Configuring OIDC single sign-on (SSO)

OpenID Connect (OIDC) is a standard protocol for authenticating users during inbound single sign-on (SSO). OIDC is an identity layer built on top of OAuth 2.0; in effect, it is a way of using OAuth for SSO. Medallia Experience Cloud is a server-side application that supports OpenID Connect authentication using the authorization code flow. These instructions detail how to configure Medallia Experience Cloud as a service provider (SP) that uses OIDC to authenticate users via the company's single sign-on identity provider (IdP).
Note: For detailed information about the protocol for the OIDC authorization code flow, see OpenID Connect Core 1.0 (incorporating errata). Medallia Experience Cloud supports the authorization code grant flow for signing in users via OIDC. For information about using OAuth for SSO, see the OpenID Connect FAQ and Q&As.
  1. Get connection information from the IdP administrator.
    Requisite       Description
    Client ID       Client ID used to connect to the OIDC IdP.
    Client Secret   Client secret used to connect to the OIDC IdP.

    When the IdP supports a "discovery endpoint", collect its URL from the IdP administrator:

    Requisite            Description
    Discovery endpoint   URL of the IdP discovery endpoint. For the specification of discovery endpoints, see https://openid.net/specs/openid-connect-discovery-1_0.html.

    When the provider does not support a discovery endpoint, collect this information from the IdP administrator:

    Requisite                   Description
    Issuer                      URL of the IdP issuer.
    JWKeyUrl                    URL from which to request the IdP's public key. Medallia Experience Cloud uses the key to verify the signature on the JWT ID token.
    Authorization Endpoint      URL to which the user is sent for the OAuth authentication request and to grant authorization.
    Token Endpoint              URL from which to request an ID token from the OIDC server. The token authenticates the user and includes information about the user, which can be used to create and/or identify the user's Experience Cloud account.
    User information Endpoint   Determines how and what user information the IdP provides. There are two ways for Experience Cloud to get the information:
    • Retrieve it from the ID token provided by the Token Endpoint, or

    • Request it from the User Info Endpoint (if the IdP provides one)

    By default, Experience Cloud identifies the user by the unique ID carried in the sub claim of the ID token. Optionally, the configuration may request the user's profile or email information and, if the IdP provides it, use that information to create and identify the account. OIDC profile information can include names and other personal information. To request the profile and/or email information, use the Email scope and Profile scope options.

  2. Configure the Medallia-side SP settings for the instance
  3. Process the response to identify the account

    When the IdP sends an authorization response, the Experience Cloud instance interprets it to verify the account and, optionally, to create or update an account if needed. There are two ways to process accounts based on the value in the response:

    • Verify existing accounts based on the Username or Company ID — This method only works when the claim value matches (case-insensitively) the value of an existing Username or Company ID.

    • Verify, update, and/or create accounts using an Auto Importer specification — This option is more flexible and can be used to process the ID value before performing the authorization activity. For example, the Username value must be lowercase, and an Auto Importer specification can convert the claim value to lowercase before performing the verification.
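
The following Python is an added example, not part of the original documentation or Medallia's own code. It shows the SP-side pieces of steps 1 and 3 above: deriving the manual requisites (Issuer, JWKeyUrl, endpoints) from a discovery document, building the authorization code request with the Email/Profile scopes, checking the claims of an ID token, and matching the sub or email claim to an existing account case-insensitively. The discovery document, claims and account list are constructed samples; signature verification with the key from JWKeyUrl is assumed to have been done by a JOSE library beforehand.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample of an IdP discovery document (only the fields used here).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
}

# Map a discovery document onto the requisites collected manually when the IdP
# has no discovery endpoint. userinfo_endpoint is optional in the discovery spec.
def requisites_from_discovery(doc):
    return {
        "Issuer": doc["issuer"],
        "JWKeyUrl": doc["jwks_uri"],
        "Authorization Endpoint": doc["authorization_endpoint"],
        "Token Endpoint": doc["token_endpoint"],
        "User Info Endpoint": doc.get("userinfo_endpoint"),
    }

# Build the authorization code request. "openid" is mandatory; "email" and
# "profile" correspond to the Email scope and Profile scope options. The state
# and nonce generated here must be kept on the SP session for the later checks.
def authorization_request(auth_endpoint, client_id, redirect_uri, email=False, profile=False):
    scopes = ["openid"] + (["email"] if email else []) + (["profile"] if profile else [])
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return f"{auth_endpoint}?{urlencode(query)}", state, nonce

# Claim checks on an ID token whose signature was already verified with the key
# fetched from JWKeyUrl: issuer, audience, expiry and nonce must all match.
def validate_id_token_claims(claims, issuer, client_id, nonce, now):
    aud = claims.get("aud")
    aud_ok = aud == client_id or (isinstance(aud, list) and client_id in aud)
    return (claims.get("iss") == issuer and aud_ok and claims.get("exp", 0) > now
            and claims.get("nonce") == nonce and "sub" in claims)

# Step 3, first option: match the identifying claim (sub by default, or email when
# the Email scope is used) against existing usernames, case-insensitively.
def find_account(claims, accounts, claim="sub"):
    value = claims.get(claim)
    if value is None:
        return None
    return next((a for a in accounts if a["username"].lower() == value.lower()), None)
```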

The instance is now configured to use OIDC for single sign-on.