For clients that are looking to use SSO when using Korbyt Go or Inview this article will provide all the information you need for our system to integrate with your authorization utility. For example, we are currently able to integrate with SecureAuth and AuthZero. However we are currently unable to integrate with InTune since it does not follow the Oauth2 standard flow (Outlined Below).
Authorization: This process happens while our system communicates with your authorization utility to gather the needed information to start the authentication process.
Authentication: This process happens after the authorization (flow) has been completed and provided the protected resource information is sent to the cloud (Korbyt) to start the authentication process.
To use SSO in Korbyt there are a few requirements that must be met or the authentication against Korbyt will fail.
Your authorization utility must provide the Discovery Document.
- The Discovery Document provides the route information for Inview or Korbyt Go. The route information is the location of all of the resource servers needed to complete the authorization process.
Once the authorization flow has completed the resource server must return the following information in the protected resource information. First Name, Last Name, Username, Email Address.
- If this information is not returned your Authentication against the Korbyt cloud will fail and result in errors.
Your authorization utility must follow the Oauth2 standard flow (Outlined Below). If it does not our system currently can not integrate with it.
OAuth2 (Standard Flow)
The application in this flow chart is Korbyt Go or Inview. The first step in this flow to start is for Korbyt Go or Inview to recover the discovery document from your authorization client. This will provide the path to all of the locations above. (Resource Owner server) (Authorization Server) (Resource Server). For this example we will say you are using SecureAuth to complete the authorization process.
1. Inview/Korbyt Go –> Authorization Request –> (Resource Owner Server)
- This is the first request to the first server once the discovery document information has been provided. Once this request has been sent the Resource Owner server will reply with the Authorization grant.
2. Inview/Korbyt Go <– Authorization Grant <– (Resource Owner Server)
- This prompts you with the user information form. You will be required to fill out the form so that this information can be passed to the Authorization Server.
3. Inview/Korbyt Go –> Authorization Grant –> (Authorization Server)
- This is when the Authorization grant form (filled out) is then transmitted to the Authorization Server. If the form information is correct you will be provided an access token.
4. Inview/Korbyt Go <– Access Token <– (Authorization Server)
- The access token generated by the Authorization Server server once the form information has been validated.
5. Inview/Korbyt Go –> Access Token –> (Resource Server)
- The resource server verifies the access token provided. Once validated will provide the protected resource information.
6. Inview/Korbyt Go <– Protected Resource <– (Resource Server)
- Once the access token has been validated by the resource server the protected resource will be be sent back to Inview or Korbyt Go. The protected resource must contain the First Name, Last Name, Username, and Email Address. This will start the authentication process against the korbyt cloud.