OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0, an authorization framework. It is one of the methods UserVoice supports for Single Sign-On (SSO): end users authenticate with their own organization's Identity Provider (IdP) to access UserVoice. It is an alternative to SAML 2.0, the other authentication and authorization protocol UserVoice supports for SSO.
Our OIDC implementation uses the Authorization Code flow, and sends attributes in the request header rather than the query string.
Prerequisites
- OpenID Connect enabled Identity Provider.
- A UserVoice plan that includes SSO.
- UserVoice Admin credentials.
Step 1: Retrieving Information About Your IdP
Using your Redirect URL (e.g. https://<subdomain>.uservoice.com/auth/oidc/callback), register UserVoice as a client in your IdP to generate client credentials, and retrieve the IdP's endpoints.
When you configure this URL in your IdP, you will be issued a Client ID and Client Secret. Both are needed in later steps, so take note of them; the Client Secret is a credential and should be stored as one.
Precise steps to generate and obtain the following fields will vary between identity providers and your application. For this reason we aren’t able to provide detailed explanations in this generic guide. Please contact your IdP Admin if you require assistance.
Along with the Client ID and Secret, take note of the following required attributes. Generally, this information is located in your IdP's API documentation:
- Provider base URL
- Authorization URL
- Token URL
- User info URL
- Token scope
- Email JSON path
- GUID JSON path
Step 2: Configuring UserVoice
- Navigate to UserVoice authentication settings, Settings (bottom-left corner) → General → User authentication → Edit…
- Click the + next to OpenID Connect (OIDC) to add a new OIDC configuration.
- Enter the information that you collected from your IdP and IdP's OIDC documentation in Step 1.
Note: Fields marked * are required.
Field Details
The values for the fields in this table come from your IdP; they are usually documented in the IdP's API developer documentation.
Field | Description
--- | ---
Client ID* | Identifies the client and must match the value pre-registered in your IdP.
Client Secret* | Password associated with the Client ID and application registration. Treat it as a credential; it is never sent to end users.
Provider Base URL* | Location of the authorization server.
Authorization URL* | Starting point for browser-based OpenID Connect flows; the user's browser is redirected here to authenticate.
Token URL* | Location where the authorization code is exchanged for tokens (the ID token and access token).
User Info URL* | Returns claims about the authenticated user as a JSON object.
Token Scope* | The OpenID Connect scopes requested (your IdP lists the ones it accepts as Scopes Supported). The scope `openid email profile` is required for authentication requests.
Email JSON Path* | Location of the email attribute within the returned JSON object.
GUID JSON Path* | Location of the GUID attribute within the returned JSON object. The value returned must be unique and stable for each user; the standard `sub` claim is the usual choice, and email should not be used here because it can change.
Name JSON Path | Location of the name attribute within the returned JSON object.
Avatar URL JSON Path | The SED command for the UserVoice user's profile image.
External Account JSON Path | Location of the Account ID attribute within the returned JSON object. This is used to pair the authenticated user with an existing Account.
Remote Logout URL | When used, this URL signs the user out of UserVoice.
Button Label | Label for the sign-in button shown on your web portal.
Button Icon | A small image you can upload, shown as the button's icon to your end users.
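As an added example that is not UserVoice's own code, the following Python sketches what the Authorization Code flow described above looks like from the client side and how the JSON paths in the table map a User Info response onto a user. The tenant and IdP hostnames, the client credentials, the sample User Info document and the dotted JSON-path syntax are all assumptions made for the example; UserVoice's actual path syntax is not specified on this page.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder settings (hypothetical tenant and IdP, not real ones).
REDIRECT_URL = "https://example.uservoice.com/auth/oidc/callback"
AUTHORIZATION_URL = "https://idp.example.com/oauth2/authorize"
TOKEN_URL = "https://idp.example.com/oauth2/token"
CLIENT_ID = "uservoice-sso"
CLIENT_SECRET = "s3cr3t"
SCOPE = "openid email profile"  # the scope the page says is required


def build_authorization_url(state, nonce):
    """Front channel: the browser is sent to the Authorization URL.
    state ties the callback to this login attempt (CSRF protection);
    nonce is echoed in the ID token so the token can be bound to it."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URL, "scope": SCOPE,
              "state": state, "nonce": nonce}
    return AUTHORIZATION_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Check the redirect to /auth/oidc/callback before the code is used."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in qs:
        raise ValueError("IdP returned error: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(code):
    """Back channel: exchange the code at the Token URL. Client credentials go
    in the HTTP Authorization header (client_secret_basic), not the query
    string, so they never land in URLs or access logs."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Authorization": "Basic " + basic,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URL}),
    }


def extract_claim(document, path):
    """Resolve a dotted path such as 'email' or 'org.id' against the User Info
    JSON. The dotted syntax is an assumption, not UserVoice's documented one."""
    node = document
    for key in path.split("."):
        if isinstance(node, list) and key.isdigit():
            node = node[int(key)] if int(key) < len(node) else None
        elif isinstance(node, dict):
            node = node.get(key)
        else:
            return None
        if node is None:
            return None
    return node


def map_user(userinfo_json, email_path, guid_path, name_path=None, account_path=None):
    """Apply the configured JSON paths. Email and GUID are required; a missing
    GUID is rejected outright because it is the per-user unique key."""
    doc = json.loads(userinfo_json)
    guid, email = extract_claim(doc, guid_path), extract_claim(doc, email_path)
    if not guid or not email:
        raise ValueError("userinfo is missing the required email or GUID claim")
    return {
        "guid": str(guid),
        "email": email,
        "name": extract_claim(doc, name_path) if name_path else None,
        "external_account": extract_claim(doc, account_path) if account_path else None,
    }


# Constructed sample User Info response (not captured from any real IdP).
SAMPLE_USERINFO = json.dumps(
    {"sub": "24400320", "email": "alice@example.com", "name": "Alice Example",
     "org": {"id": "acme-42"}}
)

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(state, nonce))
    code = parse_callback(f"{REDIRECT_URL}?code=abc123&state={state}", state)
    print(json.dumps(build_token_request(code), indent=2))
    print(map_user(SAMPLE_USERINFO, "email", "sub", "name", "org.id"))
```

The point to carry over to a real configuration: the Client Secret only ever appears in the back-channel Authorization header of the token request, and the GUID path must resolve to a claim (here `sub`) that stays constant for a user even if their email or display name changes.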
Troubleshooting
You can find SSO logs in the Admin Console under Settings → Web Portal → SSO Logs. These logs often contain the information needed to resolve the issue, such as which field or claim the IdP response was missing.
If you continue to have issues configuring OIDC SSO, please contact our Support team by clicking the Support bubble in the bottom-right of this page. Please include your IdP and any other relevant information in your message.