Saviynt supports generating an API Access Token using OpenID Connect (OIDC). This API Access Token is required to authenticate requests that invoke the Saviynt REST API.
The API Access Token is generated based on the Saviynt SAV role associated with the username present in the OIDC token. For example, if the user in the OIDC token is an end user with the EndUser SAV role, then the token's access is limited to what the EndUser SAV role allows, such as invoking the submit request APIs. However, for the same OIDC integration, if another user has the Admin SAV role, then that user's token has access to more APIs.
Thus, it enhances security by limiting access to the Saviynt API based on the logged-in user.
Saviynt v5.5 SP3 and above supports the OIDC authorization code flow. It is recommended to use this flow, as it is more secure than the implicit flow.
Scenario: The customer application integrates with Saviynt to fetch user information and to update or create requests in Saviynt using the Saviynt REST APIs. To generate Saviynt's AccessToken (for API authentication), OIDC is implemented using a third-party OpenID provider.
This example has the following three main entities:
Step 1: The user accesses the customer application, which fetches user information from Saviynt using the Saviynt REST API. To generate Saviynt's AccessToken, the OIDC authorization code based option is implemented.
Step 2: The application redirects to the OpenID provider's authorization URL (such as Okta) to request the one-time code. Refer to the sample URL.
Note: the Saviynt redirect URL is https://<hostname>/ECM/login/openidSuccess
Note: the scope parameter value should be “openid profile”
Steps 3 and 4: The OpenID Provider generates the one-time code and sends it as a query parameter to the redirect URI configured in the IDP. Refer to the sample URL below:
Step 5: Saviynt constructs a request using the code together with the client ID and secret configured in Saviynt, and sends it to the OpenID provider's token generation URL.
Note – the IDP client ID, secret and token generation URL should be configured in the Saviynt config file.
Step 6: The OpenID provider validates the information and, in the response, sends the ID token, which contains the username or any other user attribute that will be used to map to the Saviynt user attribute.
Step 7: Saviynt validates the user in its own repository. If the user is found, Saviynt identifies the associated SAV role, generates the AccessToken based on the access linked to that SAV role, and in the response sends an AccessToken and RefreshToken pair.
This token can be used by the application to authenticate subsequent API requests.
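The relying-party side of steps 2 through 7 as plain functions, added here as an illustration and not part of Saviynt's product code: building the authorization request with the required scope and redirect URL, extracting the one-time code from the callback, and checking the ID token claims before the mapping attribute is read. The provider URLs, client ID, hostname and claim names are assumed placeholders; the state and nonce checks are standard OIDC practice the page does not mention, and ID token signature verification is assumed to have been done already.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder values; only the redirect path and the scope come from the page.
IDP_AUTHORIZE_URL = "https://idp.example.com/authorize"
IDP_ISSUER = "https://idp.example.com"
CLIENT_ID = "saviynt-client-id"
SAVIYNT_REDIRECT_URI = "https://saviynt.example.com/ECM/login/openidSuccess"
REQUIRED_SCOPE = "openid profile"


def build_authorization_url(state, nonce):
    """Step 2: the URL the application redirects the browser to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": SAVIYNT_REDIRECT_URI, "scope": REQUIRED_SCOPE,
              "state": state, "nonce": nonce}
    return IDP_AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Steps 3-4: pull the one-time code from the redirect; refuse a wrong state."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the callback")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Step 6: claim checks to run on the ID token after its signature is verified.
    Returns the names of the checks that failed (empty list means accepted)."""
    now = now if now is not None else int(time.time())
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    checks = {
        "iss": claims.get("iss") == IDP_ISSUER,
        "aud": aud_ok,
        "exp": claims.get("exp", 0) > now,
        "nonce": claims.get("nonce") == expected_nonce,
    }
    return [name for name, ok in checks.items() if not ok]


def saviynt_mapping_value(claims, mapping_attribute, expected_nonce, now=None):
    """Step 7 input: the claim value used to look the user up in the Saviynt repository."""
    failed = validate_id_token_claims(claims, expected_nonce, now)
    if failed:
        raise ValueError("ID token rejected, failed claims: " + ", ".join(failed))
    value = claims.get(mapping_attribute)
    if not value:
        raise ValueError("mapping attribute missing: " + mapping_attribute)
    return value
```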
Saviynt (as the Relying Party) will need the following information from the OpenID Provider:
IDP Authorization server URL that generates the authorization code
IDP Token generation URL that generates the OIDC ID Token
User mapping attribute used to uniquely map the user in the ID token to the Saviynt user identity
Once the above information is available, contact Saviynt support to update the Saviynt configuration.
The OpenID Provider will need the following information: