Single Sign-On (SSO) & OAuth2

Use an outside authentication source to verify users into your community

Single Sign-On (SSO) enables your users to authenticate with our application via your identity provider. When enabled, all other forms of authentication are disabled. Honeycommb supports both OAuth2 and SAML 2.0.

You can only enable one method of SSO at a time. Configuration for both can be reached from the community details page.

SAML 2.0

Step 1: Setup Protocol

Select SAML as the protocol. Use the ACS url and SP entity to plug into your identity provider.

We require that the name ID is returned as an email address.

We also require the following attributes:

  1. first_name should be the first name of the user.
  2. last_name should be the last name of the user.

Failure to map these fields will result in failed SAML auth requests.

Step 2: Fill in the IDP Entity Name

The IDP Entity name is the name of the identity provider. It should be recognizable to the end user so they know what system they're about to sign into.

Step 3a: Fill in IDP Metadata

If your provider gives you the xml metadata, simply copy paste it into the Idp Metadata field. You can skip step 3b.

If you do not have the xml metadata, proceed to step 3b.

Step 3b: Fill Details Manually

Fill in the following fields: IDP Entity, IDP SSO Target Url, IDP SLO Target Url, IDP Cert, IDP Cert Fingerprint, IDP Cert Fingerprint Algorithm. You can get these from your identity provider.

Step 4: Activate

Check the "Active" box and save. SSO via SAML will now be enabled.

OAuth2

Step1: Setup Protocol

Select Oauth2 as the protocol. Use the Callback URL to plug into the identity provider.

Step 2: Setup Details

All fields are required except the name mapping.

Provider - The name of the identity provider. It should be recognizable to the end user so they know what system they're about to sign into.

Client ID - Retrieve this from the OAuth application.

Client Secret - Retrieve this from the OAuth application.

Scope - Any additional scopes required to authenticate. See https://oauth.net/2/scope/ for additional details.

Authorization URL - The sign in url for your users. (See github example)

Token URL - The url to fetch the bearer token from.  (See github example)

User URLThe url to fetch the current user from. (See github example)

Step 3: Setup Mapping

The mapping fields describe how to traverse the json response from the User URL to retrieve specific fields. We use dot notation to traverse JSON objects.

In our example, the user URL responds with the following payload:

{
"id": 123,
"user": {
"email": "test@honeycommb.com",
"username": "test_user",
"name": "Test User"
}
}

Email mapping would be user.email

Username mapping would be user.username

Name mapping would be user.name

Step 4: Activate

Check the "Active" box and save. SSO via OAuth2 will now be enabled.


RELATED: The User Experience in using SSO to log into the community