Keywords: openid idp initiated
It's possible to configure IdP-initiated SSO with Spotfire Server. This means a user does not need to click a button to sign on with their OpenID provider (that button is what users see when OpenID is not the primary authentication method).
Instead, a user can open a special URL that calls a specified OpenID provider and signs the user in to Spotfire directly.
To implement this, follow these steps:
1) Start the Spotfire config tool and look at the OpenID configuration.
2) Enable Third Party Login Initiation.
3) Make a note of the Third Party Login Initiation Endpoint.
4) In your OpenID provider's configuration, add the same URL to the Initiate Login URL field for your Spotfire application. This field is sometimes called Third Party Initiator Endpoint.
5) To use this URL you must pass the provider's iss (issuer) value as an HTTP query parameter.
For example the Third Party Login Initiation Endpoint will look something like:
https://spotfire.example.com/spotfire/auth/oidc/v1/initiate
Append the iss (issuer) value to this URL as an HTTP query parameter; this tells Spotfire which provider to authenticate with:
https://spotfire.example.com/spotfire/auth/oidc/v1/initiate?iss=http://dev27373.okta.com
If you are not sure what your issuer URL is, consult your OpenID provider's documentation. If you still cannot find it, enable claims logging; the iss claim of the provider's tokens will then appear in the log.
When the final URL is opened in a browser, the RP (Spotfire Server) triggers a login at the chosen OpenID provider and then logs the user in to Spotfire.
This could be useful, for example, for building an app portal with your OpenID provider.
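The following is an added example, not Spotfire's own code or anything from the page's author: it builds the initiation URL from steps 3 to 5 and models the check an RP performs on the other side, which is what makes third-party initiated login safe to expose. The endpoint and the Okta issuer are the ones from the article; the second issuer, the provider names and the target_link_uri values are constructed for the example. The iss parameter is the issuer identifier that also appears in the provider's discovery document, and OpenID Connect Core requires the RP to accept only registered issuers and to validate any target_link_uri before redirecting to it.

```python
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, parse_qs

# The RP's Third Party Login Initiation Endpoint (from the article).
INITIATE_ENDPOINT = "https://spotfire.example.com/spotfire/auth/oidc/v1/initiate"

# Issuers of the OpenID providers registered with the RP. The Okta issuer is
# the one shown in the article; the second entry is constructed for this example.
REGISTERED_ISSUERS = {
    "http://dev27373.okta.com": "okta",
    "https://login.example.org/realms/corp": "keycloak",  # constructed
}


def build_initiate_url(issuer: str, target_link_uri: Optional[str] = None) -> str:
    """Build the link an app portal would use to start IdP-initiated login.

    urlencode() percent-encodes the issuer so the ':' and '/' characters in it
    do not break the query string.
    """
    params = {"iss": issuer}
    if target_link_uri:
        # Optional OIDC parameter: where the RP should send the user afterwards.
        params["target_link_uri"] = target_link_uri
    return f"{INITIATE_ENDPOINT}?{urlencode(params)}"


def check_initiation_request(request_url: str) -> Tuple[bool, str]:
    """RP-side validation of an incoming initiation request.

    Returns (True, provider_name) when the request is acceptable, otherwise
    (False, reason). Only issuers configured on the RP are accepted, and a
    target_link_uri must point back to this RP over HTTPS so the endpoint
    cannot be used as an open redirector.
    """
    query = parse_qs(urlsplit(request_url).query)

    iss_values = query.get("iss", [])
    if len(iss_values) != 1:
        return False, "exactly one iss parameter is required"
    issuer = iss_values[0]
    if issuer not in REGISTERED_ISSUERS:
        return False, f"unknown issuer: {issuer}"

    target = query.get("target_link_uri", [None])[0]
    if target is not None:
        rp_host = urlsplit(INITIATE_ENDPOINT).netloc
        parsed_target = urlsplit(target)
        if parsed_target.scheme != "https" or parsed_target.netloc != rp_host:
            return False, "target_link_uri must point back to this RP over https"

    return True, REGISTERED_ISSUERS[issuer]


if __name__ == "__main__":
    link = build_initiate_url("http://dev27373.okta.com")
    print(link)
    print(check_initiation_request(link))
    print(check_initiation_request(INITIATE_ENDPOINT + "?iss=https://unknown.example.net"))
```

The accept/reject split mirrors what a deployment should expect: a portal link that carries a registered issuer is resolved to a provider, while a request naming an issuer that was never configured in the Spotfire OpenID settings is refused before any redirect happens.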