Integration with External Identity Providers
This documentation shows the different information exchange that will need to occur between you and Opinum in order to setup SSO between Data Hub and your own Identity Provider.
Use cases
- You already have an IdP, and you want some or all of those users to access DataHub
- You want to have the full control over the user authentication (custom login process, MFA, ...)
- You want to integrate with more External IdP like Google, Facebook
- You want to keep the user passwords in your database (i.e. because of corporate security policies)
Protocol support
Opinum supports the following protocols:
- OAuth2 OpenId Connect
- Saml2
Those protocols are web standards and should be pretty easy to use with any modern IDP. In fact, we have clients using the following solutions:
- Microsoft Entra AD (formerly Azure Active directory)
- Azure Active Directory B2C
- Salesforce
But as mentioned above, any solution supporting one of those 2 protocols should be working.
In both cases, the information we need is similar.
Common requirements
Target App URL
When integrating an IDP, we always do it in the case of a certain application. For example, you might either want to link your IDP with Data Hub or for a custom application. In both cases, you will need a dedicated URL (even for Data Hub).
The full URL to the root of the application will then be necessary for Opinum in order to configure the routing. It's of of the scope of this documentation but please note that you will be required to produce and SSL certificate in order to protect the application.
Test user
The configuration being done on the Opinum side, we need to have access to at least 1 test user in order to validate the configuration.
[Optional] Claims Mapping
In some cases, there can be a need to map certain user informations contained in your IDP into Opinum systems. If that is a requirement, your IDP will need to pass those information to our systems as Claims. That configuration will be done with the Opinum team and based on the specific use cases.
OAuth2 OpenId Connect
What you need from Opinum
Once the login process is done (or the SSO flow), your IDP will need to redirect the user to a dedicated URI. This URI is called the RedirectUri.
In order to distinguish the traffic coming from the different IDP configurations we have, that URI is unique for each integration.
This URI will be provided to you in the beginning of the integration process with Opinum.
What Opinum needs from you
MetadataAddress
This is typically a URL exposed by your IDP that hosts what is called the "OpenId configuration". In most cases, that url is given for any application configuration you create in the IDP.
Client Informations
Namely the ClientId and the ClientSecret.
Those are the basic information that will allow our servers to communicate securely with your IDP during the login process.
Saml2
What you need from Opinum
Once the login process is done (or the SSO flow), your IDP will need to redirect the user to a dedicated URI. This URI is called the CallbackPath.
In order to distinguish the traffic coming from the different IDP configurations we have, that URI is unique for each integration.
This URI will be provided to you in the beginning of the integration process with Opinum.
What Opinum needs from you
Metadata Xml
Once you have configured the app in your IDP, you should be able to export a Metadata XML file. This file contains the information we need on our side to configure the interactions.
Please note that:
- In most cases, it will contain a certificate (not mandatory but recommended)
- From our experience, that metadata file is re-generated when modification are done in the IDP configuration. This means that we need the file to be exported at the end of the configuration and that if you modify the configuration later on, the integration might be broken up until we reconfigure the data at Opinum side.