On Journey by Forj, single sign-on (SSO) can be configured with any platform that exposes an OAuth 2.0 service for End User authentication. OAuth 2.0 is a standard authorization framework: users enter their credentials at the Identity Provider (IdP), which then issues the configured Service Provider (SP) a token the SP can use to look up the user and log them in automatically. Once SSO is configured in a Journey by Forj Community, the Community sign-in page links to the Identity Provider's login page, where users authenticate. After successful authentication at the Identity Provider, the browser is redirected back to the Community and the user is logged in without re-entering any credentials in the Community.
If the intended Identity Provider supports OpenID Connect on top of OAuth 2.0, use the OpenID Configuration instead to achieve SSO with Journey by Forj, since much of the setup (in particular endpoint discovery) is then automated. Journey by Forj currently supports the Authorization Code grant (sometimes called the access code workflow) as described in the OAuth 2.0 specification (RFC 6749).
Table of Contents
Register an OAuth2 App in the Identity Provider
Setup OAuth2 Authentication in Journey by Forj
Register an OAuth2 App in the Identity Provider
Before OAuth2 SSO can be configured in Journey by Forj, an app must be created in the selected Identity Provider. The exact process for creating an OAuth2 App varies by Identity Provider.
- Create the OAuth2 app in the Identity Provider.
- Set the Redirect URI for the app to the Journey by Forj Community's OAuth2 Callback URL. The Identity Provider will only redirect back to URIs registered here, so it must match exactly (scheme, host and path):
- https://<community url>/users/auth/oauth2/callback
- Copy the Client ID and Client Secret generated for the OAuth2 App; both are required to establish the connection in the Community. Treat the Client Secret as a credential and store it accordingly.
- Consult the Identity Provider's SSO documentation for its Authorization, Token and User Info endpoints, which are also required to establish the connection in the Community.
Setup OAuth2 Authentication in Journey by Forj
SSO connections are configured on the Authentication page under Community Settings, which is accessible to the designated Account Owner. To view the Community Settings, click the Community menu (people icon in the upper right corner) > Select Community settings > Select Authentication.
- Enable Single Sign-on Toggle.
- Select and Expand the OAuth2 Configuration.
- From the dropdown, Select the Group users should be added to by default upon SSO into the Community.
- Enter the Client ID and Client Secret generated when registering the App in the Identity Provider.
- Select the OAuth2 Client Authentication Method the Identity Provider expects for Token requests, per its SSO documentation. Choosing the method the Identity Provider does not accept typically surfaces as an invalid_client error from the Token Endpoint.
- Basic Authentication - the Client ID and Secret are sent in the HTTP Authorization header of the request (client_secret_basic).
- Post Body - the Client ID and Secret are sent as form parameters in the Body of the request (client_secret_post).
- Enter the desired text for the Login Button on the Community Sign in page in the Button Label Text.
- Enter the endpoints (HTTPS URLs) needed to achieve a connection, as given in the SSO Documentation for the Identity Provider:
- Authorization Endpoint URL
- Token Endpoint URL
- User Info Endpoint URL
Map Profile Fields
On top of authenticating users into Journey by Forj, SSO can pre-fill Profile information from the User's record in the connected Identity Provider. After selecting the Group users are added to by default upon SSO, fields returned by the designated User Info Endpoint can be mapped to the Registration Fields configured for the selected group.
Note: Because this connection was not configured from an SSO discovery URL, the fields available from the User Info Endpoint cannot be predicted, so mappings MUST be added for the User ID and Email Address fields to achieve basic SSO. Map User ID to the Identity Provider's stable, unique user identifier (for example sub in an OpenID Connect user info response) rather than to a value the user can change, since it is what ties the Identity Provider account to the Community account.
- Click the Add Mapping button.
- Select the Field to map from the available User Profile Fields.
- Enter the name of the field, exactly as it appears in the User Info response from the Identity Provider, that should fill the selected field.
- Add Mappings until all of the desired fields are mapped.
Note: If there are defined Registration fields that aren't mapped through SSO, users will be presented with the Registration form after SSO on first access to Journey by Forj.
Note: Save changes to commit the configuration and enable SSO into the Community through the linked Identity Provider.
Note: If unsure which fields the Identity Provider makes available for mapping, reach out to Forj Support for assistance; the fields returned by the User Info Endpoint are logged in the background.
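The following is an added example, not Journey by Forj code, that walks through what the settings above configure end to end: the authorization request sent from the login button, the state check on the callback, the Token Endpoint request under each Client Authentication Method, and the User Info field mapping with the User ID and Email requirement enforced. All hosts, the Client ID and Secret, the user info document and the mapping table are constructed for illustration; the Community's actual internal field names are not known and "user_id" and "email" are assumed labels.

```python
"""Added example, not Journey by Forj code: the authorization-code exchange the
SSO settings above describe, followed by the User Info field mapping.
All hosts, client credentials, the userinfo document and the mapping table are
constructed for illustration."""
import base64
import secrets
import urllib.parse

COMMUNITY_URL = "community.example.com"                              # assumed
REDIRECT_URI = f"https://{COMMUNITY_URL}/users/auth/oauth2/callback"
CLIENT_ID = "forj-community-client"                                  # assumed
CLIENT_SECRET = "s3cr3t-from-the-idp"                                # assumed
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"  # assumed
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"              # assumed

# The two profile fields the page says must be mapped for basic SSO (assumed labels).
REQUIRED_PROFILE_FIELDS = ("user_id", "email")


def new_state() -> str:
    """Per-login random value; the SP stores it and checks it on the callback."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, scope: str = "openid email profile") -> str:
    """Where the Community's login button sends the browser (authorization request)."""
    params = {
        "response_type": "code",       # authorization-code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the URI registered at the IdP exactly
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """The IdP redirects to the callback URL with code and state; verify state, return code."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale session or login CSRF attempt")
    if "code" not in query:
        raise ValueError("no code in authorization response: " + query.get("error", ["unknown"])[0])
    return query["code"][0]


def build_token_request(code: str, method: str) -> tuple[str, dict, dict]:
    """Back-channel POST to the Token Endpoint; returns (url, headers, form_body).

    method "basic": Client ID and Secret in the Authorization header (client_secret_basic).
    method "post":  Client ID and Secret as form fields in the body (client_secret_post).
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # repeated so the IdP can match it to the auth request
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "basic":
        # RFC 6749 section 2.3.1: form-urlencode each half, join with ':', base64 the pair
        creds = f"{urllib.parse.quote_plus(CLIENT_ID)}:{urllib.parse.quote_plus(CLIENT_SECRET)}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "post":
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError("unknown client authentication method: " + method)
    return TOKEN_ENDPOINT, headers, body


# Constructed User Info response, as the IdP's User Info Endpoint might return it.
SAMPLE_USERINFO = {"sub": "8f2c1a", "email": "alice@example.com", "given_name": "Alice"}


def missing_required_mappings(mappings: dict) -> list:
    """Names of required profile fields (User ID, Email) that have no mapping configured."""
    return [f for f in REQUIRED_PROFILE_FIELDS if f not in mappings]


def apply_mappings(userinfo: dict, mappings: dict) -> dict:
    """Fill profile fields from userinfo; mappings is {profile_field: idp_field_name}.

    Fields that are unmapped or absent from userinfo are left out, so the user
    sees them on the registration form; a missing User ID or Email is an error.
    """
    missing = missing_required_mappings(mappings)
    if missing:
        raise ValueError("required mappings not configured: " + ", ".join(missing))
    profile = {}
    for profile_field, idp_field in mappings.items():
        value = userinfo.get(idp_field)
        if value is None:
            if profile_field in REQUIRED_PROFILE_FIELDS:
                raise ValueError(f"userinfo has no {idp_field!r} for required field {profile_field!r}")
            continue
        profile[profile_field] = value
    return profile
```

Two points worth noticing when comparing this against a real Identity Provider: the redirect_uri is sent twice (in the authorization request and again in the token request) and must equal the registered callback both times, and the two client authentication methods carry exactly the same credentials, only in a different place, which is why picking the wrong one fails at the Token Endpoint rather than at login.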