Navigate to previous Previous TopicNext Topic Navigate to next

OAuth and OpenID Connect SSO

Note: SSO for applications is available only with the Endpoint MFA.

OAuth is an authorization protocol that allows authenticated resource accesses between servers and services without sharing any logon credentials. OpenID Connect is an identity layer on top of OAuth's framework.

The basic components in OAuth and OpenID Connect's working are:

OAuth 2.0

This is how OAuth enables SSO:

  1. When a user tries to log in to an application, it sends an authorization request to ADSelfService Plus. The user is then redirected to the ADSelfService Plus login page where they enter the login credentials.
  2. After successful verification, an authorization code is sent to the application from ADSelfService Plus.
  3. The application sends the authorization code back to ADSelfService Plus to receive the access token and the refresh token. The access token acts as a time-bound key for the user to access the application's protected resources. The refresh token is a permanent key that can be used to request a new access token after the old one expires.
  4. Now, the application sends a user info request along with the access token as proof of identity to ADSelfService Plus. The response to this request returns the user profile details required to complete the login process.
  5. After successful verification of user details at the application's end, the user is logged in to the application.

OpenID Connect

OpenID Connect is similar to OAuth SSO, but an ID token is used here. The ID token contains the signature of ADSelfService Plus and the user details. There are two possible scenarios when using OpenID Connect SSO.

Let's understand the workflow in both of these cases.

Application-initiated login

  1. A user tries to log in to an application. The application sends an authorization request to ADSelfService Plus. The user is redirected to the ADSelfService Plus login page.
  2. The user enters their logon credentials here. After successful verification, an authorization code is sent to the application from ADSelfService Plus.
  3. The application sends the authorization code back to ADSelfService Plus to receive the ID token. This token contains the user details required to complete the login process.
  4. After verifying the signature of ADSelfService Plus in the ID token, the application retrieves the user details from the ID token.
  5. Finally, after the successful verification of user details in the application's end, the user is logged in to the application.

ADSelfService Plus-initiated login

  1. A user logs in to ADSelfService Plus successfully, goes to the Applications tab and clicks on the desired application.
  2. In this case, ADSelfService Plus sends an ID token to the application directly.
  3. After verifying the signature of ADSelfService Plus in the ID token, the application retrieves the user details from the ID token.
  4. After the successful verification of user details on the application's end, the user is logged in to the application.

Supported Scopes

Scopes define the level of access that can be requested by the service provider to access a resource. These have to be enabled suitably by the Admin. ADSelfService Plus supports the following scopes:

Supported applications

Go to Top
Navigate to previous Previous TopicNext Topic Navigate to next

Thanks!

Your request has been submitted to the ADSelfService Plus technical support team. Our technical support people will assist you at the earliest.

 

Need technical assistance?

  • Enter your email ID
  • Talk to experts
  •  
     
  •  
  • By clicking 'Talk to experts' you agree to processing of personal data according to the Privacy Policy.

Don't see what you're looking for?

  •  

    Visit our community

    Post your questions in the forum.

     
  •  

    Request additional resources

    Send us your requirements.

     
  •  

    Need implementation assistance?

    Try onboarding

     

Copyright © 2024, ZOHO Corp. All Rights Reserved.