Within OpenChannel, users and partners are able to log into marketplace and partner portal sites using either Native Login or SSO. With Native Login, OpenChannel acts as the identity provider by storing and managing the user account data. Native Login is the fastest and easiest way to allow users or developers to register and log in. With SSO login, an external identity provider like Google, Auth0 or Okta must be set up and is responsible for storing and managing the user account data.

A partner portal is a site where developers or partners can manage and submit apps to the marketplace. The marketplace is a site where users can discover, search for or install apps. To learn more about setting these up, please see: Setting up self hosted sites.

Configuring Native Login

By default, both partner portal and marketplace sites are configured for Native Login. To check your Native Login configuration, follow the steps below:

  1. Login to OpenChannel Dashboard if not already logged in.
  2. Navigate to Sites in the left pane.
  3. Create a new site or click on an existing site.
  4. Click the Authentication tab.
  5. Click on Native to view the configuration.

Setup External SSO

We also support authentication using an OpenID Connect SSO identity provider. To set up External SSO you need to follow these steps:

  1. Login to OpenChannel Dashboard if not already logged in.
  2. Navigate to Sites in the left pane.
  3. Create a new site or click on an existing site.
  4. Click the Authentication tab.
  5. Click on the “Add identity configuration” button at the bottom of the list.
  6. Fill out the “New Identity Configuration” form (some examples are given below).

Configuration Fields

Name: The name of the identity configuration.

Validation Mode: The mode in which the JWT token is validated.
  • Authorization Code (recommended): Validates the JWT token using the standard authorization code flow and maintains the original access token.
  • Introspection: Validates the JWT token against the introspection URL specified in your /.well-known/openid-configuration endpoint, but then creates and maintains an internally generated access token.
  • Public Key: Validates the JWT token against the public key specified in your jwks_uri endpoint (which is identified in your /.well-known/openid-configuration endpoint), but then creates and maintains an internally generated access token.

Client ID: The Client ID provided by your identity provider.
Client Secret: The Client Secret provided by your identity provider.
Issuer URL: The Issuer URL provided by your identity provider.

Grant Type: Application grant types (or flows) are the methods through which applications can obtain Access Tokens.
  • Authorization Code Grant: Exchanges an Authorization Code for a token.

Scope: The scopes required to access all of the data needed in the claims mappings.

Classification: The types of users that will be registering and logging in through this identity provider.
  • USER: Users that register in this identity provider will be consumers of apps and can install and enable apps. Typically this is the classification used for a marketplace site.
  • DEVELOPER: Users that register in this identity provider will be developers of apps and can create and submit apps. Typically this is the classification used for a partner portal site.
  • USER_DEVELOPER: Users that register in this identity provider will be both consumers (can install and enable apps) and developers (can create and submit apps) of apps. Typically this is the classification used for a hybrid site where any user can both consume and develop apps.

Claims Mappings: Claims mappings sync the user data in the JWT claims or the Userinfo endpoint to the user data stored in OpenChannel. For example, if the JWT contains the user’s email address, that email should be mapped and saved to the user’s OpenChannel record; this then allows you to configure the sending of automated email notifications to the user.
  • Key: The OpenChannel field that this value will be saved as.
  • Value: The attribute(s) within the JWT token or Userinfo endpoint.
  • Field Type: The data type for this field.
  • Target: Whether this value should be applied to the individual user or the user’s organization.

User/Developer Organization Type: The type to automatically assign when a new organization is created.
User/Developer Account Type: The type to automatically assign when a new individual’s account is created.
User/Developer Account Roles: The role to automatically assign when a new individual’s account is created.
User/Developer Account Permissions: Any additional permissions to automatically assign when a new individual’s account is created.
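
The Public Key validation mode described above checks the token's signature against the key the provider publishes at its jwks_uri, and only then trusts the claims. The following Python example is added here to show that check end to end; it is not OpenChannel's code and uses only the standard library. It generates a demo-size RSA key pair, publishes the public half in a constructed JWKS document (standing in for the jwks_uri response), signs a token the way a provider would, and validates it the way the relying party must: algorithm pinned to RS256, key selected by kid, signature verified before any claim is read, then iss, aud and exp compared. The issuer, client id, kid and claim values are constructed for the example.

```python
"""RS256 ID-token validation against a JWKS document (Public Key validation mode).

Added example, standard library only. The RSA key pair is generated here at demo
size (512-bit) so the block runs quickly; real providers publish 2048-bit or
larger keys at their jwks_uri, and only the public half is needed to validate.
"""
import base64, hashlib, json, secrets, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test, adequate for generating demo keys."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n in small:
        return True
    if n < 2 or any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=512):
    """Return {'n', 'e', 'd'}; only n and e are published in the JWKS."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes (RFC 8017, 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, message):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(pub, message, signature):
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))

def jwks_from_public_key(pub, kid):
    """Shape of the document served at the provider's jwks_uri (RFC 7517)."""
    enc = lambda v: _b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(pub["n"]), "e": enc(pub["e"])}]}

def issue_id_token(key, kid, claims):
    """Stand-in for the provider: build and sign a compact JWS (RFC 7515)."""
    dumps = lambda o: _b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = dumps({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + dumps(claims)
    return signing_input + "." + _b64url(rs256_sign(key, signing_input.encode()))

def validate_id_token(token, jwks, issuer, client_id, now=None):
    """Return the verified claims, or raise ValueError naming the check that failed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never accept 'none' or an HS* downgrade
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")
                and k.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("no matching kid in JWKS")
    pub = {"n": int.from_bytes(_b64url_decode(jwk["n"]), "big"),
           "e": int.from_bytes(_b64url_decode(jwk["e"]), "big")}
    if not rs256_verify(pub, f"{h_b64}.{p_b64}".encode(), _b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(p_b64))  # decoded only after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = generate_rsa_keypair()
    jwks = jwks_from_public_key(key, "demo-key-1")  # constructed; stands in for the jwks_uri response
    now = int(time.time())
    token = issue_id_token(key, "demo-key-1", {"iss": "https://idp.example", "aud": "marketplace-client",
                                                "sub": "user-123", "email": "ada@example.com",
                                                "iat": now, "exp": now + 300})
    print(validate_id_token(token, jwks, "https://idp.example", "marketplace-client"))
```

The order of the checks is the point: the header is read only to pick the algorithm and key, the payload is not parsed until the signature verifies, and a token signed by a different key under the same kid, an expired token, or a token issued for a different client id are all rejected with a distinct error. The `kid` lookup is also what lets a provider rotate keys without breaking logins, since the JWKS can carry the old and new key side by side.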

Configuration Examples

Google SSO configuration

This configuration will allow you to log in to your marketplace or partner portal site using your Google account.

• Name: Google
• Validation Mode: Authorization Code
• Client ID: your Client ID from the SSO provider
• Client Secret: your Client Secret from the SSO provider
• Issuer URL: https://accounts.google.com
• Grant Type: Authorization Code
• Scope: openid profile email
• Classification: USER (for a marketplace site) or DEVELOPER (for a partner portal site)
• Claims mapping:
  • accountId : {{sub}}
  • email : {{email}}
  • name : {{given_name}} {{family_name}}
  • username : {{name}}

Okta SSO configuration

This configuration will allow you to log in to your marketplace or partner portal site using your Okta identity provider.

• Name: Okta
• Validation Mode: Authorization Code
• Client ID: The OAuth clientId provided after setting up your marketplace or partner portal site as a service provider.
• Client Secret: The OAuth client secret provided after setting up your marketplace or partner portal site as a service provider.
• Issuer URL: The provided issuer URL, like: https://{your domain id}.okta.com
• Grant Type: Authorization Code
• Scope: openid profile email
• Classification: USER (for a marketplace site) or DEVELOPER (for a partner portal site)
• Claims mappings:
  • accountId : {{sub}}
  • email : {{email}}
  • name : {{name}}
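
The claims mappings in the Google and Okta examples above are templates: each `{{claim}}` placeholder is replaced by the matching attribute from the JWT or the Userinfo response, and the rendered value is saved to the OpenChannel field named by Key. The following Python example is added here to show how such mappings behave on real-looking input; it is not OpenChannel's code. The placeholder syntax and the mapping fields (Key, Value, Field Type, Target) follow the page; the field type names `text`, `number` and `boolean`, the merge order of ID token and Userinfo claims, and the sample claims (including the organization mapping built on Google's `hd` hosted-domain claim) are assumptions and constructed values for this example.

```python
"""Apply OpenChannel-style claims mappings to ID-token and Userinfo claims.

Added example, not OpenChannel's code. The {{claim}} placeholder syntax and the
mapping fields follow the page; field type names and merge precedence are assumed.
"""
import re

_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.-]*)\s*\}\}")

# Field Type names are assumed for this example; each converts the rendered
# string into the type the target OpenChannel field would store.
_CASTERS = {
    "text": str,
    "number": lambda s: float(s) if "." in s else int(s),
    "boolean": lambda s: s.strip().lower() in ("true", "1", "yes"),
}

def render_value(template, claims):
    """Replace every {{claim}} in the template; raises KeyError naming a missing claim."""
    def substitute(match):
        name = match.group(1)
        if name not in claims:
            raise KeyError(name)
        return str(claims[name])
    return _PLACEHOLDER.sub(substitute, template)

def apply_claims_mappings(id_token_claims, userinfo_claims, mappings):
    """Return {'user': {...}, 'organization': {...}} ready to save on the OpenChannel record.

    Userinfo claims are merged over the ID token claims (assumed precedence). A
    mapping that references a claim the provider did not return raises ValueError,
    because that usually means the configured Scope does not cover the data the
    mapping needs, which is the check a practitioner wants to fail loudly.
    """
    claims = {**id_token_claims, **userinfo_claims}
    result = {"user": {}, "organization": {}}
    for mapping in mappings:
        target = mapping.get("target", "user")
        if target not in result:
            raise ValueError(f"mapping {mapping['key']!r}: unknown target {target!r}")
        try:
            rendered = render_value(mapping["value"], claims)
        except KeyError as exc:
            raise ValueError(f"mapping {mapping['key']!r} needs claim {exc.args[0]!r}; "
                             "check that the provider returns it for the configured Scope") from None
        result[target][mapping["key"]] = _CASTERS[mapping.get("field_type", "text")](rendered)
    return result

# The Google mappings from the page, plus one organization-target mapping
# (constructed) that uses Google's hosted-domain claim.
GOOGLE_MAPPINGS = [
    {"key": "accountId", "value": "{{sub}}", "field_type": "text", "target": "user"},
    {"key": "email", "value": "{{email}}", "field_type": "text", "target": "user"},
    {"key": "name", "value": "{{given_name}} {{family_name}}", "field_type": "text", "target": "user"},
    {"key": "username", "value": "{{name}}", "field_type": "text", "target": "user"},
    {"key": "name", "value": "{{hd}}", "field_type": "text", "target": "organization"},
]

# Constructed sample claims in the shape a provider returns for the openid profile email scopes.
SAMPLE_ID_TOKEN_CLAIMS = {"iss": "https://accounts.google.com", "sub": "1234567890",
                          "aud": "demo-client", "email": "ada@example.com",
                          "email_verified": True, "hd": "example.com"}
SAMPLE_USERINFO_CLAIMS = {"sub": "1234567890", "name": "Ada Lovelace",
                          "given_name": "Ada", "family_name": "Lovelace"}

if __name__ == "__main__":
    print(apply_claims_mappings(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_USERINFO_CLAIMS, GOOGLE_MAPPINGS))
```

Running it with the sample claims yields `name: "Ada Lovelace"` from the two-placeholder template and `accountId: "1234567890"` from `{{sub}}`; dropping the profile claims (as happens when the Scope omits `profile`) makes the `name` mapping fail with an error that names `given_name`, which is the symptom to look for when users appear in OpenChannel with empty names after SSO login.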