# SSO for Sobrado Partners as Id-Providers

Sobrado offers a Single Sign-On (SSO) solution for partners who want to use their own IdP to access Sobrado.
This document provides a technical checklist for the implementation of SSO.
## 📐 Architecture
The SSO solution is based on the OpenID Connect v1.0 protocol and implements «Identity Brokering». We use a standard Keycloak server as our Identity Provider (IdP).
- Our Partner's IDP using SSO is an `Identity Provider` to our Keycloak server.
- Our Keycloak is the `Client` to our Partner's IDP.
On the Partner’s side, the IDP can define which users are allowed to access Sobrado.
On Sobrado's side, the Keycloak server will create accounts for users not yet known to it and assign them a minimal default role.
(Note: on Sobrado's side, this role and a default phone number are added by an Identity Provider Mapper in Keycloak.)
Deactivated users on the Partner’s side will not be able to access Sobrado.
### Architecture Diagram

```mermaid
graph TD
subgraph Partner's Infrastructure
PartnerIdP[Partner's IdP]
end
subgraph Sobrado Infrastructure
Keycloak[Sobrado Keycloak IdP]
Application(Sobrado Application)
end
Client(Client Login) -->|Authenticates| PartnerIdP
PartnerIdP -->|Brokering: adds client| Keycloak
%% Keycloak --> |Brokering: adds Identity Provider| PartnerIdP
Keycloak -->|Provides SSO| Application
style Keycloak fill:#e95a0c,color:#fff
style Application fill:#e95a0c,color:#fff
style PartnerIdP fill:#753c52,color:#fff
```
## ✏️ Things needed

### Sobrado needs from Partner
Sobrado will add the Partner’s Identity Provider to our Keycloak server. The following information is needed and will be provided by the Partner:
- Partner's IDP well-known URL in the form of `https://partneridp.com/.well-known/openid-configuration`, e.g. for Microsoft Azure AD: `https://login.microsoftonline.com/axxx-xxxx-xxxx-xxx/v2.0/.well-known/openid-configuration` (called «OpenID Connect-Metadatendokument» in German)
- Partner's IDP Name
- Partner's IDP Client ID
- Partner's IDP Client Secret

Note: in Microsoft Azure AD the naming is a bit confusing:

- Client ID: Anwendungs-ID
- Tenant ID: Verzeichnis-ID (Mandant)
- Client Secret: Geheime Clientschlüssel, use Value (Wert)
- Well-Known URL: OpenID Connect-Metadatendokument

Client Secrets in the form of certificates are not yet supported.
### Partner will get from Sobrado

Our Partner will add an OIDC Client to their Identity Provider. The following information is needed and will be provided by Sobrado:

- Redirect URI in the form of `https://zurix.sobrado.ch/realms/sobrado/broker/thepartner/endpoint`
- SSO URL Application Link to access Sobrado in the form of `https://sobrado.ch/sso/login/thepartner`

Their users will access Sobrado using this SSO URL Application Link. It works like the «Login with Google» buttons on other sites, but logs the user in with the Partner's IDP and then redirects to Sobrado.
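As an added worked example (not part of the original page and not Sobrado's own tooling), the Python script below shows the pre-flight checks an operator would run on the information exchanged in the two lists above, "Sobrado needs from Partner" and "Partner will get from Sobrado", before the Identity Provider is created in Keycloak: it validates the Partner's well-known document (required endpoints, https only, issuer consistent with the well-known URL, RS256 ID tokens), derives the exact Redirect URI the Partner must register, and builds the identity-provider and mapper representations (minimal default role and default phone number, as the architecture note describes) that Keycloak's admin REST API accepts. The discovery document, the `partneridp.example` host, the role name and the phone number are constructed placeholders; the Keycloak config keys and the mapper ids (`hardcoded-role-idp-mapper`, `hardcoded-attribute-idp-mapper`) are the standard ones of Keycloak's OIDC broker, but the realm, alias and attribute name are assumptions for this example.

```python
"""Pre-flight checks for onboarding a Partner IdP into Keycloak.

Added example; not part of the original page or Sobrado's tooling.  Hostnames,
realm, alias, role name, attribute name and phone number are placeholders.
"""
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document (not fetched from a real IdP).
SAMPLE_WELL_KNOWN_URL = "https://partneridp.example/v2.0/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://partneridp.example/v2.0",
    "authorization_endpoint": "https://partneridp.example/oauth2/v2.0/authorize",
    "token_endpoint": "https://partneridp.example/oauth2/v2.0/token",
    "jwks_uri": "https://partneridp.example/discovery/v2.0/keys",
    "userinfo_endpoint": "https://partneridp.example/oidc/userinfo",
    "end_session_endpoint": "https://partneridp.example/oauth2/v2.0/logout",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def validate_discovery(well_known_url: str, body: str) -> dict:
    """Parse a discovery document and refuse it if it is unsafe to broker against.

    Checks: required endpoints present, every URL uses https, RS256 ID tokens
    are offered, and the issuer equals the well-known URL minus the
    '/.well-known/openid-configuration' suffix (OIDC Discovery requires this;
    a mismatch usually means a mistyped tenant id or a document from the wrong host).
    """
    doc = json.loads(body)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    for key, value in doc.items():
        if key == "issuer" or key.endswith(("_endpoint", "_uri")):
            if urlparse(value).scheme != "https":
                raise ValueError(f"{key} is not https: {value}")
    expected = doc["issuer"].rstrip("/") + "/.well-known/openid-configuration"
    if well_known_url != expected:
        raise ValueError(f"issuer {doc['issuer']!r} does not match {well_known_url!r}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("IdP does not advertise RS256-signed ID tokens")
    return doc


def broker_redirect_uri(keycloak_base: str, realm: str, alias: str) -> str:
    """Exact Redirect URI the Partner must register for this broker alias."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def idp_representation(alias, display_name, client_id, client_secret, doc):
    """Representation for POST /admin/realms/{realm}/identity-provider/instances."""
    config = {
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_post",
        "issuer": doc["issuer"],
        "authorizationUrl": doc["authorization_endpoint"],
        "tokenUrl": doc["token_endpoint"],
        "jwksUrl": doc["jwks_uri"],
        "useJwksUrl": "true",
        "validateSignature": "true",  # verify ID-token signatures against jwksUrl
        "defaultScope": "openid profile email",
    }
    if "userinfo_endpoint" in doc:
        config["userInfoUrl"] = doc["userinfo_endpoint"]
    if "end_session_endpoint" in doc:
        config["logoutUrl"] = doc["end_session_endpoint"]
    return {"alias": alias, "displayName": display_name, "providerId": "oidc",
            "enabled": True, "trustEmail": False, "config": config}


def default_mappers(alias, role, phone):
    """Mappers for POST .../identity-provider/instances/{alias}/mappers: the
    minimal default role and the default phone number for newly brokered users."""
    return [
        {"name": "default-role", "identityProviderAlias": alias,
         "identityProviderMapper": "hardcoded-role-idp-mapper",
         "config": {"syncMode": "INHERIT", "role": role}},
        {"name": "default-phone", "identityProviderAlias": alias,
         "identityProviderMapper": "hardcoded-attribute-idp-mapper",
         "config": {"syncMode": "INHERIT", "attribute": "phoneNumber",
                    "attribute.value": phone}},
    ]


if __name__ == "__main__":
    doc = validate_discovery(SAMPLE_WELL_KNOWN_URL, SAMPLE_DISCOVERY)
    print("Redirect URI for the Partner:",
          broker_redirect_uri("https://zurix.sobrado.ch", "sobrado", "thepartner"))
    print(json.dumps(idp_representation("thepartner", "The Partner",
                                        "client-id-placeholder",
                                        "client-secret-placeholder", doc), indent=2))
    print(json.dumps(default_mappers("thepartner", "sobrado-basic-role",
                                     "+41 00 000 00 00"), indent=2))
```

The script only builds and checks the payloads; actually creating the provider is a separate authenticated call to the admin API (or `kcadm.sh`) that an operator runs once the checks pass. The strict issuer comparison is deliberate: Keycloak will later reject ID tokens whose `iss` does not match the configured issuer, so catching a wrong tenant id or well-known URL here avoids a confusing failure at first login.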
## 🚧 Implementation
Typically, the implementation of SSO involves the following steps and is tested on a staging (DEV or INT) environment before going live:
### Staging

- Partner adds the `OIDC Client` to their Identity Provider.
- Sobrado adds the Partner's `Identity Provider` to our Keycloak server.
- Sobrado activates the SSO option on the staging environment, which also activates the SSO URL for the Partner (in the form of `https://sobrado.ch/sso/login/thepartner`).
- Partner tests the SSO process on their staging environment. For this, real, live users are needed on the Partner's side.
### Production

Same steps as above. For convenience, see the checklist below.
For Go-Live, the Partner will have to inform all their users about the SSO URL (in the form of `https://sobrado.ch/sso/login/thepartner`) to access Sobrado.
## ✅ SSO PROD Go-Live Checklist

For convenience, here is a checklist for our partners who are activating SSO with Sobrado. The checklist can be copied to a Word file, for example, and used during Go-Live.

### Partner's Preparation
| Item | Description | Responsible in Partner’s Org. | Status |
|---|---|---|---|
| Partner IDP Config | adds the Sobrado OIDC Client to their Identity Provider. | … | open |
| .well-known stuff | sends IDP config to Sobrado, incl. Secrets | … | open |
| URLs | gets two URLs from Sobrado: Redirect URL and SSO URL Application Link. | … | open |
| Application Portal | SSO URL Application Link is configured in Partner Portal | … | open |
| User Management | Partner's Sobrado Users Admin is informed to assign new SSO Users the correct rights | … | open |
| Support | Partner Support informed how to contact Sobrado Support | … | open |
### Coordinated Go-Live

These steps need to be activated in a coordinated way in an agreed time slot.
⏱ Go-Live Time: ________
| Item | Description | Responsible | Ready |
|---|---|---|---|
| Application Portal | SSO URL Application Link is configured in Partner Portal | Partner | … |
| SSO Activation | SSO activated for the Partner in Sobrado | Sobrado | … |
| additional IDP config | depending on Partner’s IDP | Partner | … |
happy SSO-ing!