Single Sign-on for users

Single sign-on (SSO) allows your users to log in with the credentials of the customer's IAM solution, as opposed to users whose credentials are stored in our IAM solution.

How does Conundra SSO work?

Our IAM solution uses the user's email domain to decide whether to ask for username/password, or to delegate to a customer's IAM solution. We only support OAuth 2.0/OIDC for SSO. The diagram below is a high-level representation of how this works:

Sequence diagram, participants: OptiFlow, Conundra IAM, Customer IAM.

  1. OptiFlow -> Conundra IAM: OAuth 2.0 authorization code flow
  2. Conundra IAM -> user: prompt for e-mail
  3. Conundra IAM -> Customer IAM: OAuth 2.0 authorization code flow
  4. User authenticates at the Customer IAM
  5. Customer IAM -> Conundra IAM: customer tokens
  6. Conundra IAM -> OptiFlow: Conundra tokens

How to set up SSO

  1. You make a request for SSO integration with your Conundra contact.
  2. Conundra provides a redirect URI you'll need to set up your OAuth 2.0/OIDC client.
  3. You set up everything on your end:
    1. Provision a client that Conundra IAM can use to start an OAuth 2.0 Authorization Code Flow.
    2. Securely share the client-id and client-secret together with the URL of your OpenID Connect Metadata Document (the discovery endpoint).
    3. Tell us the domains that need to be linked to this Conundra IAM Identity Provider.
    4. Tell us whether users with sub-addressing (e.g. jane.doe+test@acme.com) should be linked to this Conundra IAM Identity Provider.
  4. Conundra provisions the Identity Provider.
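Before handing over the metadata document in step 3.2, it is worth checking that it actually supports what Conundra IAM needs for an authorization code flow. The check below is an added example, not Conundra's code or part of this procedure; the field names and rules come from the OpenID Connect Discovery specification, while the sample issuer, endpoints and the function name check_metadata are made up for illustration.

```python
"""Pre-flight check of an OpenID Connect Metadata Document (added example, not
Conundra's code). Runs offline against a constructed sample document; the
issuer and endpoint URLs below are fictitious."""
import json
from urllib.parse import urlsplit

# Constructed sample of what https://login.acme.example/.well-known/openid-configuration
# might return. Not a real identity provider.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.acme.example",
    "authorization_endpoint": "https://login.acme.example/oauth2/authorize",
    "token_endpoint": "https://login.acme.example/oauth2/token",
    "jwks_uri": "https://login.acme.example/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
})

# Fields the Discovery spec marks REQUIRED for a provider used with the code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_metadata(document, expected_issuer):
    """Return a list of problems found in the metadata document (JSON text).
    An empty list means the document looks usable for an OIDC client that
    runs the authorization code flow against this provider."""
    problems = []
    try:
        md = json.loads(document)
    except ValueError as e:
        return [f"not JSON: {e}"]
    for key in REQUIRED:
        if key not in md:
            problems.append(f"missing required field {key}")
    if problems:
        return problems
    # The issuer must equal the URL the document was fetched under, must be
    # https, and must carry no query or fragment component.
    if md["issuer"] != expected_issuer:
        problems.append(f"issuer {md['issuer']} != {expected_issuer}")
    iss = urlsplit(md["issuer"])
    if not _is_https(md["issuer"]) or iss.query or iss.fragment:
        problems.append("issuer must be an https URL without query/fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not _is_https(md[key]):
            problems.append(f"{key} is not https")
    if "code" not in md["response_types_supported"]:
        problems.append("response_type 'code' not supported")
    # grant_types_supported is optional; the spec default is code + implicit.
    grants = md.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    # OIDC requires RS256 to be supported for ID token signatures.
    if "RS256" not in md["id_token_signing_alg_values_supported"]:
        problems.append("ID tokens must be signable with RS256")
    # scopes_supported is optional, but if it is listed, openid must be in it.
    scopes = md.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("scope openid not advertised")
    return problems


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "https://login.acme.example"))  # []
```

Fetch the live document yourself, pass the URL prefix you fetched it from as expected_issuer, and fix every reported problem in your IAM solution before sharing the endpoint; a provider that fails these checks will not complete step 4.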

Note: there are some restrictions; make sure you understand these before making a request.

Restrictions for SSO

1 or more customer domains are bound to 1 Conundra space

A space is a logical group of users that can see each other's data (e.g. plannings, orders, ...). One user is always bound to a single space. When using SSO, a domain can only be bound to 1 Conundra space. It is possible to have multiple domains point to the same space.

Valid configuration

john.doe@acme.com   -> space ACME
joe.doe@acme.be     -> space ACME
jane.doe@acme.com   -> space ACME

Invalid configuration

The configuration below is invalid because the same domain (@acme.com) points to two different spaces.

john.doe@acme.com   -> space ACME
jane.doe@acme.com   -> space ACME_TEST

Workaround

We can configure the Identity Provider so that users with sub-addressing (jane.doe+test@acme.com) are not linked to it; such a user can then be bound to another space.

Note that these "+" users will have to log in with credentials managed by Conundra IAM.

john.doe@acme.com        -> space ACME
jane.doe+test@acme.com   -> space ACME_TEST

Multiple SSO integrations for multiple Conundra spaces

If John Doe has the following aliases in your IAM solution, the configuration below is only possible if the sub claims in the access tokens differ between John Doe's aliases. If both aliases yield the same sub, Conundra IAM sees a single user, and a single user is always bound to a single space.

john.doe@acme.com        -> space ACME
john.doe@acme-test.com   -> space ACME_TEST
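The three restrictions above (one domain, one space; sub-addressed users kept out of SSO; aliases distinguishable only by sub) can be modelled in a few lines. The following is an added example and not Conundra's code; the names IdentityProvider, route_login, link_identity and the sample configuration are assumptions made for illustration, and the real Conundra IAM internals are not published.

```python
"""Model of e-mail-domain routing and the space-binding restrictions
(added example, not Conundra's code). All names and the configuration
are illustrative assumptions."""
from dataclasses import dataclass


class ConfigError(ValueError):
    pass


@dataclass(frozen=True)
class IdentityProvider:
    name: str
    domains: frozenset              # e-mail domains delegated to this provider
    space: str                      # the single Conundra space those domains map to
    link_subaddressed: bool = True  # False: jane.doe+test@domain is NOT delegated


def validate(providers):
    """A domain may be bound to exactly one space; several domains may share a space."""
    bound = {}
    for p in providers:
        for domain in p.domains:
            d = domain.lower()
            if d in bound and bound[d] != p.space:
                raise ConfigError(f"{d} is bound to both {bound[d]} and {p.space}")
            bound[d] = p.space
    return bound


def split_email(email):
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local, domain, "+" in local


def route_login(email, providers):
    """Decide how the login prompt for this e-mail proceeds.
    ("sso", idp_name, space): delegate to the customer's IAM via the code flow.
    ("password", None, None): ask for Conundra-managed credentials; the space
    then comes from the Conundra IAM account, not from the e-mail domain."""
    validate(providers)
    local, domain, subaddressed = split_email(email)
    for p in providers:
        # Exact domain match only: acme.com.evil.example must not match acme.com.
        if domain in {d.lower() for d in p.domains}:
            if subaddressed and not p.link_subaddressed:
                return ("password", None, None)
            return ("sso", p.name, p.space)
    return ("password", None, None)


def link_identity(claims, providers, registry):
    """Bind the subject of a customer token to a space. A user is identified by
    (iss, sub), never by e-mail alone, so two aliases that yield the same sub
    are one user, and one user can only belong to one space."""
    kind, _, space = route_login(claims["email"], providers)
    if kind != "sso":
        raise ConfigError(f"{claims['email']} is not delegated to SSO")
    key = (claims["iss"], claims["sub"])
    if key in registry and registry[key] != space:
        raise ConfigError(f"subject {key} is already bound to {registry[key]}; "
                          f"aliases need distinct sub claims to land in {space}")
    registry[key] = space
    return space


# Constructed sample configuration based on the ACME examples on this page.
ACME = IdentityProvider("acme-sso", frozenset({"acme.com", "acme.be"}), "ACME",
                        link_subaddressed=False)
ACME_TEST = IdentityProvider("acme-test-sso", frozenset({"acme-test.com"}), "ACME_TEST")
PROVIDERS = [ACME, ACME_TEST]

if __name__ == "__main__":
    print(route_login("john.doe@acme.com", PROVIDERS))       # ('sso', 'acme-sso', 'ACME')
    print(route_login("jane.doe+test@acme.com", PROVIDERS))  # ('password', None, None)
```

Two details matter in practice: the domain comparison is an exact match on the part after the last "@", so look-alike domains are never delegated, and identities are keyed on the token's iss and sub rather than on the e-mail address, which is exactly why the alias configuration only works when the sub claims differ.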

Authorization

By default, everyone who can log in via your OAuth 2.0 client has access to OptiFlow, so if not all of your users should have access, restrict who can authenticate through that client in your own IAM solution. If you have other needs, contact your Conundra contact.

Copyright © Conundra BV - PTV Logistics GmbH. All rights reserved.