OpenID connect

The fulfillmenttools platform supports the OpenID Connect (OIDC) Protocol to support external Identity Providers (IdPs).

General documentation regarding OIDC can be found on the official OpenID Connect documentation. The OpenID Connect Protocol is generally supported by all major IdPs like Microsoft Entra ID (former Azure Active Directory / AD), Auth0, Keycloak, etc.

All IdPs require to create an OAuth Application which results in the following the data/credentials that must be supplied to the fulfillmentools platform:

clientId
clientSecret
issuerUrl
additional information might be required (these have to be extracted from the individual IdP's documentation)

Furthermore, configure groups and roles to enrich the auth token with role and group information. See the child pages for a step-by-step guide for an IdP.

Configure OIDC within fulfillmenttools

More OIDC-API information can be found here: REST API documentation - OIDC

To register an OIDC provider to the fulfillmenttools platform, perform the following REST API call:

POST https://{TENANT-NAME}.api.fulfillmenttools.com/api/configurations/oidcproviders

{
    "name": "My Provider",
    "status": "ACTIVE",
    "clientId": "my client id",
    "clientSecret": "my client secret",
    "issuer": "https://my-oidc-issuer.com",
    "customParameters": [],
    "assignedGroups": []
}

Some IdP vendors need customParameters to make SSO work. Consult the individual documentation of the IdP vendor for details.

Mapping roles to fulfillmenttools facilities

fulfillmenttools utilizes the groups feature of IdPs to map users to facilities. In the OIDC configuration of the fulfillmenttools platform these groups can be mapped to fulfillmenttools facilities ( assignedGroups). There is a mapping from the IdP groupIds to fulfillmenttools facilityRefs:

{
    ...
    "assignedGroups": [
        {
            "group": "idp-group-id",
            "facilityRefs": [
                "fft-facility-id"
            ]
        }
    ]
}

Last updated 8 hours ago