SSO With A Custom OIDC Provider

Overview

Blindata offers integration with your preferred OpenID Connect (OIDC) provider, allowing users to log in using their existing credentials from that provider. This provides flexibility and centralized authentication for on-premise and dedicated deployments.

Info

You can configure a custom OIDC provider for on-premises and dedicated deployments. For assistance with setting up custom providers on a multi-tenant SaaS installation, please contact technical support.

Supported grant flows

Blindata supports two common OIDC grant flows for custom OIDC provider integration:

  • Implicit Flow: after the user authenticates, the provider sends the ID token (and optionally an access token) straight back to the browser in the fragment of the redirect URL, with no server-side exchange. It is simple to set up, but the tokens are exposed to the browser and to anything that can read the URL (browser history, the Referer header on later navigations, and any script or extension running in the page), and the provider never authenticates Blindata before issuing them. (Security Note: the OAuth 2.0 Security Best Current Practice advises against the implicit grant and modern OIDC providers are phasing it out; use it only where the Authorization Code Flow is not available.)
  • Authorization Code Flow: after the user authenticates, the browser is redirected back to Blindata with only a short-lived, single-use authorization code. Blindata then presents that code, together with its client credentials, to the provider's token endpoint in a server-to-server (back-channel) call and receives the ID token in return. The token never passes through the browser and the provider authenticates Blindata before issuing it, which is why this is the flow to use for new integrations.

Configuring the subject claim

In Blindata’s custom OIDC provider integration, each Blindata username must match a specific identifier asserted by the OIDC authorization server. This identifier can be:

  • Subject Identifier: the sub claim, an identifier that is unique within the provider and, per the OIDC specification, never reassigned to another user. It is the most stable choice, but it is usually opaque rather than human-readable.
  • UPN (User Principal Name): typically the username combined with the domain name (e.g., username@domain.com).
  • Email: the email address associated with the user’s account at the OIDC provider.

During the OIDC provider integration setup, you’ll need to map the claim from the OIDC provider that carries one of these identifiers (subject identifier, UPN, or email) to the corresponding user field within Blindata. Choose a claim your provider guarantees to be unique, stable and verified for every user: if you map email or UPN, make sure users cannot change that attribute at the provider on their own, otherwise a user who sets it to another person’s address would be logged in to Blindata as that person.
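The Authorization Code Flow described under "Supported grant flows" and the subject-claim mapping above, as one added example that is not Blindata's code or part of this page. It assumes a fake in-memory provider (FakeProvider), assumed registration values (CLIENT_ID, CLIENT_SECRET, ISSUER, REDIRECT_URI), a constructed sample identity (SAMPLE_USER), and HS256 ID tokens keyed with the client secret so that it runs offline; a real integration would validate an RS256 signature against the provider's published JWKS. It shows the front-channel redirect carrying only a code, the back-channel code exchange, the relying-party checks on the ID token, single-use codes, and the configurable sub/upn/email mapping to a username.

```python
"""Added example, not Blindata's code: one OIDC Authorization Code Flow run against a
fake in-memory provider, then mapping the configured claim (sub, upn or email) to a
username. HS256 keyed with the client secret is used only so this runs offline."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "blindata-onprem"  # assumed registration values below; none come from the page
CLIENT_SECRET = "example-client-secret-change-me"
ISSUER = "https://idp.example.com"
REDIRECT_URI = "https://blindata.example.com/login/oidc/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: str) -> str:
    """Compact JWS with HS256 (OIDC Core allows it when keyed with the client secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class FakeProvider:
    def __init__(self):  # stand-in OIDC authorization server, constructed for this example
        self._codes = {}  # authorization code -> (user claims, nonce); single use

    def authorize(self, params: dict, user: dict) -> str:
        """Authorization endpoint, after the user authenticated: returns the redirect URL.
        Only a short-lived code reaches the browser; the Implicit Flow would put the id_token here."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, params["nonce"])
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Token endpoint: a back-channel call, so the client authenticates itself here."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        if redirect_uri != REDIRECT_URI or code not in self._codes:
            raise PermissionError("invalid_grant")  # unknown, or already redeemed, code
        user, nonce = self._codes.pop(code)
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": client_id, "iat": now, "exp": now + 300,
                  "nonce": nonce, **user}
        return {"id_token": sign_jwt(claims, client_secret), "token_type": "Bearer"}

def verify_id_token(token: str, expected_nonce: str, now: int = None) -> dict:
    """Relying-party checks from OIDC Core 3.1.3.7: signature, iss, aud, exp, nonce."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("id_token not from the expected issuer or not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible token replay)")
    return claims

def username_from_claims(claims: dict, subject_claim: str) -> str:
    """Map the configured claim to the Blindata username; fail closed if it is absent."""
    if subject_claim not in ("sub", "upn", "email"):
        raise ValueError(f"unsupported subject claim: {subject_claim}")
    value = claims.get(subject_claim)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"id_token carries no usable '{subject_claim}' claim")
    return value

def request_code(provider: FakeProvider, user: dict, state: str, nonce: str) -> str:
    # Front-channel leg: send the user to the provider, read the code off the redirect.
    redirect = provider.authorize({"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
                                   "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}, user)
    query = parse_qs(urlparse(redirect).query)
    if query.get("state", [None])[0] != state:
        raise ValueError("state mismatch (possible login CSRF)")
    return query["code"][0]

def login(provider: FakeProvider, user: dict, subject_claim: str = "email") -> str:
    # Complete Authorization Code Flow, returning the resolved Blindata username.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # kept in the session
    code = request_code(provider, user, state, nonce)
    tokens = provider.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)  # back channel
    return username_from_claims(verify_id_token(tokens["id_token"], nonce), subject_claim)

def code_replay_rejected(provider: FakeProvider, user: dict) -> bool:
    # Authorization codes are single use: redeeming one twice must fail.
    code = request_code(provider, user, "state-1", "nonce-1")
    provider.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    try:
        provider.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    except PermissionError:
        return True
    return False

# Constructed sample identity, as the provider would assert it.
SAMPLE_USER = {"sub": "7d9f2c1e8b3a4f06", "upn": "alice@corp.example", "email": "alice@corp.example"}
```

Calling login(FakeProvider(), SAMPLE_USER, "email") resolves the username from the email claim, and passing "sub" or "upn" selects the other two mappings; code_replay_rejected(FakeProvider(), SAMPLE_USER) returns True because the provider discards a code on first redemption. The state value guards the callback against login CSRF, the nonce ties the ID token to this login attempt, and the audience check stops a token issued to another client from being accepted, which are the checks a relying party needs regardless of which claim it maps to a username.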

Contact your sales representative for the technical guides on how to configure your on-premise instance.