other multi-tenant IdP, you can provide your tenant ID here.
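The example below (added here, not Talentech's code) applies that claim list to a decoded ID token payload: it takes the first non-empty claim from each group in the order listed, rejects a payload with no external ID or no usable email, and returns the fields needed for the login. The payloads are constructed; the refusal of email_verified=false and the lower-casing of the address are this example's own conservative choices, not a description of Talentech ID's matching rules. Signature, issuer, audience, expiry and nonce validation happen before this step and are out of scope here.

```python
# Claim names from the list above, in the order they are tried.
EXTERNAL_ID_CLAIMS = (
    "sub",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
)
EMAIL_CLAIMS = (
    "email",
    "preferred_username",
    "upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)
NAME_CLAIMS = ("name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
TENANT_CLAIMS = ("tid",)

# Constructed payloads (the decoded ID token claims, after the token itself has
# been validated). Real tokens also carry iss, aud, exp, iat and nonce.
PAYLOAD_AZURE_STYLE = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAGd4n-4o8RR1sbl3MJkzdlo",
    "preferred_username": "jane.doe@example.test",
    "name": "Jane Doe",
    "tid": "1b2c3d4e-0000-0000-0000-000000000000",
}
PAYLOAD_WSFED_NAMES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "u-4711",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Jane.Doe@Example.test",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Jane Doe",
}
PAYLOAD_BAD_USERNAME = {
    "sub": "u-4712",
    "preferred_username": "jdoe",     # a login name, not an address
}


class ClaimError(ValueError):
    pass


def _first_present(claims, names):
    for name in names:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def map_sso_user(claims):
    external_id = _first_present(claims, EXTERNAL_ID_CLAIMS)
    if external_id is None:
        raise ClaimError("no external user id claim (sub or nameidentifier)")

    email = _first_present(claims, EMAIL_CLAIMS)
    if email is None:
        raise ClaimError("no email claim")
    # preferred_username and upn are accepted as email sources, so check that
    # what arrived actually looks like an address before matching on it.
    if "@" not in email:
        raise ClaimError(f"email claim does not contain an address: {email!r}")
    # Assumption for this example: refuse addresses the IdP explicitly marks
    # unverified, since the first login matches accounts by email alone.
    if claims.get("email_verified") is False:
        raise ClaimError("identity provider marks the email as unverified")

    return {
        "external_id": external_id,
        "email": email.lower(),   # assumption: addresses are matched case-insensitively
        "name": _first_present(claims, NAME_CLAIMS),
        "tenant_id": _first_present(claims, TENANT_CLAIMS),
    }


def mapping_error(claims):
    """Return the error message for a payload, or None if it maps cleanly."""
    try:
        map_sso_user(claims)
    except ClaimError as err:
        return str(err)
    return None
```

Run your own provider's claims through mapping_error before the test login: a login name in preferred_username or a missing sub is the most common reason the test report fails.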