On Journey by Forj, single sign-on (SSO) can be configured with any platform that provides OpenID Connect services for end-user authentication. OpenID Connect is a standard authentication protocol that lets users sign in to an identity provider (IdP) such as Google. After they have successfully signed in to their IdP, they are automatically signed in to the platform.
If you experience issues saving the OpenID Configuration because of the registered Directory Document, use the OAuth2 Configuration instead.
Register an OpenID Connect App
Before you can configure SSO for your Journey by Forj account, you must register it with your service provider. The process varies depending on the service provider.
- Register your app on your service provider's website.
- Modify the app settings and set the app domain (or Home Page URL) to your Mobilize community's callback URL, for example http://my_community.mobilize.io/users/auth/openidconnect/callback
- From the provider's documentation, obtain the Client ID, the Client Secret and the Directory Document URL.
Note: These domains must match your community's current domain. If your domain changes, or if you use a custom domain, the new domain must be reflected here.
Set up SSO in Journey by Forj
The Authentication tab on the Community Settings page is where you set up SSO for the account. To reach it, click the Community menu (the people icon in the upper right corner), select Community settings, then select Authentication.
- Enter the Directory Document URL (omit ".well-known/openid-configuration"); this document describes the OpenID Connect provider's configuration.
- Use the Client ID from your provider for the Forj Community App ID field.
- Use the Client Secret from your provider for the Forj Community App Secret field.
- Select the OIDC Client Authentication Method described in your IdP's SSO documentation:
  - Basic authentication - the Client ID and Secret are sent in an Authorization header.
  - Post body - the Client ID and Secret are sent in the request body.
- Enter the Button text that members will see when they log in to the Journey by Forj Community.
Note: Click Save changes to commit the configuration and enable SSO into the Community through the linked Identity Provider.
Want to test your SSO? Enter the full Directory Document URL (including ".well-known/openid-configuration") into Chrome's address bar; you will get a JSON document. Check it against Google's discovery document (https://accounts.google.com/.well-known/openid-configuration). Once your Directory Document looks like Google's, it should work.
If you run into any errors, first check your community's SSL/TLS certificate and make sure it is valid and up to date.
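The manual test above can be scripted. The following is an added example, not Forj's code: it checks a discovery document for the endpoints the login flow needs and for an issuer that matches the Directory Document URL, reads which of Forj's two authentication methods the provider accepts, and shows how the Client ID and Secret travel in each method. The discovery document, client credentials and callback URL are constructed sample values.

```python
import base64
import json
from urllib.parse import quote, urlencode
# Constructed sample of what a provider serves at <Directory Document URL>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "jwks_uri": "https://idp.example.com/jwks",
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
})
# Endpoints the code flow, the User Info call and ID-token verification depend on.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri")
# Discovery names for the two choices in Forj's "OIDC Client Authentication Method".
FORJ_METHODS = {"client_secret_basic": "Basic authentication",
                "client_secret_post": "Post body"}

def check_discovery(directory_url, body):
    """Return problems found in the JSON a provider returns for its discovery URL."""
    doc = json.loads(body)
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    base = directory_url.rstrip("/")
    if doc.get("issuer", "").rstrip("/") != base:  # issuer must equal the Directory URL
        problems.append(f"issuer {doc.get('issuer')!r} != directory URL {base!r}")
    problems += [f"{k} is not https" for k in REQUIRED
                 if k in doc and not doc[k].startswith("https://")]
    return problems

def forj_auth_methods(body):
    """Which Forj authentication-method choices the provider's token endpoint accepts."""
    # OpenID Connect Discovery: an absent list means client_secret_basic only.
    methods = json.loads(body).get("token_endpoint_auth_methods_supported",
                                   ["client_secret_basic"])
    return [FORJ_METHODS[m] for m in methods if m in FORJ_METHODS]

def token_request(method, client_id, client_secret, code, redirect_uri):
    """Headers and form body of the code-exchange call under each Forj method."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "Basic authentication":
        # RFC 6749 2.3.1: form-encode id and secret, then base64 "id:secret".
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "Post body":
        form["client_id"], form["client_secret"] = client_id, client_secret
    else:
        raise ValueError(f"unknown method {method!r}")
    return headers, urlencode(form)
```

To run it against a live provider, fetch the discovery URL over HTTPS and pass the response text to check_discovery and forj_auth_methods.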
What to expect after SSO is enabled
From now on, all members can authenticate with SSO login and Journey by Forj uses this login to identify the user. Members who are already logged in to your organization's SSO will not have to log in to the platform again.
Map Profile Fields
On top of authenticating users into Journey by Forj, SSO can pre-fill desired Profile information from the information associated with the User in the connected Identity Provider. After selecting the Group that users are added to by default upon SSO, you can map information available through the designated User Info Endpoint to the Registration Fields configured for the selected group.
- Click the Add Mapping button.
- Select the Field to map from the available User Profile Fields.
- Enter the Name of the field, as returned by the Identity Provider, that should fill the selected field.
- Add Mappings until all of the desired fields are mapped.