Set up OpenID single sign-on (SSO) for TrackTik

Learn how to set up OpenID SSO via a third-party Identity Provider (IDP) for TrackTik. Setup guides for Microsoft's and Okta's IDP services are available separately.


Overview

You can use the OpenID standard capabilities of an Identity Provider to sign in to TrackTik from a web or mobile device, so you and any related employees and colleagues can log in more conveniently.


Before you start

Here are some things you must consider and do before you start:

  • You must have administrative credentials for your Identity Provider solution.
  • Discuss with the TrackTik web application's main administrator (and/or internal TrackTik consultant) and ask which part of an employee's identity is unique and never repeating -- even commonly used to log in: the username, or the password.
  • You must be able to inspect and define whether a user profile in your IDP system has a preferred_username key, and whether it will be exposed inside the JWT ID Token or via the User Info endpoint.
  • You must be able to configure TrackTik's OpenID Redirect URL, which has the format: https://<tracktikportal>/auth/open-id
  • You must know how to define and share with TrackTik the Client ID and Client Secret of your IDP solution (or of an application within the solution).
  • You must be able to identify and share with TrackTik the IDP's OpenID Discovery URL (so that TrackTik's solution will know how to redirect to your IDP's login interface, how to authenticate itself, and query the User Info endpoint if necessary for identity values such as the preferred_username).
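
The claim and discovery checks listed above can be rehearsed offline before involving TrackTik. The following is an added example, not TrackTik's code: it takes a discovery document, an ID token and a User Info response, and reports missing metadata and where preferred_username is exposed. The function names, the idp.example.test values and the order of checks (ID token first, then User Info) are assumptions for illustration.

```python
import base64
import json

# Metadata a relying party needs from the OpenID Discovery document.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def decode_jwt_payload(token):
    """Decode a JWT's claims for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(discovery, id_token, userinfo, claim="preferred_username"):
    """Report missing metadata and whether the claim comes from the ID token or User Info."""
    claims = decode_jwt_payload(id_token)
    source, value = None, None
    if claims.get(claim):
        source, value = "id_token", claims[claim]
    elif (discovery.get("userinfo_endpoint") and userinfo.get(claim)
          and userinfo.get("sub") == claims.get("sub")):
        # OIDC Core: the User Info "sub" must match the ID token "sub".
        source, value = "userinfo", userinfo[claim]
    return {
        "missing_metadata": [k for k in REQUIRED_METADATA if not discovery.get(k)],
        "issuer_matches": claims.get("iss") == discovery.get("issuer"),
        "claim_source": source,
        "claim_value": value,
    }

def make_sample_token(claims):
    """Build a constructed token with a placeholder signature for offline testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed sample data (idp.example.test is a placeholder, not a real IDP).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/keys",
}
SAMPLE_TOKEN = make_sample_token({"iss": "https://idp.example.test", "sub": "u-1001"})
SAMPLE_USERINFO = {"sub": "u-1001", "preferred_username": "jdoe@example.test"}

if __name__ == "__main__":
    print(preflight(SAMPLE_DISCOVERY, SAMPLE_TOKEN, SAMPLE_USERINFO))
```

A claim_source of None means the agreed identity item would not reach the relying party from either place, which is worth resolving in the IDP's claim mapping before testing logins.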

The OpenID-based process implemented at TrackTik

[Figure: SSO OpenID diagram]

URLs and authentication information that both the IDP and TrackTik should capture

A TrackTik resource will provide the IDP administrator with the web portal's OpenID Redirect URL. It will look like: https://<tracktikportal>/auth/open-id 

In return, the IDP administrator must give the TrackTik resource these details:

  • Client ID
  • Client Secret
  • OpenID Discovery URL

Next, the IDP administrator will configure their application for that redirect URL, along with their handling of the preferred_username, matching on the same user profile item: email, username or domain username.

Finally, the TrackTik resource will configure the TrackTik portal with the 3 values provided, and set the agreed-upon user profile identity item to match on:

[Screenshot: Operation Dashboard]

With all these steps completed, you may begin testing. 

TrackTik's Login Form

There is currently no means of hiding TrackTik's login form, so to prevent employees from trying to log into TrackTik directly after an SSO integration, you can reset all employee passwords to a value they don't know. Speak with your Success Manager about how TrackTik can help with that effort as a bulk data change if necessary.
