External provider
A Bracken site can be configured to use one or more external identity providers.
User experience
- The user accesses the login page by navigating to https://<client>.bracken.cloud.
- The configured providers appear as login options. The user would choose to Continue with Provider.
- The user is taken to the external provider login page.
- If the user is already signed in, this step is automatic.
- The user is taken back to the Bracken Portal.
A Bracken user account is created when the user first logs in via the external provider (“autoprovisioned”).
Identity provider
The external identity provider supplies an authorization and authentication service that conforms to either the OpenID Connect or OAuth2 standard. The service must provide at least the user's first name, last name, and email.
Required information
The partner will need to provide the following information to Bracken to configure the integration:
OpenID Connect | OAuth2 |
---|---|
Client ID | Client ID |
Client secret | Client secret |
Authority | Authorization endpoint |
 | Token endpoint |
 | User information endpoint |
 | JWKS key sets endpoint |
Configuration settings
The partner auth service should be configured with these settings:
Property | Value |
---|---|
Grant type | Authorization Code Flow with PKCE |
Allowed scopes | OpenID, Profile, Email |
Redirect URI (production) | https://identity.brackenlearning.com/signin-<scheme> |
Redirect URI
The integration in Bracken will be assigned a scheme, which must be registered as a redirect URI in the partner auth service.
As an example, tenant demo may have an oidc scheme, whose redirect URI would be https://identity.brackenlearning.com/signin-demo-oidc.
For development purposes, we may ask the partner auth service to temporarily add an https://localhost redirect URI. We do not recommend adding this URI to a production configuration.
Claims
The partner auth service should provide the following claims:
Type | Value |
---|---|
sub | Unique identifier in the partner service |
given_name | The user's first name |
family_name | The user's last or family name |
email | The user’s email, which may receive system notifications |
multicode | Optional claim to join the user to groups in Bracken |
Multicodes
The Bracken administrator interface can be used to generate multicodes. Supplying a (non-standard) multicode claim in the access token allows the partner system to automatically join users to the corresponding Bracken groups.
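The Authorization Code with PKCE request, the signin-<tenant>-<scheme> redirect URI and the claim checks described in the sections above, as an added Python example (not Bracken's own code). The function names, the S256 PKCE method, the sample endpoint and the handling of multicode as either a single string or a list are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

IDENTITY_HOST = "https://identity.brackenlearning.com"
REQUIRED_CLAIMS = ("sub", "given_name", "family_name", "email")


def redirect_uri(tenant: str, scheme: str) -> str:
    """Redirect URI the partner must register: /signin-<tenant>-<scheme>."""
    return f"{IDENTITY_HOST}/signin-{tenant}-{scheme}"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh high-entropy code_verifier; generate one per authorization request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorize_url(authorization_endpoint: str, client_id: str, tenant: str,
                  scheme: str, verifier: str, state: str) -> str:
    """Authorization Code + PKCE request carrying the scopes the page lists."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri(tenant, scheme),
        "scope": "openid profile email",
        "state": state,  # binds the callback to this browser session
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def autoprovision_record(claims: dict) -> dict:
    """Reject tokens missing a required claim; normalise the optional multicode claim."""
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    raw = claims.get("multicode", [])
    # Assumption: the claim may arrive as one code or as a list of codes.
    multicodes = [raw] if isinstance(raw, str) else list(raw)
    return {"external_id": claims["sub"], "first_name": claims["given_name"],
            "last_name": claims["family_name"], "email": claims["email"],
            "multicodes": multicodes}
```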