In this article:
1. OpenID Connect (OIDC) Single Sign-On
2. How to Configure OIDC SSO in Businessmap
3. How to Provide Access to External Users (that are not part of your IdP)
Modern enterprises use a growing number of third-party services to improve efficiency and offer a seamless customer experience. With that comes a long list of user credentials that can put a strain on system administrators and IT support teams. This is where Single Sign-On (SSO) comes in to optimize the sign-in process. It offers an easy and secure way to log into different apps and systems with a single set of credentials.
1. OpenID Connect (OIDC) Single Sign-On
SSO works by establishing a trust relationship between the party that holds the identity information and authenticates the user, called the identity provider (IdP), and the application or service the user wants to access, known as the service provider (SP). After authenticating the user, the IdP issues a signed assertion (a SAML assertion or an OIDC ID token) that the SP validates before granting access, so the SP never handles the user's password.
In this article, we will focus on how to configure OpenID Connect SSO. We have a separate guide on how to configure SAML SSO.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It adds an ID token (a signed JWT carrying the user's identity claims) to the OAuth 2.0 authorization code flow, which is what makes SSO possible: the user authenticates once at the IdP and can then access multiple services without re-entering credentials.
Note: Businessmap uses OpenID Connect for authentication only. Authorization (what a user may see and do in the account) is handled by Businessmap's own permission model, so the OAuth 2.0 access token is not used.
2. How to Configure OIDC SSO in Businessmap
To set up OpenID SSO, you need to be an Account Owner or have the Manage Integrations privilege in Businessmap and have the necessary permissions to modify your IdP.
Here is the step-by-step process of connecting Businessmap with your Identity Provider (IdP).
1. In Businessmap, open the Administration panel and navigate to the Integrations tab.
2. Click on Applications and select OpenID Connect under the Single Sign-On section.
3. In the first field, Client id, enter the ID issued by your IdP during the registration process.
4. In the Client secret field, enter the secret key issued by your IdP to authenticate your application.
5. In the Issuer URL field, enter the issuer identifier of your IdP. This is the value your IdP publishes as issuer in its discovery document (https://{subdomain-of-idp}/.well-known/openid-configuration) and places in the iss claim of every ID token; it must match exactly, including scheme, host, path and any trailing slash.
6. In the Redirect URL field, enter the URL where the user will be redirected after successful authentication: https://{subdomain}.kanbanize.com/oidc/auth. Register the same URL as an allowed redirect URI in your IdP's application settings; IdPs reject authorization requests whose redirect URI does not match a registered one.
7. In the Logout redirect URL field, enter the URL where the user will be redirected after successful logout, e.g. https://{subdomain}.kanbanize.com/oidc/logout.
8. Choose the login type from the available options in the dropdown menu:
- Disable Businessmap login, only SSO login is applied for all users
- Allow Businessmap login for users with Account Owner privileges
- Allow Businessmap login for users with Manage Integrations privileges
- Allow Businessmap and SSO login for all users*
*Use this option to grant external users access to your Businessmap account. You can read more about it in section 3.
9. Custom user provisioning is always enabled for OIDC SSO: after a user authenticates successfully, Businessmap enables the user (if they were disabled) and updates their profile from the claims in the ID token.
10. You can choose to automatically create Businessmap users when a login arrives with an email address that is not yet registered in the account. If this option is disabled, you first need to send the user a Businessmap email invitation before they can log in through the SSO flow. By default, this option is enabled. Note that with it enabled, every identity your IdP is willing to authenticate for this application becomes a Businessmap user, so restrict access to the application on the IdP side if not everyone in your directory should have an account.
11. After you have configured your IdP data, click on the Save settings button. Navigate back to the page and slide the OpenID Connect toggle to enable it.
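To make clear what the four values above are used for, here is an added example of a minimal OpenID Connect relying party. It is not Businessmap's code and the client id, client secret, issuer URL, redirect URL and token claims in it are constructed values. It builds the authorization request that sends the browser to the IdP, then validates the ID token that comes back: signature, issuer (must equal the configured Issuer URL exactly), audience (must contain the Client id), expiry and nonce. The token is signed with HS256 keyed by the client secret so the example runs offline; most IdPs sign with RS256 and publish their keys at the jwks_uri from the discovery document, which changes only the signature check.

```python
"""Minimal OIDC relying party (added example, not Businessmap's code).
All identifiers and claims below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

CONFIG = {
    "client_id": "businessmap-example-client",        # assumed value from the IdP
    "client_secret": "example-secret-do-not-reuse",   # assumed value from the IdP
    "issuer_url": "https://idp.example.com",          # assumed issuer identifier
    "redirect_url": "https://acme.kanbanize.com/oidc/auth",  # assumed subdomain
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_url(authorization_endpoint: str, state: str, nonce: str) -> str:
    """Step 1: the SP redirects the browser to the IdP's authorization endpoint.
    Only openid scopes are requested; the ID token is all that authentication needs."""
    params = {
        "response_type": "code",
        "client_id": CONFIG["client_id"],
        "redirect_uri": CONFIG["redirect_url"],  # must equal a URI registered at the IdP
        "scope": "openid email profile",
        "state": state,  # bound to the browser session; defends against login CSRF
        "nonce": nonce,  # echoed back in the ID token; defends against token replay
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def sign_id_token(claims: dict, key: str) -> str:
    """Stand-in for the IdP: produce an HS256-signed JWT (constructed, for the demo)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Step 2: after exchanging the code, validate the ID token before trusting it.
    Raises ValueError on any failure and returns the verified claims otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an alg you did not configure
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(CONFIG["client_secret"].encode(),
                            f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # iss must match the configured Issuer URL byte for byte (no trailing-slash leniency).
    if claims.get("iss") != CONFIG["issuer_url"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if CONFIG["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if "email" not in claims:
        raise ValueError("no email claim to map to a Businessmap user")
    return claims


def validation_error(token: str, expected_nonce: str, now=None):
    """Return the rejection reason for a token, or None if it validates."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    """Run both steps against a constructed token and return the verified claims."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url(CONFIG["issuer_url"] + "/authorize", state, nonce)
    assert "redirect_uri=" in url and "nonce=" in url
    now = 1_700_000_000
    token = sign_id_token({"iss": CONFIG["issuer_url"], "sub": "user-123",
                           "aud": CONFIG["client_id"], "iat": now, "exp": now + 300,
                           "nonce": nonce, "email": "jane@example.com"}, CONFIG["client_secret"])
    return validate_id_token(token, nonce, now=now)


if __name__ == "__main__":
    print(demo())
```

The issuer check is the one most often misconfigured: an Issuer URL typed with a trailing slash, or with http instead of https, fails validation on every login even though the IdP authenticated the user correctly.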
3. How to Provide Access to External Users (that are not part of your IdP)
If you have third-party contractors or consultants who are not part of your IdP, you can grant them access by selecting the login type "Allow Businessmap and SSO login for all users".
With that option enabled, external users sign in with their Businessmap credentials through the central login page:
https://businessmap.io/user-login
Internal users (members of the IdP) use the SSO flow by going through your account's dedicated login page, i.e.:
https://subdomain.kanbanize.com
Account Owners will need to send invitations to the external users from the Administration Panel. These users will receive an invite link to register and create their Businessmap credentials.
Note: If login from both systems is not enabled, invited external users can access the system only once, via the invitation; after logging out they will be required to use SSO, which they cannot do because they are not in your IdP. This behaviour can be used deliberately to give consultants or other third parties one-time access when they do not need to return to the system.
If you face any difficulties during the setup process, do not hesitate to contact us at support@businessmap.io.
These are the general steps for configuring OpenID Connect with any Identity Provider. In the related articles, you can find step-by-step tutorials for enabling SSO with Microsoft Entra ID, OneLogin, and Okta as your IdP, and for managing user provisioning with the OIDC integration.