Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Maestrano allows you to do single sign-on via OpenID. For that we give you the url of our OpenID provider to which you can connect using your favorite OpenID consumer library.

How to connect?

The only specificity of our OpenID endpoint is that it contains the application id (or api id) of the consumer (your application). This application id is obtained from the dev sandbox for testing or from the app provider dashboard we have created for you on maestrano.com (production + production sandbox).

Do I need to configure the Maestrano SDK in a certain way?

Yes - we need to be made aware of your return url to authorize it. "Hmm, this is weird for an OpenID provider...", yes indeed. We use OpenID because it is a popular protocol but restrict it to approved applications only.

In the Maestrano SDK, you need to configure the "app host" or "sso idp" to match the domain where customers will be returned to upon authenticating with Maestrano via OpenID.

It's actually good news!

Because we only work with trusted and verified providers, we do not need to interrupt the OpenID workflow to ask the customer if they authorize the website and accept to share their identity details. This eventually gives a more seamless single sign-on experience on first login. Click! Done!

You don't use the Maestrano SDK? Or cannot implement the metadata endpoint? Just contact us directly at developers@maestrano.com and we'll help you.

What data are available via OpenID?

Our OpenID provider returns both SREG and AX data, should you ask for it or not. SREG data are not really sufficient to properly perform service provisioning via single sign-on and we do not recommend using this extension. We have implemented it for completeness but you should use AX.

AX has a good base schema for consumer data but kind of lacks some attributes when it comes to business software. To fill the gap, we have extended the base AX schema with custom attributes under the maestrano namespace. The complete list of AX attributes is available below:

 

# User - Identification DescriptionFormat
'http://openid.net/schema/person/guid' User idunique across users
'http://openid.maestrano.com/schema/person/vguid' User virtual idunique across users and companies
   
# User - Contact Details  
'http://openid.net/schema/namePerson/first' First name 
'http://openid.net/schema/namePerson/last' Last name 
'http://openid.net/schema/contact/internet/email' Email addressunique across users
'http://openid.maestrano.com/schema/contact/internet/vemail' Virtual email addressunique across users and companies
   
# User - Location  
'http://openid.net/schema/contact/country/home' Country alpha 2 codeAlpha2 Code
'http://openid.net/schema/contact/city/home' City 
'http://openid.net/schema/timezone' TimeZoneOlson format / Tz database  
   
# User - Session (used for Single Logout)  
'http://openid.maestrano.com/schema/session/key' Session hash 
'http://openid.maestrano.com/schema/session/expiration' Next time to check session 
   
# Company/Group - Identification  
'http://openid.maestrano.com/schema/company/guid' Company Id 
   
# Company/Group - User Role  
'http://openid.maestrano.com/schema/company/role'User role in company"Member", "Power User", "Admin", "Super Admin"
   
# Company/Group - Contact  
'http://openid.net/schema/company/name'Company name 
'http://openid.maestrano.com/schema/company/email'Principal email address 
   
# Company/Group - Location  
'http://openid.maestrano.com/schema/company/country' CountryAlpha2 Code
'http://openid.maestrano.com/schema/company/city' City 
'http://openid.maestrano.com/schema/company/timezone' TimeZoneOlson format / Tz database

 

 

  • No labels