IDP
Synkzone user accounts can be connected to an external identity provider with two options: via Generic OIDC or Swedish BankID.
Generic OIDC
Create and allow use of a Generic OIDC IDP type that uses just an issuer URL and a client identifier from the organization settings to automatically configure an IDP sign-on option.
This is implemented using IDPType=GenericOIDC with implementing IDP class GenericOIDC.
The implementation is based on OIDC 1.0 with support for OAuth 2.1.
Synkzone configuration
To configure the use of Generic OIDC for an organization, the following Synkzone Organization properties need to be configured:
IDPType=GenericOIDC
IDPName=<[IDP name to display for users]>
IDPIssuerURL=<URL for the IDP as OIDC issuer>
IDPClientId=<IDP OIDC/OAuth client identifier for the organization>
IDPUserIdClaim=<name of id token/JWT claim that contains the IDP user id that we use as external user name>
OAuthClientSecret.path=<path to file containing client secret, only use if Standard Delivery>
OAuthClientSecret=<sealed secret, only use if Enterprise Delivery>
The IDPName is optional. If not specified it will default to the host name from the IDPIssuerURL.
The IDPIssuerURL must be exactly the same as specified by the IDP.
The IDPClientId must be registered with the IDP along with the organization's OIDC redirect URLs, which are <Customer's Synkzone Web URL>/auth and https://synkzone.com/auth.
IDPUserIdClaim is optional and defaults to "sub". For some IDPs such as AzureAD, we use "oid" here instead.
When deploying on a VPS, OAuthClientSecret.path is preferably placed in /config/oauth-client-secret.
If deploying Synkzone using Enterprise Delivery, i.e. running in a cluster, this parameter should not be used.
When deploying in a cluster, OAuthClientSecret should be the reference to the sealed secret.
See instructions on secrets in cluster for more information.
IDP provider configuration
If the IDP at the specified IDPIssuerURL is OIDC capable and responds to configuration requests at <issuerURL>/.well-known/openid-configuration, all IDP configuration will be completed automatically.
If no well-known configuration exists, the IDP may still work with standard default settings.
The IDP must register <Customer's Synkzone Web URL>/auth and https://synkzone.com/auth as redirect URLs.
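As an added example (not Synkzone's own code), the defaults and checks described above modelled in Python: IDPName falling back to the issuer host name, IDPUserIdClaim defaulting to "sub" (or "oid" for AzureAD), the discovery document's issuer having to match IDPIssuerURL exactly, and the external user name being taken from the configured claim of an ID token only after issuer and audience checks. All property values, endpoints and token claims are constructed.

```python
from urllib.parse import urlparse

# Constructed organization properties, using the keys listed above.
# IDPName and IDPUserIdClaim are left out on purpose to exercise the defaults.
ORG_PROPERTIES = {
    "IDPType": "GenericOIDC",
    "IDPIssuerURL": "https://login.example-idp.test/tenant-1",
    "IDPClientId": "synkzone-org-client",
}

# Constructed discovery document, as the IDP would serve it at
# <issuerURL>/.well-known/openid-configuration (hypothetical endpoints).
DISCOVERY_DOC = {
    "issuer": "https://login.example-idp.test/tenant-1",
    "authorization_endpoint": "https://login.example-idp.test/tenant-1/authorize",
    "token_endpoint": "https://login.example-idp.test/tenant-1/token",
    "jwks_uri": "https://login.example-idp.test/tenant-1/keys",
}


def resolve_idp_settings(props, discovery):
    """Apply the defaults and checks described above to the organization properties."""
    if props.get("IDPType") != "GenericOIDC":
        raise ValueError("IDPType must be GenericOIDC")
    issuer = props["IDPIssuerURL"]
    # The issuer in the discovery document must match IDPIssuerURL exactly;
    # no trailing-slash or case normalisation is applied.
    if discovery.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r vs %r" % (discovery.get("issuer"), issuer))
    return {
        "name": props.get("IDPName") or urlparse(issuer).hostname,  # default: issuer host
        "issuer": issuer,
        "client_id": props["IDPClientId"],
        "user_id_claim": props.get("IDPUserIdClaim", "sub"),         # default: "sub"
        "authorization_endpoint": discovery["authorization_endpoint"],
        "token_endpoint": discovery["token_endpoint"],
        "jwks_uri": discovery["jwks_uri"],
    }


def external_user_name(settings, id_token_claims):
    """Pick the external user name from already signature-verified ID token claims."""
    # Standard OIDC checks before trusting any claim: issuer and audience.
    if id_token_claims.get("iss") != settings["issuer"]:
        raise ValueError("ID token issuer does not match IDPIssuerURL")
    aud = id_token_claims.get("aud")
    if settings["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("ID token audience does not include IDPClientId")
    claim = settings["user_id_claim"]
    if claim not in id_token_claims:
        raise ValueError("ID token lacks the configured IDPUserIdClaim %r" % claim)
    return id_token_claims[claim]
```

Signature verification against jwks_uri happens before these functions are called; they only cover the organization-property defaults and the issuer, audience and claim checks.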
BankID
Synkzone provides built-in support for Swedish BankID as an identity provider, implemented through the GrandID API from Svensk e-identitet.
To use the implementation, keys need to be provided from Svensk e-identitet.
Synkzone configuration
The configuration of BankID is done by setting these properties:
GrandIdAPI=https://client.grandid.com/json1.1
GrandIdAPIKey=<secret key issued by Svensk E-identitet to Synkzone or the organization>
GrandIdBankIdKey=<secret key issued by GrandId to Synkzone or the organization>
PersonalIdentificationTypes=SWEDISH_MOBILE_BANK_ID