Configuring Login and SSO for sites

Within OpenChannel, users and partners are able to log into marketplace and partner portal sites using either Native Login or SSO. With Native Login, OpenChannel will act as the identity provider by storing and managing the user account data. Native Login is the fastest and easiest way to allow users or developers to register and login. With SSO login an external identity provider like Google, Auth0 or Okta will need to be setup and will be responsible for storing and managing the user account data.

A partner portal is a site where developers or partners can manage and submit apps to the marketplace. The marketplace is a site where users can discover, search or install apps. To learn more about setting up these please see: Setting up self hosted sites.

By default, both partner portal and marketplace sites are configured for Native SSO. To check your Native SSO configuration you should follow the below steps:

Login to OpenChannel Dashboard if not already logged in.
Navigate to Sites in the left pane.
Create a new site or click on an existing site.
Click the Authentication tab
Click on Native to view the configuration

Setup External SSO

We also support authentication using an OpenId connect SSO identity provider. To set up External SSO you need to follow these steps:

Login to OpenChannel Dashboard if not already logged in.
Navigate to Sites in the left pane.
Create a new site or click on an existing site.
Click the Authentication tab
Click on the “Add identity configuration” button at the bottom of the list.
Fill out the “New Identify Configuration form” (some examples below)

Configuration Fields

Field	Description
Name	The name of the identity configuration.
Validation Mode	The mode in which the JWT token is validated. Authorization Code (recommended): Validates the JWT token using the standard authorization code flow and maintains the original access token. Introspection: Validates the JWT token against the introspection URL specified in your /.well-known/openid-configuration endpoint but then will create and maintain an internally generated access token. Public Key: Validates the JWT token against the public key specified in your jwks_uri endpoint (which is identified in your /.well-known/openid-configuration endpoint) but then will create and maintain an internally generated access token.
Client ID	The Client Id provided by your identity provider.
Client Secret	The Secret provided by your identity provider.
Issuer URL	The Issuer URL provided by your identity provider.
Grant Type	Application grant types (or flows) are methods through which applications can gain Access Tokens. Authorization Code Grant: Exchanges an Authorization Code for a token.
Scope	The scopes required to access all of the data needed in the claims mappings
Classification	The types of users that will be registering and logging into this identity provider. USER: Users that register in this identity provider will be consumers of apps and can install and enable apps. Typically this is the classification used for a marketplace site. DEVELOPER: Users that register in this identity provider will be developer of apps and create and submit apps. Typically this is the classification used for a partner portal site. USER_DEVELOPER: Users that register in this identity provider will be both consumers (can install and enable apps) and developers (can create and submit apps) of apps. Typically this is the classification used for hybrid site where any user can both consume and develop apps.
Claims Mappings	Claims mappings help sync the user data within JWT claims or the Userinfo endpoint to the user data stored in OpenChannel. For example, if the JWT contains information about the user’s email address then that email should be provided and saved to the user’s OpenChannel record. This will then allow you to configure the sending of automated email notifications to the user. Key: The OpenChannel field that this value will be saved as. Value: The attribute(s) within the JWT token or Userinfo endpoint. Field Type: The data type for this field Target: Whether this value should be applied to the individual user or the user’s organization.
User/Developer Organization Type	The type to automatically assign when a new organization is created
User/Developer Account Type	The type to automatically assign when a new individual’s account is created
User/Developer Account Roles	The role to automatically assign when a new individual’s account is created
User/Developer Account Permissions	Any additional permissions to automatically assign when a new individual’s account is created

Configuration Examples

Google SSO configuration

This configuration will allow you to login to your marketplace or partner portal site using your google account.

Name: Google
Validation Mode: Authorization Code
Client ID: your Client ID from SSO provider
Client Secret: same thing here
Issuer URL: https://accounts.google.com
Grant Type: Authorization Code
Scope: openId profile email
Classification: USER (for a marketplace site) or DEVELOPER (for partner portal site)
Claims mapping:
- accountId : {{sub}}
- email : {{email}}
- name : {{given_name}} {{family_name}}
- username : {{name}}

Okta SSO configuration

This configuration will allow you to login to your marketplace or partner portal site using your Okta identity provider.

Name : Okta
Validation Mode: Authorization Code
Client ID: The OAuth clientId provided after setting up your marketplace or partner portal site as a service provider.
Client Secret: OAuth client secret provided after setting up your marketplace or partner portal site as a service provider.
Issuer URL: The provided issuer URL like: https://{your domain id}.okta.com
Grant Type: Aauthorization Code
Scope: openId profile email
Classification: USER (for a marketplace site) or DEVELOPER (for partner portal site)
Claims mappings:
- accountId : {{sub}}
- email : {{email}}
- name : {{name}}

Configuring Native Login

Setup External SSO

Configuration Fields

Configuration Examples