Custom SSO setup

OpenID Connect (OIDC) is a protocol built on top of OAuth that is used to obtain information about a user from another system that supports the protocol.

For full details on the protocol, see the OpenID Connect Core 1.0 specification.

Enabling OIDC on an app

To enable OIDC on an app, set the CUSTOM_OIDC app option to a JSON value with the following shape:

{
    "provider": "https://your-idp.example.com/<tenant-id>/v2.0/",
    "client_id": "<client-id-issued-by-idp>",
    "flow": "implicit",
    "unique_field": "sub",
    "username_field": "preferred_username",
    "email_field": "preferred_username",
    "firstname_field": "given_name",
    "lastname_field": "family_name",
    "auto_signup": true,
    "user_owner_of_new_accounts": 3,
    "provider_support_url": "https://your-idp.example.com/support",
    "provider_support_email": "support@your-idp.example.com",
    "post_logout_redirect_url": "https://your-app.example.com/"
}

Once the option is set, the standard login form is no longer shown. Users are automatically redirected to the provider URL where they authenticate with their own identity provider (IdP).

Configuration options

Required

• provider – URL of the identity provider (IdP).
• client_id – identifier of the application at the IdP (issued by the IdP).
• flow – the OIDC flow to use. Must be set to "implicit" — the only flow currently supported.

Optional

• unique_field – name of the claim returned by the IdP that uniquely identifies the user across logins. Used to link an IdP user to a GIS Cloud account. Defaults to the value of username_field.
• username_field – name of the claim mapped to the GIS Cloud username. Defaults to "email".
• email_field – name of the claim mapped to the user's email address. Defaults to "email".
• firstname_field – name of the claim mapped to the user's first name.
• lastname_field – name of the claim mapped to the user's last name.
• auto_signup – if true (default), accounts that do not yet exist in GIS Cloud are created automatically on first login. Set to false to disable.
• user_owner_of_new_accounts – user ID. If set, every newly registered account is assigned to this user.
• provider_support_url – IdP support URL shown to the user during signup or on auth errors.
• provider_support_email – IdP support email shown to the user during signup or on auth errors.
• post_logout_redirect_url – URL inside the GIS Cloud app the user is redirected to after a successful logout at their IdP.

Identity Provider setup

In addition to the app-side configuration, the IdP must be configured with a redirect URL for the application. If the redirect URL is not set, the IdP will reject the login request.

Set the redirect URL at the IdP to https://your-app.example.com/auth/oidc, replacing your-app.example.com with your GIS Cloud app's hostname.