SSO for Sobrado Partners
Sobrado is offering a Single Sign-On (SSO) solution for its partners. This document provides a technical checklist for the implementation of SSO.
Architecture
The SSO solution is based on the OpenID Connect v1.0 protocol and implements «Identity Brokering». We use a standard Keycloak server as our Identity Provider (IdP).
- Our Partner's IDP using SSO is an Identity Provider to our Keycloak server.
- Our Keycloak is the Client to our Partner's IDP.
On the Partner’s side, the IDP can define which users are allowed to access Sobrado.
On Sobrado’s side, the Keycloak server will create accounts for yet unknown users and assign them a minimal default role.
(Note: on the Sobrado side, this role and a default phone number are added by an Identity Provider Mapper in Keycloak.)
Deactivated users on the Partner’s side will not be able to access Sobrado.
Architecture Diagram
graph TD
  subgraph Partner's Infrastructure
    PartnerIdP[Partner's IdP]
  end
  subgraph Sobrado Infrastructure
    Keycloak[Sobrado Keycloak IdP]
    Application(Sobrado Application)
  end
  Client(Client Login) -->|Authenticates| PartnerIdP
  PartnerIdP -->|Brokering: adds client| Keycloak
  %% Keycloak --> |Brokering: adds Identity Provider| PartnerIdP
  Keycloak -->|Provides SSO| Application
  style Keycloak fill:#e95a0c,color:#fff
  style Application fill:#e95a0c,color:#fff
  style PartnerIdP fill:#753c52,color:#fff
Things needed
Sobrado needs from Partner
Sobrado will add the Partner’s Identity Provider to our Keycloak server. The following information is needed and will be provided by the Partner:
- Partner's IDP well-known URL in the form of https://partneridp.com/.well-known/openid-configuration, e.g. for Microsoft Azure AD: https://login.microsoftonline.com/axxx-xxxx-xxxx-xxx/v2.0/.well-known/openid-configuration (called «OpenID Connect-Metadatendokument» in German)
- Partner's IDP Name
- Partner's IDP Client ID
- Partner's IDP Client Secret
Note: in Microsoft Azure AD the naming is a bit confusing:
- Client ID: Anwendungs-ID
- Tenant ID: Verzeichnis-ID (Mandant)
- Client Secret: Geheime Clientschlüssel, use the Value (Wert)
- Well-Known URL: OpenID Connect-Metadatendokument
Client Secrets in the form of certificates are not yet supported.
Partner will get from Sobrado
Our Partner will add an OIDC Client to their Identity Provider. The following information is needed and will be provided by Sobrado:
- Redirect URI in the form of https://zurix.sobrado.ch/realms/sobrado/broker/thepartner/endpoint
- SSO URL Application Link to access Sobrado in the form of https://sobrado.ch/sso/login/thepartner
Their users will access Sobrado using this SSO URL Application Link. It works like the «Login with Google» buttons on other sites, but logs the user in with the Partner's IDP and then redirects to Sobrado.
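As an added example (not Sobrado's or Keycloak's own code), the following script pre-checks the two items exchanged above: it builds the broker Redirect URI the Partner must register, in the form shown, and validates a Partner's OIDC discovery document for what an authorization-code flow with a shared client secret needs (certificate secrets are not supported). The discovery document and hostnames are constructed placeholders.

```python
"""Pre-flight check of a partner's OIDC discovery document before it is
brokered into Keycloak. Added example, not Sobrado's code."""
import json
from urllib.parse import urlparse

# Assumed: the fields Keycloak's OIDC identity provider needs from the
# partner's discovery document for an authorization-code flow.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def broker_redirect_uri(keycloak_base: str, realm: str, alias: str) -> str:
    """Redirect URI the partner registers on its OIDC client (page's format)."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def check_discovery(doc: dict, well_known_url: str) -> list:
    """Return a list of problems found; an empty list means the document passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing {field}")
        elif urlparse(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
    # OIDC Discovery: the document must be served from its own issuer, so the
    # well-known URL is the issuer plus the fixed suffix.
    issuer = doc.get("issuer", "")
    if issuer and well_known_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer} does not match well-known URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # Spec default when the field is omitted is client_secret_basic.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("token endpoint does not accept a shared client secret")
    return problems


# Constructed sample discovery document (placeholder values, not a real IdP).
SAMPLE_DOC = json.loads("""{
  "issuer": "https://partneridp.example/v2.0",
  "authorization_endpoint": "https://partneridp.example/oauth2/v2.0/authorize",
  "token_endpoint": "https://partneridp.example/oauth2/v2.0/token",
  "jwks_uri": "https://partneridp.example/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"]
}""")
SAMPLE_URL = "https://partneridp.example/v2.0/.well-known/openid-configuration"

if __name__ == "__main__":
    print("redirect URI:", broker_redirect_uri("https://zurix.sobrado.ch", "sobrado", "thepartner"))
    print("problems:", check_discovery(SAMPLE_DOC, SAMPLE_URL) or "none")
```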
Implementation
Typically, the implementation of SSO involves the following steps and will be tested on a staging (DEV or INT) environment before going live:
Staging
- Partner adds the OIDC Client to their Identity Provider.
- Sobrado adds the Partner's Identity Provider to our Keycloak server.
- Sobrado activates the SSO Option on the staging environment, which also activates the SSO URL for the Partner (in the form of https://sobrado.ch/sso/login/thepartner).
- Partner tests the SSO process on their staging environment. For this, real-life users are needed on the Partner's side.
Production
Same Steps as above.
For Go-Live, the Partner will have to inform all their users about the SSO URL (in the form of https://sobrado.ch/sso/login/thepartner) to access Sobrado.