OpenID connect

The fulfillmenttools platform supports the OpenID Connect (OIDC) Protocol to support external Identity Providers (IdPs).

General documentation regarding OIDC can be found on the official . The OpenID Connect Protocol is generally supported by all major IdPs like Microsoft Entra ID (former Azure Active Directory / AD), Auth0, Keycloak, etc.

All IdPs require to create an OAuth Application which results in the following the data/credentials that must be supplied to the fulfillmentools platform:

• clientId

• clientSecret

• issuerUrl

• additional information might be required (these have to be extracted from the individual IdP's documentation)

Furthermore, configure groups and roles to enrich the auth token with role and group information. See the child pages for a step-by-step guide for an IdP.

Configure OIDC within fulfillmenttools

To register an OIDC provider to the fulfillmenttools platform, perform the following REST API call:

POST https://{TENANT-NAME}.api.fulfillmenttools.com/api/configurations/oidcproviders

{
    "name": "My Provider",
    "status": "ACTIVE",
    "clientId": "my client id",
    "clientSecret": "my client secret",
    "issuer": "https://my-oidc-issuer.com",
    "customParameters": [],
    "assignedGroups": []
}

Mapping roles to fulfillmenttools facilities

fulfillmenttools utilizes the groups feature of IdPs to map users to facilities. In the OIDC configuration of the fulfillmenttools platform these groups can be mapped to fulfillmenttools facilities ( assignedGroups). There is a mapping from the IdP groupIds to fulfillmenttools facilityRefs:

{
    ...
    "assignedGroups": [
        {
            "group": "idp-group-id",
            "facilityRefs": [
                "fft-facility-id"
            ]
        }
    ]
}