OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0, an authorization framework. It is a widely used protocol through which an identity provider (IdP) authenticates users to third-party service providers (SPs; OIDC itself calls them relying parties), so that users never have to hand their login credentials to each application.
OAuth 2.0 on its own is a delegated-authorization protocol: it lets an application access resources held by another application on the user's behalf. It is also commonly used to log users in, by presenting the access token to the provider's user endpoint, even though it was not designed as an authentication protocol; OIDC exists to standardize that use. With simple configuration steps, ADSelfService Plus supports SSO to all OAuth- and OIDC-enabled cloud applications.
Because OIDC is an authentication layer on top of OAuth 2.0, the two protocols follow nearly the same authorization code flow; they differ mainly in what the application receives at the end of it.
In OIDC, when a user tries to access an application (the SP), the application redirects the user's browser to the IdP's login (authorization) endpoint and passes parameters such as the client ID, redirect URI, response type, scope, and a state value (plus a nonce for OIDC). After the user successfully authenticates with the IdP, the IdP redirects the browser back to the application's redirect URI.
That redirect carries a short-lived authorization code. The application then presents the code, together with its client credentials, to the IdP's token endpoint over a secure server-to-server back channel and exchanges it for an ID token and an access token. The ID token is a signed JWT that tells the SP who has just logged in; the SP must validate its signature, issuer, audience, expiry, and nonce before trusting it. The access token is used if the application needs more details about the user, such as their profile picture, typically by calling the IdP's user info endpoint.
The flowchart below gives a better understanding of the SP-initiated SSO flow for OIDC.
The OAuth 2.0 authorization code flow works identically to the OIDC code flow described above until the final step: the SP receives an access token (and, where the IdP allows it, a refresh token) from the IdP over the back channel, but no ID token. Because nothing in that response asserts the user's identity, the application has to call the IdP's user endpoint with the access token to learn who logged in. The refresh token lets the application obtain a new access token once the current one expires, without making the user authenticate with the IdP again.
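The two flows described above, as an added example that is not part of the original page or of ADSelfService Plus: a Python model in which the identity provider runs in-process, so the whole exchange (authorization request, browser redirect carrying code and state, back-channel code exchange, then either ID token validation for OIDC or a user endpoint lookup for plain OAuth 2.0) runs offline. The issuer, client ID, client secret, redirect URI, user record, and HMAC signing key are constructed values, and HS256 stands in for the RS256/ES256 signatures real IdPs use.

```python
"""Offline model of the OIDC and plain OAuth 2.0 authorization code flows.
Added example, not ADSelfService Plus code. The IdP runs in-process and signs
the ID token with HS256 over a constructed key so only the standard library is
needed; production IdPs sign with RS256/ES256 and publish keys at the jwks_uri."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.test"                  # constructed
CLIENT_ID = "adssp-demo-client"                      # constructed
CLIENT_SECRET = "constructed-client-secret"          # constructed
REDIRECT_URI = "https://app.example.test/callback"   # constructed
SIGNING_KEY = b"constructed-hmac-key"                # stands in for the IdP's private key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_dict(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeIdP:
    """Simulated identity provider: authorization, token and userinfo endpoints."""

    def __init__(self):
        self.codes = {}          # code -> the request it was issued for (single use)
        self.access_tokens = {}  # access token -> subject
        self.users = {"alice": {"sub": "u-1001", "picture": f"{ISSUER}/alice.png"}}  # constructed

    def authorize(self, auth_url: str, logged_in_user: str) -> str:
        """Front channel: user authenticates; browser is redirected back with code + state."""
        q = query_dict(auth_url)
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(q, sub=self.users[logged_in_user]["sub"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Back channel: the code is single use and bound to client_id and redirect_uri."""
        req = self.codes.pop(code, None)
        if (req is None or req["client_id"] != client_id
                or req["redirect_uri"] != redirect_uri or client_secret != CLIENT_SECRET):
            raise PermissionError("invalid_grant")
        now = int(time.time())
        resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
        self.access_tokens[resp["access_token"]] = req["sub"]
        if "openid" in req["scope"].split():  # OIDC: identity is asserted in a signed ID token
            claims = {"iss": ISSUER, "sub": req["sub"], "aud": client_id,
                      "iat": now, "exp": now + 300, "nonce": req["nonce"]}
            header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
            body = b64url(json.dumps(claims).encode())
            sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
            resp["id_token"] = f"{header}.{body}.{b64url(sig)}"
        else:                                 # plain OAuth 2.0: refresh token, no identity claim
            resp["refresh_token"] = secrets.token_urlsafe(24)
        return resp

    def userinfo(self, access_token: str) -> dict:
        return dict(next(u for u in self.users.values() if u["sub"] == self.access_tokens[access_token]))

def build_authorization_request(scope: str):
    """Client side. state ties the callback to this browser session (CSRF defence);
    nonce ties the ID token to this login attempt (replay defence)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}", state, nonce

def verify_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """Check alg, signature, iss, aud, exp and nonce before trusting any claim."""
    header_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("issuer/audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims

def login(idp: FakeIdP, scope: str, user: str) -> dict:
    """One SP-initiated login. Returns the subject, the token response and the code used."""
    auth_url, state, nonce = build_authorization_request(scope)
    cb = query_dict(idp.authorize(auth_url, user))                # redirect carries code + state
    if not hmac.compare_digest(cb.get("state", ""), state):
        raise ValueError("state mismatch: callback not started by this session")
    tokens = idp.token(cb["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)  # back channel
    if "id_token" in tokens:
        sub = verify_id_token(tokens["id_token"], nonce)["sub"]  # OIDC: identity from ID token
    else:
        sub = idp.userinfo(tokens["access_token"])["sub"]        # OAuth only: ask the user endpoint
    return {"sub": sub, "tokens": tokens, "code": cb["code"]}
```

Running `login(FakeIdP(), "openid profile", "alice")` returns subject `u-1001` from a validated ID token; calling it with scope `profile` returns the same subject but only after a user endpoint lookup, because the token response then carries a refresh token and no ID token. The checks that matter in practice are all on the client side: the `state` comparison on the callback, the single-use code exchange over the back channel, and the `alg`, signature, `iss`, `aud`, `exp` and `nonce` checks on the ID token, any of which a real relying party must perform before treating the login as authenticated.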
ADSelfService Plus provides a range of commonly used OAuth and OIDC applications that are pre-integrated to make SSO configuration easy. Admins can also add any custom OAuth or OIDC-enabled application, which users can then access using SSO. It offers granular policies for admins to easily configure user access to applications. Options to configure IdP details such as authorization endpoint URLs, token endpoint URLs, and user endpoint URLs are provided for both custom and pre-integrated applications.
Users can log in to an application or service with ADSelfService Plus' OAuth and OIDC SSO in two ways, as explained below:
1. Conveniently categorized: Choose from a range of pre-integrated applications that have been categorized for convenience.
2. In-depth configuration: Configure advanced IdP details such as authorization endpoint URLs, token endpoint URLs, and user endpoint URLs by clicking this button.
3. Policy-driven access: Configure which user can access which applications using granular ADSelfService Plus policies.
Free Active Directory users from lengthy help desk calls by letting them reset their passwords and unlock their accounts themselves. Hassle-free password changes for Active Directory users with the ADSelfService Plus 'Change Password' console.
Get seamless one-click access to 100+ cloud applications. With ADSelfService Plus' enterprise single sign-on, users access all their cloud applications with their Active Directory credentials.
Notify Active Directory users of impending password and account expiry by emailing them expiry notifications.
Automatically synchronize Windows Active Directory password and account changes across multiple systems, including Office 365, Google Workspace, IBM iSeries, and more.
Ensure strong user passwords that resist common attacks by requiring Active Directory users to meet your password policy; ADSelfService Plus displays the complexity requirements as they choose a password.