Configuring OIDC single sign-on (SSO)
- Get connection information from the IdP administrator.
  Requisite      Description
  Client ID      Client ID used to connect to the OIDC IdP.
  Client Secret  Client secret used to connect to the OIDC IdP. It is a credential: keep it confidential and exchange it with the IdP administrator over a secure channel.
When the IdP supports a discovery endpoint, collect its URL from the IdP administrator:
  Requisite           Description
  Discovery endpoint  URL of the IdP discovery endpoint, normally the issuer URL followed by /.well-known/openid-configuration. The document served there publishes the issuer, JWKS URL, authorization endpoint, token endpoint and userinfo endpoint, so those values need not be entered by hand. For the specification, see https://openid.net/specs/openid-connect-discovery-1_0.html.
When the IdP does not support a discovery endpoint, collect this information from the IdP administrator:
  Requisite               Description
  Issuer                  URL that identifies the IdP; it is the value the IdP places in the iss claim of the ID token.
  JWKeyUrl                URL from which the IdP's public signing keys (its JWK Set) are fetched. Medallia Experience Cloud uses the key to verify the signature on the JWT ID token.
  Authorization Endpoint  URL to which the user's browser is sent for the OAuth authorization request: the user authenticates with the IdP and authorizes the request there.
  Token Endpoint          URL from which the ID token is requested. The token authenticates the user and carries claims about the user, which can be used to create and/or identify the user's Experience Cloud account.
  User Info Endpoint      Determines how and what user information the IdP provides. Experience Cloud can get the information in two ways:
    - Read it from the ID token returned by the Token Endpoint, or
    - Request it from the User Info Endpoint (if the IdP provides one).
By default, Experience Cloud identifies the user by the sub (subject) claim in the ID token, the unique identifier the IdP assigns to the user. Optionally, the configuration may request the user's profile or email information and, if the IdP provides it, use that information to create and identify the account. OIDC profile information can include names and other personal information, so request only what the account mapping needs. To request the profile and/or email information, use the Email scope and Profile scope options.
- Configure the Medallia-side SP settings for the instance
- Process the response to identify the account
When the IdP returns the authorization response, the Experience Cloud instance interprets it to verify the account and, optionally, to create or update an account when needed. There are two ways to process accounts based on the claim value in the response:
  - Verify existing accounts based on the Username or Company ID: this method works only when the claim value matches (case-insensitively) the Username or Company ID of an existing account; it does not create accounts.
  - Verify, update, and/or create accounts using an Auto Importer specification: this option is more flexible and can transform the claim value before the verification is performed. For example, a Username value must be lowercase, and an Auto Importer specification can lowercase the claim value before it is used to verify the account.
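The checks that the requisites above imply, as an added Go example (not code from this page or from Medallia's product): it builds an RSA key set in the JWK Set form served from the JWKeyUrl, signs an ID token the way an IdP's Token Endpoint would, and then performs the SP-side verification that must happen before any claim is trusted: select the key by kid, verify the RS256 signature, check iss against the Issuer, aud against the Client ID and exp against the clock, and only then read sub (and email, when the Email scope was granted) to identify the account. The issuer https://idp.example.test, client ID client-abc, key ID key-1 and user values are made up for the demo, the JWKS is built in memory rather than fetched over HTTPS, and aud is treated as a plain string although some IdPs send an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type jwk struct { // one RSA key in the JWK Set served from the IdP's JWKeyUrl (jwks_uri)
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type jwks struct{ Keys []jwk `json:"keys"` }

type Claims struct { // the ID token claims the SP needs; sub is the default account identifier
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // treated as a string here; some IdPs send an array
	Exp   int64  `json:"exp"`
	Email string `json:"email,omitempty"` // present only when the Email scope was granted
}

var b64 = base64.RawURLEncoding

func jwkFromPublic(kid string, pub *rsa.PublicKey) jwk {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwk{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}
}

func (k jwk) publicKey() *rsa.PublicKey {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if errN != nil || errE != nil || len(n) == 0 || len(e) == 0 {
		return nil
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
}

// MintIDToken stands in for the IdP's Token Endpoint: it returns an RS256-signed ID token.
func MintIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIDToken is the SP-side check: select the key by kid from the JWKS, verify the
// signature, then check iss, aud and exp. Only a token that passes all of these yields a sub.
func VerifyIDToken(tok string, keys jwks, issuer, clientID string, now time.Time) (c Claims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("malformed token or unsupported alg") // alg is pinned; "none" or HMAC algs from the header are refused
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid {
			pub = k.publicKey()
		}
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return c, fmt.Errorf("no matching JWKS key or bad signature")
	}
	if json.Unmarshal(body, &c) != nil || c.Iss != issuer || c.Aud != clientID {
		return Claims{}, fmt.Errorf("issuer or audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := jwks{Keys: []jwk{jwkFromPublic("key-1", &priv.PublicKey)}}
	// Hypothetical issuer, client ID and user for the demo; not a real IdP.
	c := Claims{Iss: "https://idp.example.test", Sub: "u-123", Aud: "client-abc", Exp: time.Now().Add(time.Minute).Unix(), Email: "jane@example.test"}
	got, err := VerifyIDToken(MintIDToken(priv, "key-1", c), keys, c.Iss, c.Aud, time.Now())
	fmt.Println(got.Sub, got.Email, err)
}
```

Running it with go run prints the verified sub and email and a nil error. The order matters: a token whose payload was altered after signing, one that names a kid the JWKS does not contain, one signed with a different key, or one that carries alg=none all fail before any claim is read, and a token minted for another client fails the aud check even though its signature is valid. The Username or Company ID matching described above then operates only on the sub or email value that survived these checks.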