Single Sign-On - OpenID Connect

R-Service can act as a relying party that requests user authorization from an OpenID Connect Provider.

[Figure: OpenID Connect Single Sign-On Transaction Steps]

The image above illustrates the following 10 steps that complete one OpenID Connect SSO transaction:

  1. The user attempts to access the R-Service account of his/her organization using a browser application such as Microsoft Internet Explorer, Google Chrome, etc.

  2. R-Service looks up the settings of the R-Service account of the user’s organization and sees that SSO has been configured for this account. Because of this, instead of prompting the user for an email address and password, R-Service generates an OpenID Connect authentication request. R-Service then encodes this authentication request and embeds it in a redirect URL that points to the SSO service of the identity provider used by the user’s organization.

  3. R-Service sends the redirect URL to the user’s browser.

  4. The user’s browser redirects to the identity provider’s SSO service.

  5. The identity provider processes the authentication request. This means the identity provider asks the user to authenticate. If this is the first time the user authenticates to access R-Service, the identity provider may also ask the user to consent to R-Service viewing user information such as name and email address.

  6. Once the user has provided consent and has authenticated, the identity provider generates a response that contains an authorization token.

  7. The user’s browser forwards the authorization token to R-Service.

  8. R-Service sends a request directly to the identity provider (bypassing the user’s browser), requesting the identity provider to exchange the authorization token for an ID token that identifies the authenticated user.

  9. The identity provider returns an ID token and other identifying information.

  10. R-Service validates the response, checking it (among other things) against CSRF and replay attacks. If the ‘Allow JIT provisioning’ field is enabled for the SSO configuration of this account, the JIT End User Access Provisioning functionality is triggered to automatically generate a new person record if one does not yet exist with the user’s email address, or to automatically update the user’s existing person record in R-Service.
    After that, R-Service redirects the user to the destination URL within the R-Service account of the user’s organization. The user is now logged in to R-Service.

How to Enable OpenID Connect SSO for R-Service

To make OpenID Connect SSO work for an organization’s R-Service account, the R-Service account owner will need the following information:

This information can then be entered by the R-Service account owner in the Single Sign-On section of the Settings console.

Single Sign-On Configuration

Once SSO has been enabled, the account owner can check whether it works by logging out of R-Service and then trying to access R-Service again by going to the URL of the R-Service account. If the account owner is already logged in to the identity provider, neither R-Service nor the identity provider should ask for an email address and password. Instead, the account owner is taken directly to the R-Service inbox.