Within OpenChannel, users and partners can log in to marketplace and partner portal sites using either Native Login or SSO. With Native Login, OpenChannel acts as the identity provider by storing and managing the user account data. Native Login is the fastest and easiest way to allow users or developers to register and log in. With SSO login, an external identity provider like Google, Auth0 or Okta needs to be set up and is responsible for storing and managing the user account data.
Configuring Native Login
By default, both partner portal and marketplace sites are configured for Native SSO. To check your Native SSO configuration, follow the steps below:
- Log in to the OpenChannel Dashboard if not already logged in.
- Navigate to Sites in the left pane.
- Create a new site or click on an existing site.
- Click the Authentication tab.
- Click on Native to view the configuration.
Setup External SSO
We also support authentication using an OpenID Connect SSO identity provider. To set up External SSO, follow these steps:
- Log in to the OpenChannel Dashboard if not already logged in.
- Navigate to Sites in the left pane.
- Create a new site or click on an existing site.
- Click the Authentication tab.
- Click on the “Add identity configuration” button at the bottom of the list.
- Fill out the “New Identity Configuration” form (some examples below).
Configuration Fields
Field | Description |
---|---|
Name | The name of the identity configuration. |
Validation Mode | The mode in which the JWT token is validated. Authorization Code (recommended): Validates the JWT token using the standard authorization code flow and maintains the original access token. |
Client ID | The Client Id provided by your identity provider. |
Client Secret | The Secret provided by your identity provider. |
Issuer URL | The Issuer URL provided by your identity provider. |
Grant Type | Application grant types (or flows) are methods through which applications can gain Access Tokens. Authorization Code Grant: Exchanges an Authorization Code for a token. |
Scope | The scopes required to access all of the data needed in the claims mappings. |
Classification | The types of users that will be registering and logging into this identity provider. USER: Users that register in this identity provider will be consumers of apps and can install and enable apps. Typically this is the classification used for a marketplace site. |
Claims Mappings | Claims mappings help sync the user data within JWT claims or the Userinfo endpoint to the user data stored in OpenChannel. For example, if the JWT contains information about the user’s email address then that email should be provided and saved to the user’s OpenChannel record. This will then allow you to configure the sending of automated email notifications to the user. Key: The OpenChannel field that this value will be saved as. |
User/Developer Organization Type | The type to automatically assign when a new organization is created. |
User/Developer Account Type | The type to automatically assign when a new individual’s account is created. |
User/Developer Account Roles | The role to automatically assign when a new individual’s account is created. |
User/Developer Account Permissions | Any additional permissions to automatically assign when a new individual’s account is created. |
Configuration Examples
Google SSO configuration
This configuration will allow you to log in to your marketplace or partner portal site using your Google account.
- Name: Google
- Validation Mode: Authorization Code
- Client ID: the Client ID from your SSO provider
- Client Secret: the Client Secret from your SSO provider
- Issuer URL: https://accounts.google.com
- Grant Type: Authorization Code
- Scope: openId profile email
- Classification: USER (for a marketplace site) or DEVELOPER (for a partner portal site)
- Claims mappings:
  - accountId : {{sub}}
  - email : {{email}}
  - name : {{given_name}} {{family_name}}
  - username : {{name}}
Okta SSO configuration
This configuration will allow you to log in to your marketplace or partner portal site using your Okta identity provider.
- Name: Okta
- Validation Mode: Authorization Code
- Client ID: The OAuth client ID provided after setting up your marketplace or partner portal site as a service provider.
- Client Secret: The OAuth client secret provided after setting up your marketplace or partner portal site as a service provider.
- Issuer URL: The provided issuer URL, like: https://{your domain id}.okta.com
- Grant Type: Authorization Code
- Scope: openId profile email
- Classification: USER (for a marketplace site) or DEVELOPER (for a partner portal site)
- Claims mappings:
  - accountId : {{sub}}
  - email : {{email}}
  - name : {{name}}
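The Scope and Claims Mappings fields depend on each other: a `{{claim}}` placeholder can only be filled if the requested scopes make the identity provider return that claim. The following is an added example, not OpenChannel code, that checks the Google mappings above against the standard scope-to-claim table in OpenID Connect Core 1.0 section 5.4 and renders them over constructed sample claims. The function names, the case-insensitive scope comparison and the choice to fail on a missing claim are assumptions of this example; the page does not document how OpenChannel handles an absent claim.

```python
import re

# Standard scope -> claims table from OpenID Connect Core 1.0, section 5.4.
# "sub" is always in the ID token, which the "openid" scope requests.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def missing_scopes(mappings, scope):
    """Return the standard scopes the mappings need but `scope` does not request."""
    # Assumption: compare case-insensitively, because the page writes "openId"
    # while OIDC Core spells the scope value "openid".
    granted = {s.lower() for s in scope.split()}
    needed = set()
    for template in mappings.values():
        for claim in PLACEHOLDER.findall(template):
            needed |= {s for s, claims in SCOPE_CLAIMS.items() if claim in claims}
    return sorted(needed - granted)


def apply_mappings(mappings, claims):
    """Render each template; raise if a referenced claim is absent or empty."""
    def lookup(match):
        name = match.group(1)
        if name not in claims or claims[name] in (None, ""):
            raise KeyError(f"claim '{name}' not returned by the identity provider")
        return str(claims[name])
    return {field: PLACEHOLDER.sub(lookup, tpl) for field, tpl in mappings.items()}


# Claims mappings copied from the Google example on this page.
GOOGLE_MAPPINGS = {"accountId": "{{sub}}", "email": "{{email}}",
                   "name": "{{given_name}} {{family_name}}", "username": "{{name}}"}
# Constructed sample claims, not real user data.
SAMPLE_CLAIMS = {"sub": "1234567890", "email": "jane@example.com",
                 "given_name": "Jane", "family_name": "Doe", "name": "Jane Doe"}

if __name__ == "__main__":
    print(missing_scopes(GOOGLE_MAPPINGS, "openId profile email"))
    print(apply_mappings(GOOGLE_MAPPINGS, SAMPLE_CLAIMS))
```

Dropping `profile` from the scope makes `missing_scopes` report it, which is the misconfiguration that would otherwise surface as empty name fields on new accounts.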