OpenID Connect
The fulfillmenttools platform supports the OpenID Connect (OIDC) protocol to integrate with external Identity Providers (IdPs).
General documentation regarding OIDC is available from the official OpenID Connect documentation. The OIDC protocol is supported by most major IdPs, such as Microsoft Entra ID (formerly Azure Active Directory), Auth0, and Keycloak.
All IdPs require the creation of an OAuth application. This process provides the following data and credentials, which must be supplied to the fulfillmenttools platform:
- clientId
- clientSecret
- issuerUrl
The IdP's documentation may specify additional required parameters. Furthermore, groups and roles must be configured within the IdP to enrich the authentication token with the necessary authorization information. Refer to the child pages for step-by-step guides for specific IdPs.
Configure OIDC within fulfillmenttools
To register an OIDC provider with the fulfillmenttools platform, use the following REST API endpoint:
POST https://{YOUR-TENANT-NAME}.api.fulfillmenttools.com/api/configurations/oidcproviders
{
  "name": "My Provider",
  "status": "ACTIVE",
  "clientId": "my-client-id",
  "clientSecret": "my-client-secret",
  "issuer": "https://my-oidc-issuer.com",
  "customParameters": [],
  "assignedGroups": []
}
Map IdP groups to fulfillmenttools facilities
fulfillmenttools utilizes the groups feature of IdPs to map users to facilities. In the fulfillmenttools OIDC configuration, these groups are mapped to facilities using the assignedGroups array. The mapping connects an IdP group ID to one or more fulfillmenttools facility references (facilityRefs).
{
  ...
  "assignedGroups": [
    {
      "group": "idp-group-id",
      "facilityRefs": [
        "fft-facility-id"
      ]
    }
  ]
}
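A pre-flight check for the request body and group mapping described on this page, as an added example that is not fulfillmenttools code. It assumes every field shown in the sample body is required, applies the OIDC rule that an issuer is an https URL without query or fragment, and treats duplicate group entries as errors because the page does not say how they are resolved; the name check_provider_config and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Keys taken from the sample request body on this page (assumed all required).
REQUIRED_KEYS = ("name", "status", "clientId", "clientSecret", "issuer",
                 "customParameters", "assignedGroups")
PLACEHOLDER_SECRETS = {"", "my-client-secret"}  # the docs' sample value must never ship


def check_provider_config(cfg: dict) -> list[str]:
    """Return a list of problems found in an oidcproviders request body."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]

    # OIDC issuer identifiers are https URLs without query or fragment.
    issuer = urlsplit(str(cfg.get("issuer", "")))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer must be an https URL with a host")
    if issuer.query or issuer.fragment:
        problems.append("issuer must not contain a query or fragment")

    if cfg.get("clientSecret", "") in PLACEHOLDER_SECRETS:
        problems.append("clientSecret is empty or still the sample value")

    # Each mapping grants facility access, so reject vague or ambiguous entries.
    seen = set()
    for i, entry in enumerate(cfg.get("assignedGroups", [])):
        group = entry.get("group", "")
        refs = entry.get("facilityRefs", [])
        if not isinstance(group, str) or not group.strip():
            problems.append(f"assignedGroups[{i}]: empty group id")
        elif group in seen:
            problems.append(f"assignedGroups[{i}]: duplicate group {group!r}")
        else:
            seen.add(group)
        if not refs or not all(isinstance(r, str) and r.strip() for r in refs):
            problems.append(f"assignedGroups[{i}]: facilityRefs empty or invalid")
    return problems


# Constructed sample: the page's request body with deliberate mistakes.
SAMPLE = {
    "name": "My Provider", "status": "ACTIVE", "clientId": "my-client-id",
    "clientSecret": "my-client-secret", "issuer": "http://my-oidc-issuer.com",
    "customParameters": [],
    "assignedGroups": [
        {"group": "idp-group-id", "facilityRefs": ["fft-facility-id"]},
        {"group": "idp-group-id", "facilityRefs": []},
    ],
}
```

Run the check in the deployment pipeline before sending the POST, and supply clientSecret from a secret store rather than from the file that holds the rest of the body.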