Setting up Single Sign-On with OpenID Connect (OIDC)


Initial setup

If you use OpenID Connect (OIDC) as your Single Sign-On (SSO) method, the following steps describe what is needed to set it up.

Firstly, provide your Onboarding Consultant or Service Desk with the following:

  1. A link to your OIDC configuration
    • The link usually ends with /.well-known/openid-configuration
  2. A client ID and a client secret for configuring the Inspera client
    • Inspera uses the token endpoint (the token-path) from that configuration

On your side, you need to: 

  1. Register the callback URL for the Inspera client: https://sso.inspera.com/oidc/login
    • Note: Inspera currently only supports auto-creation of candidate users. Admin users must already be registered in Inspera with the email address that Inspera receives in the user-info field for the OIDC auth type, because Inspera has not defined where in the OIDC data the roles for a new Admin user are to be found.
  2. Specify the redirect URL(s) to which the Identity Provider sends the user after authentication. This should match the Inspera callback URL above.

The response from the Identity Provider's (IdP) token endpoint in OpenID Connect (OIDC) typically includes an access token, an ID token and possibly a refresh token. The following is a simplified example of what such a response might look like (the same sample JWT is repeated for all three values here; in a real response the three values differ, and the access and refresh tokens are frequently opaque strings rather than JWTs):

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

id-token decoded -

Inspera enables the mapping of data from either the id-token or user-info to any field in the externaluser-object, forming the basis for the login and user creation processes.

 

If all fields are mapped from the id-token, there is no need to call the user-info endpoint.

 

For example, in an OIDC login using Google login, only one usable value, the 'pid', is passed back, and it is used as the externalId. The OIDC configuration mapping for such a case would look like this:

"mappings": [
  "email:noMap",
  "firstName:noMap",
  "lastName:noMap",
  "externalId:idToken:pid"
]

Information: Inspera is not limited to using only the email address as the externalId. Inspera can use any uniquely identifying string from either the id-token or the userinfo response as the externalId. The externalId can take various forms, such as email, username, userid, SSN, or any other unique identifier. If you want a different ID than the default one, please inform your Inspera representative or the Service Desk in advance of the setup.

The default mappings, as per the Google setup, are as follows:

  • mail = userinfo:email
  • first name = userinfo:given_name
  • last name = userinfo:family_name
  • externalId = userinfo:email

However, if the id-token already contains all of this information, it is recommended to override these mappings so that no extra call to the user-info endpoint is needed. Please check this in your setup and provide Inspera with this information.
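As an added illustration (not Inspera's code), the following decodes the sample id_token from the token response above and applies mapping lists written in the article's "field:source:claim" / "field:noMap" notation, fetching user-info only when a mapping actually needs it. The field names, the SAMPLE_USERINFO response and the fetch callback are assumptions for the demonstration.

```python
import base64
import json

# The example id_token from the token response above (the widely used sample JWT:
# header {"alg":"RS256","kid":"1e9gdk7"}, claims sub/name/iat).
SAMPLE_ID_TOKEN = ("eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ."
                   "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
                   "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Mapping lists in the article's "field:source:claim" / "field:noMap" notation.
GOOGLE_PID_MAPPINGS = ["email:noMap", "firstName:noMap", "lastName:noMap",
                       "externalId:idToken:pid"]
DEFAULT_MAPPINGS = ["email:userinfo:email", "firstName:userinfo:given_name",
                    "lastName:userinfo:family_name", "externalId:userinfo:email"]
# Constructed user-info response for the demonstration (not from a real IdP).
SAMPLE_USERINFO = {"email": "jane@example.edu", "given_name": "Jane", "family_name": "Doe"}


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) for inspection only. A relying party must verify
    the signature against the IdP's JWKS (the header's kid selects the key) and
    check iss/aud/exp before trusting any of these claims."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def resolve_mappings(mappings, id_claims, fetch_userinfo):
    """Build the externaluser fields. fetch_userinfo is called at most once, and
    only if a mapping reads from userinfo: an idToken-only mapping never calls it.
    Returns (fields, userinfo_was_fetched)."""
    user, userinfo = {}, None
    for entry in mappings:
        field, source, *rest = entry.split(":")
        if source == "noMap":
            continue
        if source == "idToken":
            claims = id_claims
        elif source == "userinfo":
            if userinfo is None:
                userinfo = fetch_userinfo()
            claims = userinfo
        else:
            raise ValueError(f"unknown mapping source in {entry!r}")
        if rest[0] not in claims:  # fail closed rather than create a user with an empty externalId
            raise KeyError(f"claim {rest[0]!r} missing for field {field!r}")
        user[field] = claims[rest[0]]
    return user, userinfo is not None
```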

Inspera suggests that you also include at least both names for candidate users, as these are used to display the candidate names (given_name and family_name) after they have logged in to Inspera Assessment. If desired, candidate names can also be used to de-anonymize the candidates before the test or after marking. Refer to the following articles for more information about de-anonymizing candidates:

 

Customization on the login page

Once your Single Sign-On (SSO) integration is set up on Inspera’s end, a Generic SAML login-button will appear on your login page.

You are able to customize both the text in that button as well as add a logo. You can find the technical constraints specified in the article Customizations Within Inspera.

You may send Inspera your desired text and logo upon initial setup, or anytime after setup.

 

After setup - connecting admin users

To complete the SSO setup for administrative users, log in with your registered user credentials, go to User Administration and update each admin user within Inspera Assessment by entering the identifier you have set on your side into the field SSO external userid.

The identifier is the value of the email attribute in the user-info response, unless you have requested a different string to be used as the externalId in your setup.

Note: This must be done for each admin user before they can log in with SSO.

 

Candidate setup

Inspera recommends that you have test students/candidates to test the Single Sign-On (SSO) setup on the candidate login page.

Candidates can be added at test level either by using CSV import or by using a test code. For more information on how to add candidates to tests, refer to the articles Candidate setup - CSV Import (SSO) and Assign learners by test code.

 

Frequently Asked Questions (FAQ)

SSO has been set up, but when logging in as an Admin user I receive the error message “No admin user found”. How do I fix this?

Answer:

This usually means that you have not entered the SSO external userid in the corresponding Admin user’s profile as described in After setup - connecting Admin users. Follow the steps in that section and try logging in again.

If you still receive the error message, that usually means that the ID entered is incorrect. Please note that this field is case-sensitive.
