Hi everyone!
Is there any way to use O11 as an IdP for ODC? I want to have an app developed in ODC which the users from our internal Portal (O11) can access using the same account. Is this possible, and can you please point me in the right direction in order to achieve this?
Thanks in advance and Merry Christmas to all :)
Hi Joao,
I'm pretty sure that OS will come up with a supported solution for this in the near future, but it would not be too time consuming to build it on your own.
What you need to build is a minimalistic IdP on the O11 side for the Authorization Code flow. Good documentation can be found here: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow.
Specifically, you would need to expose a well-known discovery document containing information about the authorize and token endpoints. That is the one you would then configure in ODC Portal. It is an exposed REST endpoint.
The authorize endpoint is a Login Page in O11 where the user inputs username and password (O11 username and password). After successful login, the O11 login page would redirect the user to the ODC Portal redirect URI with an authorization code in the URL. ODC then makes a POST request using this code to the token endpoint (another REST expose in O11). The token endpoint would then construct a JWT containing the openid, profile and email claims, sign it and return it to ODC, which then performs the actual login, meaning mapping an existing ODC user account or creating a new one.
Stefan
Forge Components you will need
* JWT - for constructing the Web token
* Crypto API for password hashing and token signing.
PS: In the long run you should consider a professional identity Provider that spans across both environments.
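The flow described in the answer above, as an added Python sketch that is not part of the original post and not OutSystems or Forge code: the discovery document, the code issued after login, and the token endpoint that redeems it once and signs the ID token. The URLs, client values, lifetimes and function names are constructed assumptions. HS256 keyed with the client secret stands in for the signing step so that only the standard library is needed; with an asymmetric algorithm the discovery document would also carry a `jwks_uri`.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://o11.example.com/IdP"  # constructed placeholder URL
CLIENT = {"id": "odc-portal", "secret": "constructed-secret",  # constructed values
          "redirect_uri": "https://odc.example.com/callback"}
CODE_TTL, TOKEN_TTL = 60, 300  # seconds; assumed lifetimes
_codes = {}  # code -> (user, redirect_uri, nonce, expiry)

def discovery():
    """Body served at ISSUER + '/.well-known/openid-configuration'."""
    return {"issuer": ISSUER,
            "authorization_endpoint": ISSUER + "/authorize",
            "token_endpoint": ISSUER + "/token",
            "response_types_supported": ["code"],
            "subject_types_supported": ["public"],
            "scopes_supported": ["openid", "profile", "email"],
            "id_token_signing_alg_values_supported": ["HS256"]}

def authorize(user, client_id, redirect_uri, state, nonce):
    """Runs only after the login page has verified the user's password."""
    # Exact-match the registered redirect URI; never redirect to anything else.
    if client_id != CLIENT["id"] or redirect_uri != CLIENT["redirect_uri"]:
        raise ValueError("unregistered client_id or redirect_uri")
    code = secrets.token_urlsafe(32)
    _codes[code] = (user, redirect_uri, nonce, time.time() + CODE_TTL)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token(code, client_id, client_secret, redirect_uri):
    """Redeem a code exactly once and return a signed ID token."""
    if client_id != CLIENT["id"] or not hmac.compare_digest(
            client_secret.encode(), CLIENT["secret"].encode()):
        raise PermissionError("invalid_client")
    entry = _codes.pop(code, None)  # pop makes the code single-use
    if entry is None or entry[1] != redirect_uri or time.time() > entry[3]:
        raise PermissionError("invalid_grant")
    user, _, nonce, _ = entry
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": client_id, "sub": user["sub"],
              "name": user["name"], "email": user["email"],
              "nonce": nonce, "iat": now, "exp": now + TOKEN_TTL}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(CLIENT["secret"].encode(), signing_input.encode(), hashlib.sha256)
    return {"id_token": signing_input + "." + _b64(sig.digest()),
            "access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The password check itself (hashing and comparison against the O11 user record) happens on the login page before `authorize` is called and is not shown.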
Hello,
I guess you can achieve this through a common external Identity Provider. For example, if you configure an IdP to be used by O11, you can make this same IdP available for an ODC app, each with their own connection steps.
Here are some links that can help you:
ODC:
Configuring authentication with external identity providers
Use external identity providers (IdPs) in an app
O11:
End Users Authentication
Integrate specific apps with Okta using SAML Exercise
That way I know it's possible but that would involve some sort of migration of my current o11 users. As I said in my question the objective is to use O11 itself as identity provider in ODC :)
I’m not sure this is possible. You see, O11 uses a built-in mechanism for authentication, while ODC comes bundled with Identity Service, a built-in Identity Provider (IdP), so both use a completely different version.
In other words, you want to expose O11’s authentication mechanism to ODC as an IdP, which I do not think is supported.
Hi João,
Without trying to toot my own horn, have you checked the talks from last ONE conference?
There’s a couple that might be exactly what you’re looking for:
To sum it all up, right now you can mostly do it using a SAML 2.0 IdP server running on O11 (there’s an IdPServer forge component you can use as the starting point) and, currently in EAP, there’s an OpenID Connect IdP Server that will be fully supported by OutSystems and the way forward regarding having O11 acting as the source for ODC users and authentication.
Hello Jorge!
Thank you for the tips and the help. I was part of an ITUp training Course called "O11 + ODC Interoperability" where it was referenced multiple times that O11 could be used as an IdP in ODC, and I was left under the impression that this was almost like setting up the O11 connector in ODC.
I'll have a look through the links you sent.
Best regards and very happy holidays!
Hello João,
In the OutSystems public page for Early Access Programs you can see that there is one ongoing for that capability, and you can apply to join:
https://www.outsystems.com/platform-unification/
I created a Forge component and wrote an article on that topic. See here https://without.systems/bridge-the-gap-outsystems-11-users-to-outsystems-developer-cloud for details.