Rishi
Saviynt Employee

Use Case

Saviynt supports generating an API Access Token using OpenID Connect (OIDC). This API Access Token is required to authenticate requests when invoking the Saviynt REST API.

Pre-requisites

  • A third-party identity provider (IDP, the OpenID provider) that supports the OIDC specification is required. The IDP authenticates the user session and issues the OIDC ID token that Saviynt uses to generate the API Access Token.
  • The OIDC integration does not involve any service account; it relies on the IDP client ID and client secret to communicate.
  • The API Access Token is generated based on the Saviynt SAV role associated with the username present in the ID token. If the user in the ID token is an end user with the EndUser SAV role, the token's access is limited to what that role allows, such as invoking the submit-request APIs. For the same OIDC integration, a user with an Admin SAV role receives a token that can reach more APIs.

    This enhances security by limiting access to the Saviynt API to what the logged-in user is entitled to.

  • Once the Access Token is generated, the customer application can use it to invoke subsequent Saviynt APIs.

Applicable Version(s)

Saviynt v5.5 SP3 and above supports the OIDC authorization code flow. This flow is recommended because it is more secure than the implicit flow: the tokens are returned to Saviynt in a back-channel request authenticated with the client secret rather than being exposed in the browser.

Solution

Scenario: The customer application integrates with Saviynt to fetch user information and to create or update requests through the Saviynt REST APIs. To generate Saviynt's Access Token (used for API authentication), OIDC is implemented with a third-party OpenID provider.

This example has the following three main entities:

  1. Third-party (customer) application that needs to invoke the Saviynt API to get user data.
  2. Saviynt application, acting as the Relying Party.
  3. Customer IDP, acting as the OpenID provider.
Refer to the flow below to understand how the OpenID flow is used to generate the Access Token.

[Figure: OIDCFlow.jpg, the OpenID flow used to generate the Access Token]

 

STEPS:

Step 1: The user accesses the customer application, which fetches user information from Saviynt using the Saviynt REST API. To generate Saviynt's Access Token, the OIDC authorization code flow is implemented.

 

Step 2: The application redirects the browser to the OpenID provider's authorization URL (for example, Okta) to obtain a one-time authorization code. Refer to the sample URL below:

https://xxxx.zzzzz.com/oauth2/default/v1/authorize?client_id=xxxxxxxxxxxxxxxx&redirect_uri=https%3A%...

Note: the Saviynt redirect URL is https://<hostname>/ECM/login/openidSuccess. It must be registered in the IDP exactly as sent in the redirect_uri parameter, otherwise the IDP will reject the authorization request.

Note: the scope parameter value should be "openid profile".

 

Steps 3 and 4: The OpenID provider generates the one-time code and sends it as a query parameter to the redirect URI configured in the IDP. Refer to the sample URL below:

https://xxxxx.saviyntcloud.com/ECM/login/openidSuccess?code=xxxxxxxxxxxxxxxxxxxxxxxx&state=login

 

Step 5: Saviynt constructs a request using the code together with the client ID and client secret configured in Saviynt, and sends it to the OpenID provider's token generation URL.

Note: the IDP client ID, client secret and token generation URL must be configured in the Saviynt config file.

Step 6: The OpenID provider validates the request and, in the response, sends the ID token, which contains the username (or another user attribute) that is used to map to the Saviynt user attribute.

Step 7: Saviynt validates the user in its own repository. If the user is found, Saviynt identifies the associated SAV role, generates the Access Token based on the access linked to that role, and returns an Access Token and Refresh Token pair.

The application can use this Access Token to authenticate subsequent API requests.
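The following Python walks through Steps 2 to 7 end to end. It is an added example, not Saviynt code and not part of the original post: the IDP hostname and issuer, the Saviynt tenant hostname, the client ID, the HS256 signing key and the sample callback URL are all constructed placeholders. Two things are simplified on purpose and labelled in the code: the ID token is signed with HS256 so the validator can run offline (a real IDP such as Okta signs with RS256 and publishes its keys at a JWKS endpoint), and the token exchange and ID-token validation of Steps 5 to 7 are shown here for illustration even though in the Saviynt flow they are performed by Saviynt, not by the customer application.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; real values come from the IDP and the Saviynt tenant.
IDP_AUTHORIZE_URL = "https://idp.example.com/oauth2/default/v1/authorize"
IDP_ISSUER = "https://idp.example.com/oauth2/default"
SAVIYNT_REDIRECT_URI = "https://tenant.saviyntcloud.com/ECM/login/openidSuccess"
CLIENT_ID = "0oa-constructed-client-id"
MAPPING_CLAIM = "preferred_username"  # attribute used to map the IDP user to a Saviynt user


def build_authorize_url(state: str, nonce: str) -> str:
    """Step 2: the URL the customer application redirects the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",      # authorization code flow, not implicit
        "scope": "openid profile",    # value required by the post
        "redirect_uri": SAVIYNT_REDIRECT_URI,
        "state": state,
        "nonce": nonce,               # echoed in the ID token; binds it to this login
    }
    return f"{IDP_AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Steps 3-4: pull the one-time code out of the redirect, checking state first."""
    parts = urlsplit(callback_url)
    if parts.path != urlsplit(SAVIYNT_REDIRECT_URI).path:
        raise ValueError("redirect did not land on the Saviynt openidSuccess path")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"IDP returned error={query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject, this may be a forged callback")
    return query["code"][0]


def token_request_form(code: str) -> dict:
    """Step 5: form fields of the standard authorization_code grant. The client
    secret goes in an HTTP Basic header (or a client_secret form field), never in a URL."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": SAVIYNT_REDIRECT_URI}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IDP in Step 6: an HS256-signed ID token so this runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(id_token: str, key: bytes, nonce: str, now: int) -> str:
    """Steps 6-7: checks the relying party must pass before trusting the mapped username."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        raise ValueError(f"unexpected alg {header.get('alg')}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != IDP_ISSUER or CLIENT_ID not in aud:
        raise ValueError("ID token was issued by or for someone else")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not bound to this login")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    user = claims.get(MAPPING_CLAIM)
    if not user:
        raise ValueError(f"ID token lacks the {MAPPING_CLAIM} mapping attribute")
    return user  # Saviynt looks this user up, picks the SAV role, then mints AccessToken/RefreshToken


def run_flow_demo() -> dict:
    """Walks Steps 2-7 with a constructed callback and ID token; returns what each step produced."""
    state, nonce = "login", secrets.token_urlsafe(16)   # the post's sample callback uses state=login
    authorize_url = build_authorize_url(state, nonce)
    callback = f"{SAVIYNT_REDIRECT_URI}?code=abc123&state={state}"   # constructed Steps 3-4 redirect
    code = parse_callback(callback, state)
    key = b"constructed-shared-secret"
    now = int(time.time())
    id_token = make_sample_id_token(
        {"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "u-42", "nonce": nonce,
         "iat": now, "exp": now + 300, MAPPING_CLAIM: "jdoe"}, key)
    user = validate_id_token(id_token, key, nonce, now)
    return {"authorize_url": authorize_url, "code": code,
            "token_form": token_request_form(code), "user": user}


if __name__ == "__main__":
    print(json.dumps(run_flow_demo(), indent=2))
```

Running the script prints the authorization URL, the extracted code, the token request form and the mapped username "jdoe". The checks that matter for security are the ones that reject: a callback whose state does not match, an ID token whose signature, issuer, audience, nonce or expiry does not check out, or one that lacks the mapping attribute. Only after all of them pass does the username get looked up and a SAV role attached to the Access Token.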

Information needed to configure OIDC

Saviynt (as the Relying Party) will need the following information from the OpenID provider:

  • Client Id

  • Client Secret

  • IDP Authorization server URL that generates the authorization code

  • IDP Token generation URL that generates the OIDC ID Token

  • User mapping attribute to uniquely map the user in ID token and Saviynt user identity

Once the above information is available, contact Saviynt support to update the Saviynt configuration.

The OpenID provider will need the following information:

  • Saviynt Redirect url
  • User attribute that will be used to map user between OpenID provider and Saviynt
  • State parameter value
Last update: 05/08/2023 03:47 PM