External provider
A Bracken site can be configured to use one or more external identity providers.
User experience
- The user accesses the login page by navigating to https://<client>.bracken.cloud.
- The configured providers appear as login options. The user chooses Continue with Provider.
- The user is taken to the external provider's login page.
  - If the user is already signed in there, this step is automatic.
- The user is taken back to the Bracken Portal.
A Bracken user account is created when the user first logs in via the external provider (“autoprovisioned”).
Identity provider
The external identity provider provides an authorization and authentication service that conforms to either the OpenID Connect or the OAuth2 standard. The service must supply at least a first name, last name, and email address for the user.
Required information
The partner will need to provide the following information to Bracken to configure the integration:
OpenID Connect | OAuth2 |
---|---|
Client ID | Client ID |
Client secret | Client secret |
Authority | Authorization endpoint |
 | Token endpoint |
 | User information endpoint |
 | JWKS key sets endpoint |
Configuration settings
The partner auth service should be configured with these settings:
Property | Value |
---|---|
Grant type | Authorization Code Flow with PKCE |
Allowed scopes | OpenID, Profile, Email |
Redirect URI (production) | https://identity.brackenlearning.com/signin-<scheme> |
Redirect URI
The integration in Bracken will be assigned a scheme that will need to be registered as a redirect URI in the partner auth service.
As an example, tenant demo may have an oidc scheme, whose redirect URI would be https://identity.brackenlearning.com/signin-demo-oidc.
For development purposes, we may ask the partner auth service to temporarily add an https://localhost redirect URI. We do not recommend adding this URI to a production configuration.
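The settings above (Authorization Code Flow with PKCE, the openid/profile/email scopes, and a fixed signin-<scheme> redirect URI) are illustrated below in an added example that is not part of Bracken's documentation or code. It builds the redirect URI for a tenant and scheme, generates and verifies an S256 PKCE pair the way a client and a token endpoint would, assembles the authorization request, and shows the exact-match redirect URI check that keeps a temporary https://localhost entry from being accepted once it is removed from the registered set. The authorization endpoint, client ID and state value are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Host of the Bracken identity service, taken from the Redirect URI section.
IDENTITY_HOST = "https://identity.brackenlearning.com"


def redirect_uri(tenant: str, scheme: str) -> str:
    """Build the signin-<tenant>-<scheme> redirect URI for one integration."""
    return f"{IDENTITY_HOST}/signin-{tenant}-{scheme}"


def pkce_challenge(verifier: str) -> str:
    """S256 method (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a random 43-character code_verifier and its code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Token endpoint side: the presented verifier must hash to the stored challenge."""
    return secrets.compare_digest(pkce_challenge(verifier), challenge)


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect: str, state: str, challenge: str) -> str:
    """Authorization request carrying the scopes and PKCE parameters from the settings table."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def is_registered_redirect(candidate: str, registered: frozenset[str]) -> bool:
    """Partner auth service side: accept only an exact match against registered URIs.

    No prefix, wildcard or path-normalisation matching, so a stray https://localhost
    or a path-traversal variant is rejected once it is absent from the set.
    """
    return candidate in registered


if __name__ == "__main__":
    # Constructed values for a stand-alone run; the partner's real endpoint differs.
    verifier, challenge = make_pkce_pair()
    production = frozenset({redirect_uri("demo", "oidc")})
    print(build_authorization_url("https://idp.example/authorize", "client-123",
                                  redirect_uri("demo", "oidc"), "state-abc", challenge))
    print("verifier accepted:", verify_pkce(verifier, challenge))
    print("localhost allowed in production:", is_registered_redirect("https://localhost", production))
```

The client keeps the code_verifier private until the token exchange, so an authorization code captured in transit is useless without it; the token endpoint recomputes the challenge rather than comparing stored secrets.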
Claims
The partner auth service should provide the following claims:
Type | Value |
---|---|
sub | Unique identifier in the partner service |
given_name | The user’s first or given name |
family_name | The user’s last or family name |
email | The user’s email, which may receive system notifications |
multicode | Optional claim to join the user to groups in Bracken |
Multicodes
The Bracken administrator interface can be used to generate multicodes. Supplying a (non-standard) multicode claim in the access token allows the partner system to automatically join users to the corresponding Bracken groups.
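As an added example that is not part of Bracken's documentation or code, the following shows how the claims listed above might be consumed on the Bracken side: the required claims are checked, the account is autoprovisioned on first login and keyed on the stable sub value rather than the email address, and the optional multicode claim is resolved to group memberships. The claim values and the multicode-to-group mapping are constructed for the example; real mappings come from the Bracken administrator interface.

```python
from dataclasses import dataclass, field
from typing import Any

# Claim names the partner auth service must supply (from the Claims table).
REQUIRED_CLAIMS = ("sub", "given_name", "family_name", "email")

# Constructed mapping of multicodes to Bracken group names (hypothetical values).
KNOWN_MULTICODES = {"MC-ALPHA": "Alpha cohort", "MC-BETA": "Beta cohort"}

# Constructed token claims, as the partner service might send them.
SAMPLE_CLAIMS = {
    "sub": "partner-user-42",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "ada@example.org",
    "multicode": "MC-ALPHA MC-UNKNOWN",
}


class ClaimError(ValueError):
    """Raised when the token lacks a claim Bracken needs to create the account."""


@dataclass
class BrackenUser:
    external_id: str            # the partner's sub, the stable identity key
    first_name: str
    last_name: str
    email: str
    groups: list[str] = field(default_factory=list)


def validate_claims(claims: dict[str, Any]) -> dict[str, str]:
    """Return the required claims as stripped strings, or raise if any is missing or blank."""
    missing = [c for c in REQUIRED_CLAIMS if not str(claims.get(c) or "").strip()]
    if missing:
        raise ClaimError("missing required claim(s): " + ", ".join(missing))
    return {c: str(claims[c]).strip() for c in REQUIRED_CLAIMS}


def parse_multicodes(claims: dict[str, Any]) -> list[str]:
    """The optional multicode claim may be a list or a space-separated string."""
    raw = claims.get("multicode")
    if raw is None:
        return []
    values = raw if isinstance(raw, list) else str(raw).split()
    return [str(v).strip() for v in values if str(v).strip()]


def resolve_groups(codes: list[str], known: dict[str, str]) -> tuple[list[str], list[str]]:
    """Split codes into resolved group names and codes Bracken does not know."""
    resolved = [known[c] for c in codes if c in known]
    unknown = [c for c in codes if c not in known]
    return resolved, unknown


def autoprovision(directory: dict[str, BrackenUser], claims: dict[str, Any],
                  known: dict[str, str] = KNOWN_MULTICODES) -> tuple[BrackenUser, bool]:
    """Create the account on first login; later logins reuse it and add any new groups."""
    c = validate_claims(claims)
    groups, _unknown = resolve_groups(parse_multicodes(claims), known)
    user = directory.get(c["sub"])
    created = user is None
    if user is None:
        user = BrackenUser(c["sub"], c["given_name"], c["family_name"], c["email"])
        directory[c["sub"]] = user
    for g in groups:
        if g not in user.groups:
            user.groups.append(g)
    return user, created


if __name__ == "__main__":
    store: dict[str, BrackenUser] = {}
    user, created = autoprovision(store, SAMPLE_CLAIMS)
    print("created:", created, user)
    print("unknown multicodes:", resolve_groups(parse_multicodes(SAMPLE_CLAIMS), KNOWN_MULTICODES)[1])
```

Keying on sub matters because an email address can change or be reassigned at the partner, while sub is the identifier the partner guarantees unique; unknown multicodes are reported rather than silently creating groups.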