OpenID Connect Authentication
With OIDC (OpenID Connect) authentication, an external IDP (Identity Provider) can be used to authenticate users in Lime Marketing.
The OpenID Connect flow used is the Authorization Code Flow.
Examples of IDPs that support the OpenID Connect Authorization Code Flow are:
- Entra ID (Azure AD)
- Okta
- Auth0
How it Works
Authentication
When OIDC is configured for a Lime Marketing application, the normal email/password login page is no longer available and all logins are redirected to the configured IDP. A user who logs in successfully at the IDP is allowed into Lime Marketing only if a user in the Lime Marketing database has been configured with a unique external id matching that user's id in the IDP. Since the user must already exist in Lime Marketing, a Lime Marketing administrator needs to configure the external id for the user found in the IDP.
In the scenario where a user is authenticated by the IDP but no mapping to a Lime Marketing user exists, an error is shown containing the user's external id and instructing them to contact an administrator to configure their Lime Marketing user.
External id only to be used with IDP
A Lime Marketing user with an external id can only be used to log in via the IDP. Normal email/password login won't work, regardless of whether OIDC login is enabled or not.
Just-In-Time User Provisioning (optional)
When a user authenticated by the IDP tries to log in but no matching Lime Marketing user exists, that user can be created automatically.
Lime Marketing tries to create a new user using the configured email claim and, if possible, the firstname and lastname claims.
If no other user with an identical email address or external id exists, a user is created and automatically logged in. The new user has the fewest permissions possible; an administrator needs to configure the correct permissions.
Duplicate email addresses and already existing users must initially be handled through a manual process.
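The login and provisioning rules described above, as an added example in Python (not Lime Marketing's own code): `User`, `oidc_login` and `can_use_password_login` are hypothetical names, and `claims` is assumed to be an already signature-verified ID token payload.

```python
# Added example, not Lime Marketing's code: models the OIDC login and JIT rules
# this page describes. User, oidc_login and can_use_password_login are hypothetical
# names; claims is assumed to be the already signature-verified ID token payload.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    external_id: str | None = None
    first_name: str = ""
    last_name: str = ""
    permissions: set[str] = field(default_factory=set)  # empty = fewest possible


class LoginError(Exception):
    """Message shown to the user; it carries the external id an admin must map."""


def oidc_login(users: list[User], claims: dict, cfg: dict) -> User:
    """Return the Lime Marketing user for an IDP-authenticated login, or raise.

    cfg uses the option names from the configuration table on this page.
    """
    external_id = claims[cfg["idTokenMappingClaimExternalId"]]
    for user in users:
        if user.external_id == external_id:
            return user  # normal case: an admin has configured the external id
    if not cfg.get("useJITProvisioning", False):
        raise LoginError(f"No Lime Marketing user for external id {external_id!r}; "
                         "ask an administrator to configure your user")
    email = claims.get(cfg.get("idTokenMappingClaimEmail", "email"))
    if not email or any(u.email.lower() == email.lower() for u in users):
        # Missing or duplicate email: the page says this needs a manual process
        raise LoginError(f"Cannot auto-provision external id {external_id!r}: "
                         "email missing or already used by an existing user")
    user = User(email=email, external_id=external_id,
                first_name=claims.get(cfg.get("idTokenMappingClaimFirstName", "given_name"), ""),
                last_name=claims.get(cfg.get("idTokenMappingClaimLastName", "family_name"), ""))
    users.append(user)  # created with no permissions; an admin assigns them
    return user


def can_use_password_login(user: User, oidc_enabled: bool) -> bool:
    """Password login is unavailable once OIDC is configured, and a user with an
    external id is IDP-only even when OIDC is not enabled."""
    return user.external_id is None and not oidc_enabled
```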
Continuous Auto Refresh (optional)
When a user is unassigned from an IDP application, sessions already started in Lime Marketing continue to work. The only check of whether a user is still valid is done at login.
Lime Marketing sessions have a sliding expiration. As long as the user is active, the session lives on even if the user has been unassigned in the IDP.
To better detect and prevent continued access to Lime Marketing in this scenario, Lime Marketing can be configured to refresh the credentials with the IDP using a refresh token. If the refresh fails, the session is deactivated.
End Session (optional)
By default, when a user actively signs out from Lime Marketing, the Lime Marketing session is deactivated but the user is still logged in at the IDP.
When this option is used (and the IDP supports it), the user is also signed out from the application at the IDP.
Configuration
IDP
Any IDP that supports the OpenID Connect Authorization Code Flow can be used to authenticate users. In the IDP, configure an application for the Authorization Code Flow.
Information you need from the IDP
Open ID URI
The base URI of the IDP's OIDC functionality. This can be found in the IDP. To test the URI, it should be possible to append /.well-known/openid-configuration to the end of it and open the result in a browser to get the IDP configuration. Examples: https://login.microsoftonline.com/<tenantid>/v2.0 or https://<accountid>.okta.com
Client id/Application id
The identifier of the application in the IDP.
Client secret
Create a shared secret in the IDP.
Information you need to configure in the IDP
Allowed Sign-in redirect URI
The URI of the Lime Marketing application using the IDP for authentication. Normally https://app.bwz.se/<customer>/auth/oidc/callback. Replace <customer> with the current customer.
Allowed Sign-out redirect URI
Only required when using the end session flow option (configurable).
The URI of the Lime Marketing application using the IDP for authentication. Normally https://app.bwz.se/<customer>/logout. Replace <customer> with the current customer.
Permissions/scopes
Configure the application permissions to allow the scopes
- openid
- profile
- offline_access (only required when using the auto refresh token option (configurable))
Lime Marketing
Option | Required | Description |
---|---|---|
issuerUri | ✔ | Base URL of the IDP. Found in the IDP configuration. You should be able to append /.well-known/openid-configuration to this URL and get the discovery document response. |
clientId | ✔ | Identifier of the application within the IDP. Found in the IDP configuration. |
clientSecret | ✔ | Shared secret used by Lime Marketing to authenticate with the IDP in the Authorization Code Flow. Found in the IDP configuration. |
useJITProvisioning | | true/false. Automatically provision users (see Just-In-Time User Provisioning). |
useAuthRefreshAccessToken | | true/false. Have Lime Marketing refresh user credentials with the IDP at an interval. Useful to propagate authentication changes from the IDP to Lime Marketing, so that sessions of users who should no longer have access are deactivated. |
useEndSessionFlow | | true/false. Have Lime Marketing log out via the IDP, so the user is logged out at the IDP as well as in Lime Marketing. |
idTokenMappingClaimExternalId | ✔ | The claim holding the user's immutable identifier in the IDP (sub). Used to map the IDP user to a Lime Marketing user. |
idTokenMappingClaimEmail | | The claim holding the email address (email). Required when using JIT provisioning. |
idTokenMappingClaimFirstName | | The claim holding the first name (given_name). |
idTokenMappingClaimLastName | | The claim holding the last name (family_name). |
autoRefreshAccessTokenIntervalMinutes | | How often to refresh the token with the IDP, in minutes. Required when using auto refresh of the access token. |
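The dependencies between the options in the table, as an added example in Python (not Lime Marketing's own code) that also derives the IDP-side values from the earlier sections; `validate_oidc_config` and `idp_settings` are hypothetical names.

```python
# Added example, not Lime Marketing's code: checks a Lime Marketing OIDC
# configuration dict (keys as in the option table) against the dependencies the
# table states, and derives what the IDP side must be configured with.
# validate_oidc_config and idp_settings are hypothetical names.
REQUIRED = ("issuerUri", "clientId", "clientSecret", "idTokenMappingClaimExternalId")
DISCOVERY_PATH = "/.well-known/openid-configuration"


def validate_oidc_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = [f"{key} is required" for key in REQUIRED if not cfg.get(key)]
    if cfg.get("useJITProvisioning") and not cfg.get("idTokenMappingClaimEmail"):
        problems.append("idTokenMappingClaimEmail is required when useJITProvisioning is true")
    if cfg.get("useAuthRefreshAccessToken"):
        minutes = cfg.get("autoRefreshAccessTokenIntervalMinutes")
        if isinstance(minutes, bool) or not isinstance(minutes, (int, float)) or minutes <= 0:
            problems.append("autoRefreshAccessTokenIntervalMinutes must be a positive "
                            "number of minutes when useAuthRefreshAccessToken is true")
    if str(cfg.get("issuerUri", "")).rstrip("/").endswith(DISCOVERY_PATH):
        # The table says issuerUri is the base URL the discovery path is appended to
        problems.append("issuerUri must be the base URL, not the discovery document URL")
    return problems


def idp_settings(cfg: dict, customer: str) -> dict:
    """Values to enter in the IDP application for a given Lime Marketing customer."""
    base = f"https://app.bwz.se/{customer}"
    scopes = ["openid", "profile"]
    if cfg.get("useAuthRefreshAccessToken"):
        scopes.append("offline_access")  # needed to obtain a refresh token
    settings = {
        "discovery_url": cfg["issuerUri"].rstrip("/") + DISCOVERY_PATH,
        "sign_in_redirect_uri": f"{base}/auth/oidc/callback",
        "scopes": scopes,
    }
    if cfg.get("useEndSessionFlow"):
        settings["sign_out_redirect_uri"] = f"{base}/logout"
    return settings
```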
Get Started in Lime Marketing
- Activate the feature switch UserExternalId by reaching out to support.
- Update the external id property of all existing Lime Marketing users with the id found in the IDP for the corresponding user. Users with an external id will no longer be able to log in via the email/password login. At least one admin user needs to have an external id set before activating OIDC. (Optionally, let users get the error message and contact the administrator with their external id.)
- Switch the authentication method to use the IDP for login by reaching out to support.