
OpenID

Configuration

  1. Log in to the Safous admin portal with your admin credentials.
  2. Navigate to the Integrations > Identity Providers page.
  3. Click the New button located at the top-right corner of the screen.

Step 1: Identity Provider Type

  • Define your basic identity provider information - Enter a unique name.
  • Select OpenID under Choose your identity provider type.

Step 2: Identity Providers Details

  • OpenID Issuer, the issuer URL provided by the third-party IdP.

  • ClientID, a public identifier provided by the third-party IdP.

  • Client Secret, used by the client to exchange an authorization code for a token provided by the third-party IdP.

  • Attributes Mapping: This is used to map attributes between Safous and OpenID. These can be found under the Attribute editor section.

    • Username (mandatory): Map the Safous attribute Username to the corresponding OpenID claim (e.g., name).
    • Email (mandatory): Map the Safous attribute Email to the corresponding OpenID claim (e.g., email).
    • First Name (optional): Map the Safous attribute First name to the corresponding OpenID claim, if applicable.
    • Last Name (optional): Map the Safous attribute Last name to the corresponding OpenID claim, if applicable.
    • Phone Number (optional): Map the Safous attribute Phone number to the corresponding OpenID claim, if applicable.
    • Personal Desktop (optional): Map the Safous attribute Personal desktop to the corresponding OpenID claim, if applicable.

  • Scopes: Defines the scope of data that will be requested from the client by the browser.

    • openid: request for OIDC authentication and an ID token.

    • email: request for access to the end user’s email.

    • profile: request for access to the end user’s profile.

  • Auto Provisioning: An option that ensures user accounts are created, granted proper permissions, modified, disabled, and deleted as needed through SCIM.
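The fields in Step 2 only make sense once you see what a relying party does with them, so here is an added example (not Safous' code, and not a description of how the Safous portal enforces these settings) that shows the three checks a practitioner would expect behind such a form: deriving the OIDC discovery URL from the issuer, validating an ID token's standard claims against the issuer and ClientID, and mapping claims onto the Safous attributes listed above, failing when a mandatory one (Username, Email) is absent. The issuer, client ID, claim names such as `personal_desktop`, the `SAFOUS_ATTRIBUTE_MAP` dictionary and the sample payload are all constructed for illustration; nothing contacts a real IdP and signature verification is assumed to have happened before `validate_id_token_claims` is called.

```python
"""Added example: OIDC issuer discovery URL, ID-token claim checks and
claim-to-attribute mapping for the Step 2 settings. Not Safous' code."""
import time

# Constructed sample values for the fields entered in Step 2 (assumptions).
ISSUER = "https://idp.example.com"          # "OpenID Issuer"
CLIENT_ID = "safous-demo-client"            # "ClientID"
REQUESTED_SCOPES = {"openid", "email", "profile"}

# Safous attribute -> (OpenID claim, mandatory?), mirroring the Attributes Mapping
# list. The claim names are assumptions; 'personal_desktop' is a made-up custom claim.
SAFOUS_ATTRIBUTE_MAP = {
    "Username": ("name", True),
    "Email": ("email", True),
    "First name": ("given_name", False),
    "Last name": ("family_name", False),
    "Phone number": ("phone_number", False),
    "Personal desktop": ("personal_desktop", False),
}


def discovery_url(issuer):
    """OIDC Discovery publishes provider metadata at
    <issuer>/.well-known/openid-configuration; avoid a double slash when the
    configured issuer ends with '/'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Check an already signature-verified ID token payload.
    Returns a list of problems; an empty list means the payload is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain client_id")
    # With several audiences OIDC Core requires azp to name this client.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def map_claims_to_attributes(claims, mapping=SAFOUS_ATTRIBUTE_MAP):
    """Build the Safous user record from token claims. Raises ValueError when a
    mandatory attribute has no claim value; optional ones are simply skipped."""
    record, missing = {}, []
    for attribute, (claim, mandatory) in mapping.items():
        value = claims.get(claim)
        if value in (None, ""):
            if mandatory:
                missing.append(f"{attribute} <- {claim}")
            continue
        record[attribute] = value
    if missing:
        raise ValueError("mandatory attribute(s) missing: " + ", ".join(missing))
    return record


def unsupported_scopes(requested, provider_metadata):
    """Scopes from Step 2 that the provider's discovery document does not list in
    scopes_supported. That key is optional in OIDC Discovery, so when it is absent
    nothing can be flagged and an empty set is returned."""
    supported = provider_metadata.get("scopes_supported")
    if supported is None:
        return set()
    return set(requested) - set(supported)


# Constructed sample payload, as it would look after the JWT has been decoded
# and its signature verified.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "1234567890",
    "exp": 2_000_000_000,
    "nonce": "n-0S6_WzA2Mj",
    "name": "jdoe",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(validate_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID,
                                   "n-0S6_WzA2Mj", now=1_900_000_000))
    print(map_claims_to_attributes(SAMPLE_CLAIMS))
    print(unsupported_scopes(REQUESTED_SCOPES, {"scopes_supported": ["openid", "email"]}))
```

The mapping function is deliberately strict about the two mandatory attributes: if the IdP does not release the `email` claim (for instance because the `email` scope was not granted), provisioning stops with an error rather than creating an account with no address, which is the failure mode to watch for when the Scopes list and the Attributes Mapping disagree.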

Step 3: MFA Parameter

  • MFA Provider: Ensure that the MFA Provider is set to Safous. This will enforce MFA for added security.
  • Available MFA methods
    • Scan QR code: This option enables the use of QR codes for authentication. Users can scan the QR code with an authenticator app on their phone to generate a one-time code.
    • Provide phone number: If this option is selected, users can use their phone number for MFA. They may receive a verification code via SMS or a phone call.
    • Provide email address: This option, when selected, will allow users to use their email address as one of the authentication methods. They might receive a verification code or link via email.
      By default, all three are selected.
  • Editing sign-in methods
    • Allow users to change their sign-in methods - If this option is enabled, users will have the ability to change their selected MFA methods. This gives them flexibility to switch between different methods as needed.
      For this article, we will leave it unchecked.

Step 4: Enrollment Method

These settings are used to control how users enroll into the Safous user database.

Request from user when they enroll:

  • Personal Desktop: When selected, users will be required to register their personal desktop device during enrollment.
  • Accept legal documentation: If selected, users will need to accept legal documents or terms and conditions as part of the enrollment process.
    For this article, we will leave these options unchecked.

Choose the method to enroll users:

  • Admin rollout: Enrollment is managed and initiated by an administrator.
  • Self service enrollment: Users can enroll themselves into the system. This option allows users to self-register, which is often more scalable.
    • Activate users automatically when they complete enrollment: When this is checked, users are activated immediately upon completing the enrollment process.
      For this article, we will select Self service enrollment and enable the Activate users automatically when they complete enrollment option.

Additional Settings:

  • Hide from end-user login screen: This option hides the enrollment method from the users' login screen.
  • Users can change their personal details: Allows users to update their personal information after enrollment.

Domain based check:

  • No domain: Indicates that no domain-based restrictions apply to the enrollment.
  • With domain: Enables domain-based restrictions for enrollment.
    • Any domain: Allows enrollment from any domain.
    • Specific domain: Restricts enrollment to users from specific domains.
      For this article, we will select Any domain and check the checkboxes for both the No domain and With domain options.
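To make the domain based check concrete, here is an added example (not Safous' code; the page does not describe how the portal implements the check) that evaluates a self-service enrollment request against the three outcomes the options above describe: no domain restriction, any domain, or a specific list of domains. The mode constants, the `allowed_domains` list and the sample addresses are assumptions for illustration. Matching is exact and case-insensitive, so `sub.example.com` does not satisfy a rule for `example.com`.

```python
"""Added example: domain based check for self-service enrollment. Not Safous' code."""

# Modes mirror the page's options: "No domain", and "With domain" with either
# "Any domain" or "Specific domain". The names are assumptions.
NO_DOMAIN = "no_domain"
ANY_DOMAIN = "any_domain"
SPECIFIC_DOMAIN = "specific_domain"


def email_domain(email):
    """Return the lower-cased domain part of an address, or None when the value
    is not a string with exactly one '@' between a non-empty local part and a
    non-empty domain. A trailing dot on the domain is ignored."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain:
        return None
    return domain


def enrollment_allowed(email, mode, allowed_domains=()):
    """True when the address satisfies the configured domain check.

    NO_DOMAIN: no domain restriction, so any request passes this check.
    ANY_DOMAIN: the address must at least carry a parseable domain.
    SPECIFIC_DOMAIN: the domain must equal one of allowed_domains exactly;
    subdomains and look-alikes do not match."""
    if mode == NO_DOMAIN:
        return True
    domain = email_domain(email)
    if domain is None:
        return False
    if mode == ANY_DOMAIN:
        return True
    if mode == SPECIFIC_DOMAIN:
        return domain in {d.strip().lower() for d in allowed_domains}
    raise ValueError(f"unknown domain check mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample requests.
    for addr in ("jdoe@Example.com", "jdoe@sub.example.com", "not-an-email"):
        print(addr, enrollment_allowed(addr, SPECIFIC_DOMAIN, ["example.com"]))
```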