Use external identity providers to authenticate to fulfillmenttools

The fulfillmenttools platform supports the Open ID Connect (OIDC) Protocol to support external IDPs.

This page is outdated. Please go to our new documentation under https://docs.fulfillmenttools.com/documentation.

General documentation regarding OIDC can be found on the official documentation. In general the Open ID Connect Protocol is supported by all major IDPs like Microsoft Entra ID (former Azure Active Directory / AD), Auth0, Keycloak etc.

All of the IDPs have in common that you need to create an OAuth Application which results in the following the data / credentials which you need to supply to the fulfillmentools platform:

  • clientId

  • clientSecret

  • issuerUrl

  • additional information might be needed (these have to be extracted from your IDPs documentation)

Furthermore, you need to configure groups and roles to enrich the auth token with role and group information. See the child pages for step by step guide for choosen IDPs.

Configure OIDC Provider within the Fulfillmenttools Platform

to register an OIDC provider to the platform you just need to execute the following call:

curl -sSL -X POST 'https://your.api.fulfillmenttools.com/api/configurations/oidcproviders' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <TOKEN>' \
--data-raw '{
    "name": "My Provider",
    "status": "ACTIVE",
    "clientId": "my client id",
    "clientSecret": "my client secret",
    "issuer": "https://my-oidc-issuer.com",
    "customParameters": [],
    "assignedGroups": [
        {
            "group": "idp-group-id",
            "facilityRefs": [
                "fft-facility-id"
            ]
        }
    ]
}'

Some IDP vendors need customParameters to make SSO work. See your IDP vendor's documentation for details.

Custom Parameters for Microsoft Entra ID / Azure Active Directory

add this custom parameter in case you are using a Microsoft Entra ID / Azure Active Directory IDP to make sure, that only users of your tenant can login:

{
    "key": "tenant",
    "value": "the-azure-tenant-id"
}

Mapping roles to fulfillmenttools facilities

We utilize the groups feature of your IDP to map users to facilities. In the OIDC configuration you can also provide assignedGroups. There you give an mapping from your IDP groupIds to fulfillmenttools facilityRefs

Last updated