The following documents how to implement OpenID Connect Authentication in conjunction with Single Sign On (SSO) Authentication (only available on Enterprise plans). For directions on how to turn on Single Sign On Authentication, start here.
OpenID Connect (Redirect Authentication Provider)
OpenID Connect is a newer protocol that builds on the well-known OAuth2 protocol. Formstack uses OAuth2 in the majority of our integrations to access restricted resources on external services as an authenticated user. OpenID Connect builds on top of this authentication mechanism to provide a standardized way to discover OAuth2 configuration settings and to retrieve user information for the authenticated user.
Formstack will use the discovery URL to get an authentication endpoint and will then redirect the authenticating user to that endpoint to continue authentication. Once the user is authenticated and authorizes Formstack to access their information, the user is returned to Formstack. Formstack will then use the user information endpoint returned from the discovery URL to get the email and other user information for the authenticating user.
Once Formstack has an email address, we search for the Formstack user and authenticate as that user. If a user is not found, the user information is used to create a new user under that account. When users are created this way, they have no account permissions and will need to be granted permission to Formstack resources.
Just like any OAuth2 configuration, OpenID Connect will require a client on the target external authentication system. Once the account owner has created an OAuth2 client, they will use the client settings and a discovery URL to configure the authentication provider. Other than having to register a client with the external authentication system, OpenID Connect's use of a discovery URL makes it very easy to set up.
This setting is the client ID for the client that the account owner created on the external authentication system.
This setting is the client secret for the client that the account owner created on the external authentication system.
This setting is the discovery URL for the external authentication system. During authentication, Formstack will use this discovery URL to get the OpenID Connect settings required for authentication.
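The discovery, redirect and email lookup steps described above can be sketched as follows. This is an added example, not Formstack's code. The function names, the `idp.example.com` provider, the requested scope and the requirement that `email_verified` be true before matching a user by email are all assumptions made for illustration.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document (not from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
})

def parse_discovery(discovery_url, body):
    """Validate a fetched discovery document and return the endpoints used."""
    doc = json.loads(body)
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("unexpected discovery URL path")
    # OpenID Connect Discovery: the issuer must equal the URL the document
    # was retrieved from, minus the well-known suffix.
    if doc.get("issuer") != discovery_url[: -len(WELL_KNOWN)]:
        raise ValueError("issuer does not match discovery URL")
    endpoints = {}
    for key in ("authorization_endpoint", "userinfo_endpoint"):
        url = doc.get(key, "")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} missing or not https")
        endpoints[key] = url
    return endpoints

def build_auth_redirect(endpoints, client_id, redirect_uri):
    """Return (url, state); state must be checked when the user returns."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
    })
    return f"{endpoints['authorization_endpoint']}?{query}", state

def email_for_lookup(userinfo):
    """Return the email to match a local user on, or None if unverified."""
    # Assumption: only a provider-verified email is trusted for user lookup.
    if userinfo.get("email_verified") is True and userinfo.get("email"):
        return userinfo["email"]
    return None
```

When testing a provider, checking the discovery document this way surfaces an issuer mismatch or a non-HTTPS endpoint before any user is redirected.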