Use OpenID for SSO

Maestrano allows you to do single sign-on via OpenID. To do this, we give you the URL of our OpenID provider, to which you can connect using your favourite OpenID consumer library.

How to connect?

The only thing specific to our OpenID endpoint is that it contains the application id (or API id) of the consumer (your application).

This application id is obtained from the developer platform configuration, either by doing a GET call to https://developer.maestrano.com/api/config/v1/marketplaces using your environment API Key and API Secret, or directly through the SDKs.

{
  "marketplaces": {
    "nid": "application-nid",
    "marketplace": "application marketplace",
    "environment": "application environment linked to the marketplace",
    "app": {
      // Information about the app
    },
    "api": {
      "id": "APP ID",
      "key": "APP KEY"
    }
  }
}




Environment: Production + Production Sandbox
OpenID Provider: https://api-hub.maestrano.com/api/openid/provider/<your-app-id>

Do I need to configure the Maestrano SDK in a certain way?

Yes - we need to be made aware of your return URL so that we can authorize it. "Hmm, this is weird for an OpenID provider..." Yes indeed. We use OpenID because it is a popular protocol, but we restrict it to approved applications only.

In the Maestrano SDK, you need to configure the "app host" and "sso idp" as well as the "sso init_path" to match the domain and the path where customers will be returned to upon authenticating with Maestrano via OpenID.

It's actually good news!

Because we only work with trusted and verified providers, we do not need to interrupt the OpenID workflow to ask the customer whether they authorize the website and accept to share their identity details. This gives a more seamless single sign-on experience on first login. Click! Done!

You don't use the Maestrano SDK? Just contact us on our Support Desk.

What data are available via OpenID?

Our OpenID provider returns both SREG and AX data, whether you ask for them or not. SREG data are not sufficient to properly perform service provisioning via single sign-on and we do not recommend using this extension. We have implemented it for completeness, but you should use AX.

AX has a good base schema for consumer data but lacks some attributes when it comes to business software. To fill the gap, we have extended the base AX schema with custom attributes under the maestrano namespace. The complete list of AX attributes (attribute URI, description, format) is available below:


# User - Identification

'http://openid.net/schema/person/guid' - User id (unique across users)
'http://openid.maestrano.com/schema/person/vguid' - User virtual id (unique across users and companies)

# User - Contact Details

'http://openid.net/schema/namePerson/first' - First name
'http://openid.net/schema/namePerson/last' - Last name
'http://openid.net/schema/contact/internet/email' - Email address (unique across users)
'http://openid.maestrano.com/schema/contact/internet/vemail' - Virtual email address (unique across users and companies)

# User - Location

'http://openid.net/schema/contact/country/home' - Country (alpha-2 code)
'http://openid.net/schema/contact/city/home' - City
'http://openid.net/schema/timezone' - Time zone (Olson format / tz database)

# User - Session (used for Single Logout)

'http://openid.maestrano.com/schema/session/key' - Session hash
'http://openid.maestrano.com/schema/session/expiration' - Next time to check the session

# Company/Group - Identification

'http://openid.maestrano.com/schema/company/guid' - Company id, the group_id to be used with the Connec!™ API (e.g. cld-64ba)

# Company/Group - User Role

'http://openid.maestrano.com/schema/company/role' - User role in the company ("Member", "Power User", "Admin", "Super Admin")

# Company/Group - Contact

'http://openid.net/schema/company/name' - Company name
'http://openid.maestrano.com/schema/company/email' - Principal email address

# Company/Group - Location

'http://openid.maestrano.com/schema/company/country' - Country (alpha-2 code)
'http://openid.maestrano.com/schema/company/city' - City
'http://openid.maestrano.com/schema/company/timezone' - Time zone (Olson format / tz database)
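As an added example (not code from the Maestrano SDK or the demo projects), here is how a consumer requests the AX attributes listed above and reads them back from the provider's positive assertion. It assumes a generic OpenID 2.0 consumer library handles discovery, association and signature verification of the response; only AX fields covered by openid.signed are kept, and the sample response is constructed, not real provider output.

```ruby
require 'uri'

AX_NS = 'http://openid.net/srv/ax/1.0'
# Attribute URIs from the list above, keyed by the alias used in our fetch request
AX_ATTRIBUTES = {
  'guid'   => 'http://openid.net/schema/person/guid',
  'vguid'  => 'http://openid.maestrano.com/schema/person/vguid',
  'email'  => 'http://openid.net/schema/contact/internet/email',
  'vemail' => 'http://openid.maestrano.com/schema/contact/internet/vemail',
  'cguid'  => 'http://openid.maestrano.com/schema/company/guid',
  'role'   => 'http://openid.maestrano.com/schema/company/role',
  'skey'   => 'http://openid.maestrano.com/schema/session/key',
  'sexp'   => 'http://openid.maestrano.com/schema/session/expiration'
}.freeze

# AX fetch_request parameters to add to the checkid_setup request sent to
# https://api-hub.maestrano.com/api/openid/provider/<your-app-id>
def ax_fetch_request_params
  params = { 'openid.ns.ax' => AX_NS, 'openid.ax.mode' => 'fetch_request' }
  AX_ATTRIBUTES.each { |as, uri| params["openid.ax.type.#{as}"] = uri }
  params.merge('openid.ax.required' => AX_ATTRIBUTES.keys.join(','))
end

# Turn a positive assertion (query string, signature already verified by your
# OpenID library) into { attribute URI => value }. Only AX fields listed in
# openid.signed are trusted; the OP chooses its own aliases, so resolve them
# through openid.ax.type.* instead of assuming ours were echoed back.
def parse_ax_fetch_response(query_string)
  fields = URI.decode_www_form(query_string).to_h
  return nil unless fields['openid.ns.ax'] == AX_NS && fields['openid.ax.mode'] == 'fetch_response'
  signed = fields.fetch('openid.signed', '').split(',')
  fields.each_with_object({}) do |(key, uri), out|
    next unless key.start_with?('openid.ax.type.')
    as = key.sub('openid.ax.type.', '')
    next unless signed.include?("ax.type.#{as}") && signed.include?("ax.value.#{as}")
    out[uri] = fields["openid.ax.value.#{as}"]
  end
end

# Constructed sample assertion (not real Maestrano output): two signed AX
# attributes and one unsigned one (the role) that must be dropped.
SAMPLE_RESPONSE = URI.encode_www_form(
  'openid.ns.ax' => AX_NS, 'openid.ax.mode' => 'fetch_response',
  'openid.signed' => 'op_endpoint,ns.ax,ax.mode,ax.type.ext0,ax.value.ext0,ax.type.ext1,ax.value.ext1',
  'openid.ax.type.ext0' => AX_ATTRIBUTES['vguid'], 'openid.ax.value.ext0' => 'usr-v1',
  'openid.ax.type.ext1' => AX_ATTRIBUTES['cguid'], 'openid.ax.value.ext1' => 'cld-64ba',
  'openid.ax.type.ext2' => AX_ATTRIBUTES['role'],  'openid.ax.value.ext2' => 'Super Admin'
)
```

Keying local accounts on the virtual user id (vguid) rather than on guid keeps one Maestrano user distinct across the companies they belong to, which the attribute list above describes as "unique across users and companies".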


Examples

Rails

You may use this project as a first working example to test access via OpenID.

Simply update your host and IDM to http://localhost:1234

You can check the OpenID provider using the URL https://[MARKETPLACE_URL]/api/openid/provider/[APP_UID]

https://github.com/maestrano/rails-openid-demo

Java (Coming Soon)

An OpenID controller in the Java demo app is currently being developed to demonstrate the use of OpenID for SSO.

https://github.com/x4d3/demoapp-java/blob/openid/src/main/java/com/example/OpenIdController.java