Single sign-on (SSO)
  • 30 Aug 2022

Campos supports the following protocols:

  • OpenID Connect
  • SAML2

OpenID Connect

1. Add a new client to your Identity provider and register the following Redirect-URIs:

  • https://signin.campos.ch/signin-<YourAuthScheme> 
  • https://signin.stage.campos.ch/signin-<YourAuthScheme> (test system)

2. For the unique identification of users, at least one of the following claims has to be exported:

  • sub
  • oid
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    • Use a stable ID that never changes (such as a GUID) and avoid unstable attributes such as the email address, which may change on marriage.

3. For the on-the-fly creation of users when signing in for the first time, the following additional claims are needed:

  • email
  • given_name
  • family_name
  • locale (optional)

4. Communicate the following information to devteam@icfm.ch:

  • authority-URL (OAuth 2.0 Endpoint)
  • newly created client ID for CAMPOS

ADFS with SAML2

1. Communicate the entityID (authority-URL) to devteam@icfm.ch

2. We will add your identity provider and give you the URL for the SAML metadata XML. It will look like https://signin.campos.ch/saml2/<YourAuthScheme> 

3. Import the metadata XML

4. Typical claim rules:

  • User-Principal-Name -> email
  • Given-Name -> given_name
  • Surname -> family_name
  • ObjectGUID -> Name ID
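
As an added example (not part of the Campos documentation or its code), the following Python check validates a decoded claim set against steps 2 and 3 of the OpenID Connect section and applies the typical ADFS claim rules from the SAML2 section; the function names and the sample values are constructed here.

```python
"""Claim-set checks for the Campos SSO requirements described above.

Added example, not code from the Campos documentation or code base.
Function names and sample payloads are constructed for illustration.
"""

NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Claims from which Campos derives the unique user identifier (step 2).
IDENTIFIER_CLAIMS = ("sub", "oid", NAMEID_CLAIM)

# Claims needed for on-the-fly user creation on first sign-in (step 3).
PROFILE_CLAIMS = ("email", "given_name", "family_name")

# Typical ADFS claim rules for SAML2: Campos claim -> ADFS attribute.
# ObjectGUID is issued as the Name ID, which arrives as the nameidentifier claim.
ADFS_CLAIM_RULES = {
    "email": "User-Principal-Name",
    "given_name": "Given-Name",
    "family_name": "Surname",
    NAMEID_CLAIM: "ObjectGUID",
}


def check_claims(claims: dict) -> list[str]:
    """Return findings for an ID-token payload or SAML attribute set.

    An empty list means the claim set satisfies steps 2 and 3.
    """
    findings = []
    ids = [c for c in IDENTIFIER_CLAIMS if claims.get(c)]
    if not ids:
        findings.append("no identifier claim (sub, oid or nameidentifier)")
    # An identifier that looks like an email address is unstable (may change on marriage).
    for c in ids:
        if "@" in str(claims[c]):
            findings.append(f"{c} looks like an email address; use a stable ID such as a GUID")
    missing = [c for c in PROFILE_CLAIMS if not claims.get(c)]
    if missing:
        findings.append("missing claims for on-the-fly user creation: " + ", ".join(missing))
    return findings


def map_adfs_attributes(attrs: dict) -> dict:
    """Apply the typical ADFS claim rules to a dict of ADFS attribute values."""
    return {campos: attrs[adfs] for campos, adfs in ADFS_CLAIM_RULES.items() if adfs in attrs}
```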
