Single sign-on with OpenID Connect

Updated by Anthony Pépin

The availability of this feature depends on your workspace's license or plan.

Opendatasoft allows access to your workspace to be managed through a single sign-on (SSO) authentication solution, and currently supports the OpenID Connect and SAML protocols.

For information on how to map your SSO groups to your Opendatasoft groups, see Mapping your directory to groups in Opendatasoft (with SSO).

Register your OpenID Connect provider on your workspace

  1. In your back office, go to Configuration > Signup, then click on the OpenID Connect tab.
  2. Activate the "Allow access for OpenID Connect users" toggle.
  3. Paste your provider discovery document into the "OpenID Connect provider information" field.
    This document should be formatted in JSON and can usually be retrieved from your provider endpoint. It must at least contain the following attributes:
    • issuer
    • authorization_endpoint
    • userinfo_endpoint
    • end_session_endpoint
    • jwks_uri
  4. If you would like to disable local user creation, so that only users who already exist in the workspace can sign in through OpenID Connect, check the "Disable local user provisioning" checkbox.
  5. Input the application credentials associated with your Opendatasoft workspace.
    As you have registered your Opendatasoft workspace as an OpenID Connect client on your provider, you should get a pair of credentials, namely Client ID and Client secret.
    These credentials are used to authenticate requests made by the Opendatasoft platform on the provider endpoint.
    Copy these credentials in the "Client ID" and "Client secret" fields.
  6. If you would like API calls to the Opendatasoft platform to be authenticated directly with JWT bearer tokens issued by your provider, so that a call is made on behalf of the user identified by the token, check the "Enable direct authentication with JWT bearer tokens" checkbox.
  7. List optional additional scopes
    Scopes in OpenID Connect are used to define the set of information (claims) an application would like to receive about a connected user. By default, Opendatasoft uses the following scopes: openid, profile, and email. These scopes make it possible to authenticate a user and to retrieve their email, first name, and last name.
    You can request additional scopes to receive further claims, which are stored as additional attributes in the user's profile and can be used in dataset security filters.
  8. List optional additional claims
    Claims are attributes collected during the authentication process that describe the user. By default, Opendatasoft only stores the  claim. Additional claims can be stored in the user profile and then used in dataset security filters.
  9. Input the URL on which the user can edit their user profile on the identity provider. When set, a link to this URL will be shown to the user on their user account page. If left blank, no URL will be shown to the user on their account page.
  10. Customize the OpenID Connect login link text. If left blank, a localized default message will be displayed.
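Before pasting a discovery document into the back office (step 3), it is worth checking that it really carries the attributes listed above and that every endpoint is served over HTTPS, since a mistyped or plain-HTTP endpoint silently weakens the whole login flow. The checker below is an added example written for this page, not Opendatasoft's own code; the two discovery documents it runs on are constructed samples for a hypothetical provider at idp.example.com, and the scope check against scopes_supported is an extra sanity check (that field is optional in the OpenID Connect Discovery specification, so its absence is not an error).

```python
import json
from urllib.parse import urlparse

# Attributes the Opendatasoft back office requires in the pasted discovery document (step 3)
REQUIRED_ATTRIBUTES = (
    "issuer",
    "authorization_endpoint",
    "userinfo_endpoint",
    "end_session_endpoint",
    "jwks_uri",
)
# Scopes Opendatasoft requests by default (step 7)
DEFAULT_SCOPES = ("openid", "profile", "email")


def check_discovery_document(raw: str) -> list:
    """Return a list of problems found in a provider discovery document.

    An empty list means the document can be pasted as-is. Entries prefixed
    with "warning:" are advisory, everything else should be fixed first.
    """
    problems = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    for attr in REQUIRED_ATTRIBUTES:
        if attr not in doc:
            problems.append(f"missing required attribute: {attr}")
            continue
        value = doc[attr]
        if not isinstance(value, str) or not value:
            problems.append(f"{attr} must be a non-empty string")
            continue
        url = urlparse(value)
        # Every endpoint the platform will call must be reachable over TLS
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{attr} must be an https URL, got {value!r}")

    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        url = urlparse(issuer)
        # OpenID Connect Discovery: the issuer is an https URL with no query or fragment
        if url.query or url.fragment:
            problems.append("issuer must not contain a query or fragment component")

    # scopes_supported is optional, so only warn when it is present but incomplete
    supported = doc.get("scopes_supported")
    if isinstance(supported, list):
        for scope in DEFAULT_SCOPES:
            if scope not in supported:
                problems.append(f"warning: provider does not advertise default scope {scope!r}")
    return problems


# Constructed sample: a well-formed discovery document for a hypothetical provider
GOOD_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "authorization_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/logout",
    "jwks_uri": "https://idp.example.com/realms/demo/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Constructed sample with three typical mistakes: a query string in the issuer,
# a missing end_session_endpoint and a plain-HTTP jwks_uri
BAD_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.com/?tenant=demo",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "http://idp.example.com/oauth2/keys",
})


if __name__ == "__main__":
    for name, document in (("good", GOOD_DOCUMENT), ("bad", BAD_DOCUMENT)):
        print(name, check_discovery_document(document) or "OK")
```

In practice you would fetch the document from the provider's well-known endpoint and feed the response body to check_discovery_document before pasting it; the function deliberately does not fetch anything itself so that it can be run offline against a saved copy.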

Register your workspace on your identity provider

The configuration of the identity provider is implementation-dependent, but it usually consists of registering on the identity provider the redirection URI of the workspace, which is of the form https://<YOUR WORKSPACE>/oidc/authenticate.

Some providers may support a pre-formatted configuration document in JSON format. This document can be downloaded from the following address: https://<YOUR WORKSPACE>/oidc/client_info

Single logout

The Opendatasoft platform supports single logout with OpenID Connect by means of the OpenID Connect Back-Channel Logout specification, in which the provider notifies the platform directly of a user's logout instead of relying on the user's browser.
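Back-channel logout works by the provider POSTing a signed JWT (the logout token) to the relying party, which must validate it before terminating any session. The code below is an added example of the claim checks that the Back-Channel Logout specification requires of a relying party; it is not Opendatasoft's implementation, which is not published on this page. It assumes a hypothetical provider at idp.example.com and a client ID of ods-workspace-client, and the sample token it parses is constructed with a placeholder signature segment: signature verification against the provider's jwks_uri is a separate, mandatory step that is intentionally left out here so the example runs offline.

```python
import base64
import json
import time

# The event name that marks a JWT as a back-channel logout token
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact-serialised JWT as a dict.

    This only parses. It does NOT verify the signature; in production the token
    must be verified against the keys at the provider's jwks_uri before the
    claims are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_logout_token_claims(claims, expected_issuer, client_id, now=None,
                                 seen_jti=None, max_age=300):
    """Apply the claim checks the Back-Channel Logout spec requires of an RP.

    Returns the identifiers (sub and/or sid) whose sessions must be ended, or
    raises ValueError with the reason the token must be rejected (HTTP 400).
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss does not match the configured provider")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain our client ID")
    iat = claims.get("iat")
    # Freshness window (60 s future skew, max_age seconds in the past) is a local policy choice
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the accepted window")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti is required")
    if seen_jti is not None:
        # Replay protection: a jti must not be accepted twice
        if jti in seen_jti:
            raise ValueError("logout token replayed (jti already seen)")
        seen_jti.add(jti)
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim does not declare a back-channel logout event")
    # A logout token must never carry a nonce; its presence suggests an ID token being replayed
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if not sub and not sid:
        raise ValueError("logout token must carry sub and/or sid")
    return {"sub": sub, "sid": sid}


def handle_backchannel_logout(token, expected_issuer, client_id, now=None, seen_jti=None):
    """Parse a posted logout_token and return the identifiers to log out."""
    claims = decode_jwt_payload(token)
    return validate_logout_token_claims(claims, expected_issuer, client_id,
                                        now=now, seen_jti=seen_jti)


# Constructed sample: the claims a provider would put in a logout token for this client
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/realms/demo",
    "sub": "user-42",
    "sid": "session-abc",
    "aud": "ods-workspace-client",
    "iat": 1_700_000_000,
    "jti": "logout-0001",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}

# Constructed sample token: RS256 header, the claims above and a placeholder
# signature segment (not a real signature; only payload decoding is exercised)
SAMPLE_LOGOUT_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "demo-key"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"placeholder-signature"),
])
```

The seen_jti set stands in for whatever store the relying party uses to remember recent token IDs; a real deployment would bound it by the same max_age window so that it cannot grow without limit.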
