babelforce's solution for SSO leverages OpenID Connect, a well-known standard for web authentication (authN). OpenID Connect is a layer on top of OAuth 2.0, which is used for authorization (authZ). To learn more about OpenID Connect, please follow this link.
To use babelforce SSO, you need an identity provider (e.g. an IAM system) that implements OpenID Connect.
For the simplest setup, we suggest using the standard claim email as the unique identifier.
How it works
From your system's perspective, babelforce is a client of your identity provider. This may seem counterintuitive at first, but babelforce must be the relying party to your identity provider: only then can your users log in with their regular credentials or reuse an existing session.
As soon as your user has been authenticated by your identity provider, babelforce uses the provided ID token to identify the user. If that user exists in babelforce, access is granted to the configured parts of babelforce.
The process in detail
(1) The user opens the babelforce SSO page
(2) babelforce retrieves the identity provider's redirect URI from the SSO settings and redirects the user to the identity provider
(3) The identity provider handles the login. Possible cases:
- The user is not logged in, so the user has to provide valid credentials to the identity provider
- The user is already logged in
- User access is denied
(4) If login was successful, the identity provider redirects the user back to babelforce, sending the parameters needed to complete step (6)
(5) The parameters are sent to the babelforce backend and validated
(6) Based on the parameters from step (4) and other secrets, babelforce obtains an ID token from the identity provider that represents the user's identity
(7) babelforce takes the ID token obtained in step (6) and tries to match this identity with an identity known to babelforce (e.g. the email of an agent user in babelforce)
(8) If this succeeds, the user is logged into babelforce
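The following is an added illustration of steps (5) to (7), not babelforce code: it verifies a constructed ID token (signature, issuer, audience, expiry and nonce) and then matches the standard email claim against known agents. The issuer, client id and signing key are assumed values, and HS256 with a shared secret stands in for the RS256/JWKS signature a real identity provider would use.

```python
import base64, hashlib, hmac, json, time

# Constructed values: the real IdP, client id and signing key are not on the page.
CLIENT_ID = "babelforce-client"
ISSUER = "https://idp.example.com"
HS_KEY = b"constructed-shared-secret"  # HS256 stand-in for the IdP's RS256 key/JWKS

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims):
    """Constructed IdP side: sign claims as a compact JWT (HS256 only for this offline example)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(HS_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token, expected_nonce, now=None):
    """Steps (5)-(6): pin the alg, check the signature, then iss/aud/exp/nonce. Raises on failure."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(unb64url(header_b64)).get("alg") != "HS256":  # never let the token choose the alg
        raise ValueError("unexpected alg")
    want = hmac.new(HS_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def match_user(claims, agents_by_email):
    """Step (7): map the identity to a known agent via the standard email claim (verified only)."""
    email = claims.get("email", "")
    if not email or not claims.get("email_verified"):
        return None
    return agents_by_email.get(email.lower())
```

The nonce must be the one babelforce generated for this login and stored in the user's session before step (2); the redirect parameters from step (4) are likewise checked against that session before any token is requested.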
To see how SSO can be implemented, we have prepared two examples