Single Sign-On (SAML, OAuth2, and JWT)

Use an outside authentication source to verify users into your community

Single Sign-On (SSO) enables your users to authenticate with our application via your identity provider. When enabled, all other forms of authentication are disabled. Honeycommb supports SAML 2.0, OAuth 2, and JWT.

You can only enable one method of SSO at a time. Configuration for both can be reached from the community details page.

 

Single Sign On Using SAML 2.0

Single Sign On Using OAuth2

Single Sign On Using JWT (mobile app integration solution)

SAML 2.0

Step 1: Setup Protocol

Select SAML as the protocol. Use the ACS url and SP entity to plug into your identity provider.

We require that the name ID is returned as an email address.

We also require the following attributes:

  1. first_name should be the first name of the user.
  2. last_name should be the last name of the user.

Failure to map these fields will result in failed SAML auth requests.

Step 2: Fill in the IDP Entity Name

The IDP Entity name is the name of the identity provider. It should be recognizable to the end user so they know what system they're about to sign into.

Step 3a: Fill in IDP Metadata

If your provider gives you the xml metadata, simply copy paste it into the Idp Metadata field. You can skip step 3b.

If you do not have the xml metadata, proceed to step 3b.

Step 3b: Fill Details Manually

Fill in the following fields: IDP Entity, IDP SSO Target Url, IDP SLO Target Url, IDP Cert, IDP Cert Fingerprint, IDP Cert Fingerprint Algorithm. You can get these from your identity provider.

Step 4: Activate

Check the "Active" box and save. SSO via SAML will now be enabled.

OAuth2

Step1: Setup Protocol

Select Oauth2 as the protocol. Use the Callback URL to plug into the identity provider.

Step 2: Setup Details

All fields are required except the name mapping.

Provider - The name of the identity provider. It should be recognizable to the end user so they know what system they're about to sign into.

Client ID - Retrieve this from the OAuth application.

Client Secret - Retrieve this from the OAuth application.

Scope - Any additional scopes required to authenticate. See https://oauth.net/2/scope/ for additional details.

Authorization URL - The sign in url for your users. (See github example)

Token URL - The url to fetch the bearer token from.  (See github example)

User URLThe url to fetch the current user from. (See github example)

Step 3: Setup Mapping

The mapping fields describe how to traverse the json response from the User URL to retrieve specific fields. We use dot notation to traverse JSON objects.

In our example, the user URL responds with the following payload:

{
"id": 123,
"user": {
"email": "test@honeycommb.com",
"username": "test_user",
"name": "Test User"
}
}

Email mapping would be user.email

Username mapping would be user.username

Name mapping would be user.name

Step 4: Activate

Check the "Active" box and save. SSO via OAuth2 will now be enabled.

JWT 

Step 1:  Setup Protocol

Select JWT as the protocol and fill in the following:

Jwt Provider - The name of the provider (used to print "Login with [Jwt Provider]")

Jwt Provider URL - The URL where users sign in. The user is redirected here if they need to sign in.

one

Step 2: Copy the JWT Signing Key

The signing key is available after hitting save. Keep this key secret as it will be used to sign the JWT.

Step 3: Create the JWT

On your server, you will need to create a JWT with the following payload structure:

{
  external_id: "your stable identifier for the user",
  email: "user@email.com", 
  username: "user123",
  name: "First Last",
}

external_id - Required. An identifier that does not change over time.

email - Required. A unique email address for the user.

username - Required. A unique username used in Honeycommb.

name - Required. A name used for display purposes in Honeycommb.

Example in Ruby

token = JWT.encode(
  {
      external_id: '123',
      email: 'user@email.com',
      username: 'username123',
      name: 'John Doe'
  },
    SIGNING_KEY

)

Step 4: Send user to the JWT consume url

Send the user to https://[your_community].honeycommb.com/jwt/consume?jwt=[token] which will then authenticate the user and forward them to the home feed.

 


RELATED: The User Experience in using SSO to log into the community