Single Sign-On with OpenID Connect
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. It’s an alternative method used to enable Single Sign-On, which will allow end users to authenticate with their own organization’s Identity Provider (IdP) to access UserVoice. It is an alternative to using SAML 2.0 authentication and authorization protocol.
Our OIDC implementation makes use of the Authorization Code flow, and uses attributes sent via the request header (not the query-string).
Prerequisites
- OpenID Connect enabled Identity Provider
- A UserVoice plan that includes OpenID Connect
- UserVoice admin log-in
Step 1: Retrieving Information About Your IdP
Using your redirect URL, e.g. https://<subdomain>.uservoice.com/auth/oidc/callback, generate client credentials and retrieve endpoints from your IdP.
When you configure this URL in your IdP, you will be provided with a Client ID and Secret. This will be needed in later steps so make sure to take note of this information.
Precise steps to generate and obtain the following fields will vary between identity providers and your application. For this reason we aren’t able to provide detailed explanations in this generic guide. Please contact your IdP Admin if you require assitance.
Along with the Client ID and Secret, take note of the additional required attributes to be retrieved. Generally, this information will be located in the API documentation for your IdP:
- Provider base URL
- Authorization URL
- Token URL
- User info URL
- Token scope
- Email JSON path
- GUID JSON path
Step 2: Configuring UserVoice
- Navigate to UserVoice authentication settings and populate required fields from your Identity Provider. These can be found in Settings (bottom-left corner) → Web Portal → User authentication → Edit…
- Click the + next to OpenID Connect to add a new OIDC configuration.
- Enter the information that you collected from your IdP in Step 1 (note: Fields marked * are required).
Field Details
The fields outlined in this table can be obtained from your IdP when you connect and configure UserVoice within your account; however, this information is often found within the API Developer Documentation of the IdP.
| Field | Description |
|---|---|
| Client ID* | Identifies the client and must match the value preregistered in your IdP. |
| Client Secret* | Password associated with the obtained Client ID and Application registration. |
| Provider Base URL* | Location of the authorization server. |
| Authorization URL* | Starting point for browser-based OpenID Connect flows. |
| Token URL* | Location where an authorization token can be obtained. |
| User Info URL* | Returns claims about the authenticated user. |
| Token Scope* | This is typically an OpenID Connect Scope. Scope, openid is required for authentication requests. |
| Email JSON Path* | Location of the email attribute within the returned JSON object. |
| GUID JSON Path* | Location of the GUID attribute within the returned JSON object. The value returned must be unique for each user. |
| Name JSON Path | Location of the name attribute within the returned JSON object. |
| Avatar URL JSON Path: | The SED command for the UserVoice user’s profile image. |
| External Account JSON Path | Location of the Account ID attribute within the returned JSON object. This is used to pair the authenticated user with an existing Account. |
| Remote Logout URL | When used, this URL will sign the user out of UserVoice. |
| Button Label | Label for the sign-in button that’s visible on your web portal. |
| Button Icon | Upload an image that will serve as your sign-in button. |
Troubleshooting
If you have any questions or run into issues, please reach out to support@uservoice.com. Please include your Identity Provider and any error messages in your email. Thanks!