FISCAL Technologies

OpenID Connect


OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework. FISCAL can integrate with any identity provider that supports the OpenID Connect protocol.


Register a client application for FISCAL with your OpenID Connect provider

To allow users to sign in to FISCAL with an OIDC provider, you must first register a client application with your provider. The process for doing this varies depending on the OIDC provider, so you should refer to your provider's documentation for more information.

When registering your client application you will need to:

  • Add "https://login.fiscaltec.com/login/callback" as a permitted callback URL. 
  • Make note of the client ID of the client application (this will be needed in future steps). 
  • Generate a client secret if you are using Back Channel communication (response_type=code).

Configure OpenID Connect in FISCAL

  1. Log into FISCAL and navigate to the Authentication settings page within Customer Settings > Organisation Settings.

  2. Enter the Client ID of the client application registered in your identity provider.
  3. Enter the URL to the well-known OpenID Connect discovery endpoint for your OpenID Connect provider, usually available at the /.well-known/openid-configuration endpoint. 
    • Refer to your OIDC provider's documentation for more information.
  4. Choose between Front Channel (response_mode=form_post and response_type=id_token) or Back Channel (response_type=code) communication. 
    • When selecting Back Channel enter the client secret generated when registering the client application.
  5. Click the Save button.


Logging in using OpenID Connect

Once the OIDC settings have been saved, the option to log in using your identity provider will show as a button labelled "Continue with mycustomer" on the login page (where mycustomer is the name of your FISCAL site).

Once you have tested the SSO integration, email and password login can be disabled on the Single Sign On Management Settings page to ensure that users must use SSO to access FISCAL.

 

 


FAQs

Q. What OIDC Flow is used? 

A. FISCAL can be configured to use either implicit flow (response_type=id_token) by selecting Front Channel communication, or authorization code flow (response_type=code) by choosing Back Channel communication.

Q. What Scopes are requested?

A. The openid, profile, and email scopes are requested.

Q. What Claims are required?

A. FISCAL requires the sub, email and name claims to be populated.
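A pre-flight check of a provider's discovery document against the response types, scopes and claims listed above, as an added example that is not FISCAL's own code. The function name, the constructed sample document and the idp.example.com provider are assumptions; the metadata field names come from the OpenID Connect Discovery specification.

```python
# Added example (hypothetical names): check an OIDC discovery document.
REQUIRED = {
    "front": {"response_type": "id_token", "response_mode": "form_post"},
    "back": {"response_type": "code", "response_mode": None},
}
SCOPES = {"openid", "profile", "email"}   # scopes FISCAL requests
CLAIMS = {"sub", "email", "name"}         # claims FISCAL requires
WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery(doc, discovery_url, channel):
    """Return a list of findings; an empty list means no problem was detected."""
    need, findings = REQUIRED[channel], []
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        findings.append("issuer is missing or not https")
    # OIDC Discovery: the issuer in the document must match the URL it came from.
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        findings.append("issuer does not match the discovery URL")
    if need["response_type"] not in doc.get("response_types_supported", []):
        findings.append(f"response_type={need['response_type']} not supported")
    # When omitted, response_modes_supported defaults to query and fragment.
    modes = doc.get("response_modes_supported", ["query", "fragment"])
    if need["response_mode"] and need["response_mode"] not in modes:
        findings.append(f"response_mode={need['response_mode']} not supported")
    if channel == "back" and "token_endpoint" not in doc:
        findings.append("token_endpoint missing (needed for the code exchange)")
    if "jwks_uri" not in doc:
        findings.append("jwks_uri missing (needed to verify ID token signatures)")
    # Optional metadata: flag a gap only when the provider publishes the list.
    for key, wanted in (("scopes_supported", SCOPES), ("claims_supported", CLAIMS)):
        if key in doc and wanted - set(doc[key]):
            findings.append(f"{key} lacks {sorted(wanted - set(doc[key]))}")
    return findings


# Constructed sample document (idp.example.com is a placeholder provider).
SAMPLE_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email"],
    "claims_supported": ["sub", "email", "name"],
}

if __name__ == "__main__":
    print({c: check_discovery(SAMPLE_DOC, SAMPLE_URL, c) for c in REQUIRED})
```

A provider that omits scopes_supported or claims_supported produces no finding for those lists, so a first test login is still needed to confirm that sub, email and name are populated.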


Troubleshooting

The email address is not in the allowed domains for this connection.

This happens if the user logging in has an email domain (e.g. @example.com) that is not in the list of permitted domains for your customer. Contact customer support or your CSM to authorize additional email domains.