Hoop implements the Oauth2 protocol + OIDC. The signature of tokens are validated with JWKS or using the userinfo endpoint provided by the identity provider.
Users are active
and assigned to the default
organization when they signup. A user could be set to an inactive
state preventing it from accessing the platform, however it’s recommended to manage the state of users in the identity provider.
sub
claim is used as the main identifier of the user in the platform.email
and name
.When a user authenticates for the first time, it performs an automatic signup that persist the profile claims along with it’s unique identifier.
When organization multi tenant is enabled, the name of the organization is derived from the domain, example: - [email protected], org=google
Administrators need to invite and approve users to start interacting with hoop. This mode is available only for our SaaS instance (https://use.hoop.dev)
Groups allows defining who may access or interact with certain resources.
connection
resources it’s possible to define which groups has access to a specific connection, this is enforced when the access control plugin is enabled.review
resources it’s possible to define which groups are allowed to approve an execution, this is enforced when the review plugin is enabled.This information is derived from the id_token custom claim https://app.hoop.dev/groups
, that allows mapping group attributes. When a user performs a login it syncs the groups contained in this claim if it’s available.
<aside> 💡 For our SaaS instance (https://use.hoop.dev) users needs to manage groups manually in the webapp dashboard
</aside>
admin
group is a special profile that grants full access to all resources.This profile is recommended for administrators that are responsible to configure the platform for end users. All other users are regular, meaning that they can access their own resources and interacting with connections.
Collect this information from your IDP for setting up SSO
ENVIRONMENT | REQUIRED | DESCRIPTION |
---|---|---|
API_URL | yes | API URL address |
IDP_ISSUER | yes | https://openid.net/connect/ issuer name url. Adding the query string _userinfo=1 will force the gateway to validate the access token using the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo |
IDP_CLIENT_ID | yes | https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ |
IDP_CLIENT_SECRET | yes | https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ |
IDP_AUDIENCE | no | Oauth2 audience |
IDP_CUSTOM_SCOPES | Azure only | Comma separated custom Oauth2 scopes |