OpenID

OpenID is an open standard that provides user authentication (identity) features and is built upon OAuth 2.0 flows. Like SAML, it uses an external identity provider (IdP) to authenticate the user and enables single sign-on (SSO). While there are several underlying technical differences between SAML and OpenID, the most important differences are that OpenID is a lighter-weight protocol and requires explicit user consent to access as part of its communication flows.

OpenID satisfies requirements for identity and access in the following ways:

• Authentication - The user logs into the identity provider's server that, in turn, authenticates the user and generates a Token ID confirming the user's identity. This token ID is returned to Devo as an encrypted JSON web token. 
• Authorization - The request to the identity server includes a scope parameter that specifies the level of access to domain resources as dictated by the user's role in Devo.

Setting up OpenID user authentication

1. Go to the Authentication tab in Preferences → Domain Preferences.
2. In the OpenID tab, select the Active checkbox.

3. These are the fields that you will see in the form:

   Home URL	You will need to copy this for when you set up access on the IdP account, outside Devo. After setting up the Open ID authentication, users will access this URL and will be redirected to the IdP site to enter their credentials.
   Client Id and Client secret	Credentials that Devo will use to authenticate API communications with the IdP server. These are generated by the IdP when you register Devo as an app in your IdP account.
   Identity provider URL	This is the secure HTTP URL where Devo needs to direct its requests for authorization (sometimes called the Authorization endpoint). You should copy this from your IdP account.
   Token URL	This is the secure HTTP URL where Devo needs to direct its requests for token IDs (sometimes called the Token endpoint). You should copy this from your IdP account.
   User provisioning	Select this checkbox if you want users not registered in the domain to be signed up when they enter their credentials for the first time. They will be assigned the No Privileges role.

4. After generating the required values in your IdP and entering them in this form, click Update to finish the process. Users will now be able to login to their Devo domains using the IdP credentials.

Example: Use Google as an IdP to set up OpenID

Follow these steps if you want users to log in to Devo using their Google credentials

1. First, go to the Preferences → Domain Preferences → Authentication, open the OpenID tab and select the Active checkbox.

2. Now, create or open a project in the Google Cloud Platform.

3. Go to the OAuth consent screen to select the privacy level of the application. Choose Public if you want any user with a Google account to access the redirect URI, or Private if you want only users in the Devo organization to access it. You must also enter an Authorized domain (devo.com).
4. Now go to Credentials to create your project's OAuth 2.0 credentials, clicking Create credentials → OAuth client ID → Web application. In this screen, set the redirect URIs that determine where to send the responses to your authentication requests. You must enter the URL of the Devo cloud corresponding to your region, followed by /devo/openid/.

5. A window will appear showing your client ID and secret. Copy and paste them in the corresponding fields in Devo.

6. Finally, enter the following values in the remaining fields: 

   Identity provider URL	https://accounts.google.com/o/oauth2/v2/auth
   Token URL	https://oauth2.googleapis.com/token
   Identity info query URL	https://openidconnect.googleapis.com/v1/userinfo

7. If you check the User provisioning option, users not registered in the domain that access the URL will be automatically registered after authenticating with their Google credentials. Note that you must set the level of privacy to Public to allow external users to access the URL.
8. Click Update. Now, users will be able to connect to the Devo domain opening the URL in the Home URL field of the form. They will be taken to the Google site to enter their credentials, and then will be redirected to Devo.