Self-Service Portal – Third-party authentication

General

For the login in the Self-Service Portal, CRM-service provides third-party authentication via OpenID Connect. OpenID Connect is a modern authentication protocol that allows users to securely log in to various services using third-party authentication solutions. Different providers offer different types of logins from email-password combination to BankID.

The deployment of third-party authentication services requires the user to be familiar with the configuration settings of the third-party authentication solution they are using. The CRM-service also provides its own configuration for the Telia authentication service, which also allows authentication with Swedish BankID. If you are interested in this service or need help configuring a third-party authentication solution, please contact CRM-service’s customer service.

Start

Configuring third-party login services is done from the Self-Service Portal settings under Third-party authentication. If no third-party login services are configured, only the New button will be visible. Each login service has its own box inside the settings, where the name, status and settings of the login service are managed (see image below). If you want to disable a login service instead of removing it completely, you can do this by clicking on the Delete button.

Settings

The settings define the configuration of the third-party login service and which contact field the login is matched against. Most of the required values are published by the provider in its OpenID Connect discovery document, which is usually available online at {your provider url here}/.well-known/openid-configuration. The configuration contains the following fields:

Strategy – Select the OpenID Connect strategy to use. This defines how connections and logins are managed. Depending on the use case and security requirements, the lowest level of connection is established via the provider’s authentication site and the highest level uses private encrypted keys (JWT Encrypted).

CRM UID field – A field in the Contacts module that is used to retrieve the logged-in user by comparing the contents of this field with the corresponding field in the login service. The UID field is intended for a Unique Identifier, i.e. the selected field must contain information that is not repeated across contacts. Typical UID fields include email and social security number.

Provider UID field – A field in the login service whose value is compared with the CRM UID field to identify the contact. The claims a provider can return are listed in its configuration under claims_supported.

PKCE – PKCE, or Proof Key for Code Exchange, is an additional security mechanism that protects the login against authorization code interception attacks: the client proves at the token endpoint that it is the same party that started the authorization request, so an intercepted code alone cannot be exchanged for tokens.
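The mechanism PKCE adds, as an added illustration that is not part of the portal's own code: the client derives a one-time challenge from a secret verifier, the provider stores the challenge with the authorization request, and at the token endpoint only the party holding the verifier can redeem the code. The function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier(nbytes=32):
    """Random code_verifier; 32 bytes -> 43 base64url chars, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (method S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def provider_verifies(stored_challenge, presented_verifier):
    """What the token endpoint does: recompute the challenge from the verifier that
    arrives with the authorization code and compare it with the challenge stored
    from the authorization request (constant-time compare)."""
    return hmac.compare_digest(stored_challenge, s256_challenge(presented_verifier))


def pkce_roundtrip():
    """Simulate one login: returns (legitimate client accepted, code-only party accepted)."""
    verifier = make_verifier()                 # kept secret in the client session
    challenge = s256_challenge(verifier)       # sent with the /authorize request
    ok = provider_verifies(challenge, verifier)
    # A party that only captured the redirect (code + challenge) has no verifier,
    # so whatever it presents at the token endpoint will not match.
    stolen = provider_verifies(challenge, make_verifier())
    return ok, stolen
```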

Discovery – Discovery is a setting supported by many providers that lets the portal retrieve part of the configuration automatically from the provider's discovery document instead of it being filled in manually.

Issuer – The issuer URL listed in the configuration of a third-party service provider.

Scope – The scopes requested from the provider, which determine what user information the portal is given access to. The supported scopes are listed in the third-party configuration (scopes_supported).

Identifier – This is the client identifier assigned to your application by your third-party service provider.

Secret – The client secret that your third-party service provider has issued to your application.

Host – URL of the third-party service without the https:// part (not filled in if Discovery is enabled).

Authorization Endpoint – This can be found in the configuration of your third-party provider under authorization_endpoint (not filled in if Discovery is enabled). This is the endpoint the user is redirected to in order to authenticate.

Token Endpoint – This can be found in the third-party provider’s configuration under token_endpoint (not filled in if Discovery is enabled). This endpoint is used to obtain an access token after the user has successfully logged in at the third-party service.

User info endpoint – This can be found in the third-party provider’s configuration under userinfo_endpoint (not filled in if Discovery is enabled). It is used to retrieve additional information about the user with the access token.

jwks_uri – This can be found in the third-party provider’s configuration under jwks_uri (not filled in if Discovery is enabled). The provider’s public signing keys, used to verify the tokens it issues, are fetched from here.

redirect_uri – this field is automatically filled in by the system, but you will need to register the address here with the third-party provider according to the provider’s own instructions in order to redirect the user to the correct location after login.

Note! When changes are made to the Strategy field, the redirect_uri will change according to the settings provided.

When the settings are complete, first press OK to close the settings window and then Save to save the settings you have entered to the portal. Simply pressing OK will not save the settings!
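To see how the settings above map onto a provider's discovery document, here is an added example (not part of the portal or of any provider's code) that reads a constructed openid-configuration document, derives the Issuer, Host, endpoint and jwks_uri values, and refuses the configuration when the issuer does not match the document's own URL, an endpoint is not https, the chosen Provider UID field is not a supported claim, a requested scope is not supported, or PKCE S256 is not advertised. The function and constant names are assumptions for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a {provider}/.well-known/openid-configuration response;
# not the document of any real provider.
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
  "token_endpoint": "https://idp.example.test/oauth2/token",
  "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
  "jwks_uri": "https://idp.example.test/oauth2/jwks",
  "scopes_supported": ["openid", "profile", "email"],
  "claims_supported": ["sub", "email", "name"],
  "code_challenge_methods_supported": ["S256"]
}"""

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def portal_settings(doc_url, doc_text, provider_uid_field, scope):
    """Map a discovery document onto the portal's settings; returns (settings or None, problems)."""
    doc = json.loads(doc_text)
    problems = []
    # OIDC Discovery requires issuer == the URL the document was fetched from, minus the
    # well-known suffix. A mismatch points at a misconfigured or impersonated provider.
    if doc.get("issuer", "").rstrip("/") != doc_url.removesuffix(WELL_KNOWN).rstrip("/"):
        problems.append("issuer does not match the discovery URL")
    for key in ENDPOINT_KEYS:  # every endpoint the portal will call must be https
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # The Provider UID field must be a claim the provider actually returns.
    if provider_uid_field not in doc.get("claims_supported", []):
        problems.append(f"claim '{provider_uid_field}' is not in claims_supported")
    missing = set(scope.split()) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("unsupported scopes: " + " ".join(sorted(missing)))
    # RFC 8414: if code_challenge_methods_supported is omitted, PKCE is not supported.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("provider does not advertise PKCE S256")
    if problems:
        return None, problems
    settings = {"Issuer": doc["issuer"], "Host": urlparse(doc["issuer"]).netloc,
                "Provider UID field": provider_uid_field, "Scope": scope}
    settings.update({key: doc[key] for key in ENDPOINT_KEYS})
    return settings, problems
```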

Handling Social Security Numbers

Some providers send information in a format that does not suit the other uses of that information in the system. For example, Telia BankID returns the social security number in the format SE/FI/YYYYMMDDXXXX, which does not correspond to the normal formatting of a social security number. To handle this, a dedicated custom field (cf_telia) can be configured as the CRM UID field. It takes its value from the social security number field (or whichever field holds the social security number in your system) using the following formula:

{if $social_security_number}{assign var=soseno value=$social_security_number|regex_replace:"/[^a-zA-Z0-9]/":""}FI/SE{$soseno}{else}{$cf_telia}{/if}

The var value can be any custom name you choose for the variable; in the example we used a shortened form of "social security number" (soseno).

Note: For automated data treatment purposes, the date format of the social security number in the system must be in the YYYYMMDD format instead of YYMMDD.
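The formula and the note above, reproduced as an added Python example (not part of the portal, and the prefix is written exactly as it appears in the formula): strip everything but letters and digits, prefix the result, fall back to the stored cf_telia value when no number is present, and then check that the number part begins with a real YYYYMMDD date, which a YYMMDD number fails. The contact records are constructed and the function names are assumptions for this example.

```python
import re
from datetime import date

# Constructed contact records, not real data: a full YYYYMMDD number, a contact with
# no number (falls back to the stored cf_telia value) and a short YYMMDD number.
CONTACTS = [
    {"social_security_number": "19850612-1234", "cf_telia": ""},
    {"social_security_number": "", "cf_telia": "FI/SE197001011234"},
    {"social_security_number": "850612-1234", "cf_telia": ""},
]


def telia_uid(contact):
    """Python equivalent of the Smarty formula, with the prefix written as it appears there."""
    ssn = contact.get("social_security_number") or ""
    if ssn:
        soseno = re.sub(r"[^a-zA-Z0-9]", "", ssn)  # regex_replace: keep letters and digits only
        return "FI/SE" + soseno
    return contact.get("cf_telia") or ""


def has_full_date(uid):
    """The note's requirement: the number part must start with a real 8-digit YYYYMMDD date."""
    m = re.search(r"(\d{8})[A-Za-z0-9]{4}$", uid)
    if not m:
        return False
    y, mo, d = int(m.group(1)[:4]), int(m.group(1)[4:6]), int(m.group(1)[6:])
    try:
        date(y, mo, d)
    except ValueError:
        return False
    return True


def check_contacts(contacts):
    """Return each contact's UID together with whether it meets the date requirement."""
    return [(telia_uid(c), has_full_date(telia_uid(c))) for c in contacts]
```

Contacts whose UID fails the check would not be matched reliably by the login service and should have their social security number stored in the YYYYMMDD form before the field is used as the CRM UID field.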
