Single Sign-On (SSO) for Sobrado Partners

SSO for Sobrado Partners #

Sobrado is offering a Single Sign-On (SSO) solution for its partners. This document provides a technical checklist for the implementation of SSO.

Architecture #

The SSO solution is based on the OpenID Connect v1.0 protocol and implements «Identity Brokering». We use a standard Keycloak server as our Identity Provider (IdP).

  • Our Partner’s IDP, when using SSO, is an Identity Provider to our Keycloak server.
  • Our Keycloak is the Client to our Partner’s IDP.

On the Partner’s side, the IDP can define which users are allowed to access Sobrado.

On Sobrado’s side, the Keycloak server will create accounts for users it does not know yet and assign them a minimal default role. (Note: on the Sobrado side, this role and a default phone number are added by an Identity Provider Mapper in Keycloak.)

Deactivated users on the Partner’s side will not be able to access Sobrado.

Architecture Diagram #

```mermaid
graph TD
  subgraph Partner's Infrastructure
    PartnerIdP[Partner's IdP]
  end
  subgraph Sobrado Infrastructure
    Keycloak[Sobrado Keycloak IdP]
    Application(Sobrado Application)
  end
  Client(Client Login) -->|Authenticates| PartnerIdP
  PartnerIdP -->|Brokering: adds client| Keycloak
  %% Keycloak --> |Brokering: adds Identity Provider| PartnerIdP
  Keycloak -->|Provides SSO| Application
  style Keycloak fill:#e95a0c,color:#fff
  style Application fill:#e95a0c,color:#fff
  style PartnerIdP fill:#753c52,color:#fff
```

Things needed #

Sobrado needs from Partner #

Sobrado will add the Partner’s Identity Provider to our Keycloak server. The following information is needed and will be provided by the Partner:

  • Partner’s IDP well-known URL in the form of https://partneridp.com/.well-known/openid-configuration, e.g. for Microsoft Azure AD: https://login.microsoftonline.com/axxx-xxxx-xxxx-xxx/v2.0/.well-known/openid-configuration (its German name is «OpenID Connect-Metadatendokument»).
  • Partner’s IDP Name
  • Partner’s IDP Client ID
  • Partner’s IDP Client Secret

Note: in Microsoft Azure AD the naming is a bit confusing:

  • Client ID: Anwendungs ID
  • Tenant ID: Verzeichnis-ID (Mandant)
  • Client Secret: Geheime Clientschlüssel, use Value (Wert)
  • Well-Known URL: OpenID Connect-Metadatendokument

Client Secrets in the form of certificates are not yet supported.

Partner will get from Sobrado #

Our Partner will add an OIDC Client to their Identity Provider. The following information is needed and will be provided by Sobrado:

  • Redirect URI in the form of https://zurix.sobrado.ch/realms/sobrado/broker/thepartner/endpoint
  • SSO URL Application Link to access Sobrado in the form of https://sobrado.ch/sso/login/thepartner

Their clients will access Sobrado using this SSO URL Application Link. It works like the «Login with Google» buttons on other sites, but logs the user in with the Partner’s IDP and then redirects them to Sobrado.
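The two lists above (what Sobrado needs from the Partner, and what the Partner gets from Sobrado) plus the Identity Provider Mapper note in the architecture section are put together in the following added example. It is not Sobrado’s code: it checks a partner-supplied discovery document for the properties Keycloak brokering depends on (HTTPS endpoints, issuer matching the well-known URL, authorization code flow), builds the Keycloak identity-provider representation and the two mappers (default role, default phone number), and derives the redirect URI and SSO link from the broker alias. The discovery document is a constructed sample; the Keycloak field names, the `clientAuthMethod` value, the mapper ids `hardcoded-role-idp-mapper` / `hardcoded-attribute-idp-mapper` and the `phoneNumber` attribute name are assumptions based on the Keycloak admin REST API and must be verified against the deployed Keycloak version.

```python
# Added example, not Sobrado's code: check the partner-supplied discovery
# metadata and build the Keycloak objects and URLs this checklist exchanges.
# The discovery document is a constructed sample. The Keycloak representation
# field names, the clientAuthMethod value, the mapper ids and the phoneNumber
# attribute name are assumptions based on the Keycloak admin REST API; verify
# them against the deployed Keycloak version.
import json
import re
from urllib.parse import urlparse

# Constructed sample of what GET on a partner's well-known URL returns.
WELL_KNOWN_URL = "https://partneridp.example/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": "https://partneridp.example",
    "authorization_endpoint": "https://partneridp.example/oauth2/authorize",
    "token_endpoint": "https://partneridp.example/oauth2/token",
    "userinfo_endpoint": "https://partneridp.example/oidc/userinfo",
    "jwks_uri": "https://partneridp.example/discovery/keys",
    "response_types_supported": ["code", "id_token"],
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def validate_discovery(doc, well_known_url):
    """Return the problems found; an empty list means the metadata is usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    # Keycloak sends the client secret and the authorization code to these
    # endpoints, so every one of them must be HTTPS.
    for key in REQUIRED_KEYS + ("userinfo_endpoint",):
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # OIDC Discovery requires the issuer to equal the well-known URL minus its
    # suffix; Keycloak rejects ID tokens whose iss differs from the issuer.
    if doc["issuer"].rstrip("/") + DISCOVERY_SUFFIX != well_known_url:
        problems.append(f"issuer {doc['issuer']} does not match {well_known_url}")
    # Identity brokering uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems


def alias_is_valid(alias):
    # The alias is the "thepartner" part of the redirect URI and SSO URL; this
    # example keeps it to lowercase letters, digits and '-' (our own rule).
    return re.fullmatch(r"[a-z0-9-]+", alias) is not None


def keycloak_idp_representation(alias, display_name, client_id, client_secret, doc):
    """Identity-provider representation for the Keycloak admin API (assumed field names)."""
    if not alias_is_valid(alias):
        raise ValueError(f"unsafe broker alias: {alias!r}")
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",  # shared secret only; no certificates yet
            "issuer": doc["issuer"],
            "authorizationUrl": doc["authorization_endpoint"],
            "tokenUrl": doc["token_endpoint"],
            "userInfoUrl": doc.get("userinfo_endpoint", ""),
            "jwksUrl": doc["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",  # ID token signatures are checked against jwksUrl
            "defaultScope": "openid profile email",
            "syncMode": "IMPORT",
        },
    }


def default_mappers(alias, default_role, default_phone):
    """The two Identity Provider Mappers mentioned in the architecture section."""
    return [
        {"name": f"{alias}-default-role", "identityProviderAlias": alias,
         "identityProviderMapper": "hardcoded-role-idp-mapper",
         "config": {"syncMode": "INHERIT", "role": default_role}},
        {"name": f"{alias}-default-phone", "identityProviderAlias": alias,
         "identityProviderMapper": "hardcoded-attribute-idp-mapper",
         "config": {"syncMode": "INHERIT", "attribute": "phoneNumber",
                    "attribute.value": default_phone}},
    ]


def partner_urls(alias):
    """What the Partner registers and distributes (URL shapes from this page)."""
    return {
        "redirect_uri": f"https://zurix.sobrado.ch/realms/sobrado/broker/{alias}/endpoint",
        "sso_login_url": f"https://sobrado.ch/sso/login/{alias}",
    }


if __name__ == "__main__":
    problems = validate_discovery(SAMPLE_DISCOVERY, WELL_KNOWN_URL)
    if problems:
        raise SystemExit("discovery metadata rejected: " + "; ".join(problems))
    # Placeholder credentials and phone number; never print a real client secret.
    rep = keycloak_idp_representation("thepartner", "The Partner", "APP-ID-PLACEHOLDER",
                                      "SECRET-PLACEHOLDER", SAMPLE_DISCOVERY)
    print(json.dumps(rep, indent=2))
    print(json.dumps(default_mappers("thepartner", "partner-user", "+41 00 000 00 00"), indent=2))
    print(json.dumps(partner_urls("thepartner"), indent=2))
```

The same alias must appear in the identity-provider representation, in the mapper `identityProviderAlias` and in the redirect URI the Partner registers; if any of the three differs, the Partner’s IDP will refuse the callback or Keycloak will not find the broker. Any discovery document that fails `validate_discovery` should be sent back to the Partner before the Keycloak entry is created.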

Implementation #

Typically, the implementation of SSO involves the following steps and will be tested on a staging (DEV or INT) environment before going live:

Staging #

  1. Partner adds the OIDC Client to their Identity Provider.
  2. Sobrado adds the Partner’s Identity Provider to our Keycloak server.
  3. Sobrado activates the SSO Option on the staging environment, which will also activate the SSO URL for the Partner (in the form of https://sobrado.ch/sso/login/thepartner).
  4. Partner tests the SSO process on their staging environment. For this, real users are needed on the Partner’s side.

Production #

Same steps as above.

For Go-Live, the Partner will have to inform all their users about the SSO URL (in the form of https://sobrado.ch/sso/login/thepartner) to access Sobrado.

Rémy Schumm (@kyburg) - 6f9d5192c17734134019463af806afd0453c8df1

No Word file