The interworks.cloud platform can be integrated with external authentication services, providing registration/login capabilities for BSS users who become authenticated through a service or external Identity Providers(IdPs). Such services can be used to identify users maintained in external user stores and map them to BSS/Storefront users providing access to the interworks.cloud platform when logged in (authenticated) from these external sources.

Understanding the External Authentication

To have a better understanding of the external authentication process, please check the three following definitions, as well as the "External Authentication Example" that follows.

• External authentication is the use of third-party authentication sources, such as identity providers, to decide whether a user should be allowed access to a system, as well as what level of access an authenticated user enjoys on a system. 
  
  
• Identity provider (IdP or IDP) is a system entity that creates, maintains, and manages identity information while providing authentication services to relying applications within distributed networks. Identity providers offer user authentication as a service and the relying party applications, such as web applications, outsource the user authentication step to them. An identity provider is also considered a trusted provider that lets you use single sign-on (SSO) to access other websites and in general, it can facilitate connections between cloud computing resources and users, thus decreasing the need for users to re-authenticate.
  
  
• Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential "attack surface". SSO can be used by enterprises, smaller organizations, and individuals to ease the management of various usernames and passwords.
  

External Authentication Example

When a user requests to log-in to a web application (BSS) he has the choice of logging into our BSS with an external authentication service. When the preferred external authentication service is chosen, the user is being redirected to the login page of the authentication service to enter his corresponding credentials. Upon successful authentication, the external service redirects the user back to the original web application along with some necessary information about the user. As a result, the web application utilizes those information to verify the successful authentication of the user by the external authentication service and at the same time gather more information to associate him to a BSS/Storefront user, if he is already registered on BSS/Storefront, or prompt him to register an account with the acquired information from the external authentication service.

Enterprise Identity Providers

The Enterprise IdPs are utilized in recent years by (B2B) organizations and offer the best security possible. Since they are more oriented towards providing authentication services to organizations, they have become the preferred choice by many enterprises when it comes to managing and keeping secure corporate usernames and passwords.

External Authentication Administration

The process of external authentication mandates that both involved systems(external IdP and our BSS) must be manually configured to communicate with each other over a "trust-link", since this "trust-link" relation is not automatically created. Therefore, you can begin configuring and enabling the external authentication features for BSS, by following the guide below:

Go to: BSS Setup > Administration > System Options

Click on the "BSS Login Settings" link, located under the User Authentication section of the page.

By clicking on “BSS Login Settings” you land on the following page.

Here you can perform the following actions:

• You can setup your BSS Login Page alias: This alias is essentially the part of the "Client ID" section found on top of the local login credentials of BSS. Therefore, this alias will be used to create the URL for the BSS login page when an external authentication provider is available. The alias URL will redirect to a login page where the Client ID section will no longer be visible (in the form of: "https://<Original BSS url>/<alias>/Login.aspx") and both the local login option and the external authentication sections with the available IdP’s Instance name will be displayed.

• You can choose which Identity Provider you wish to setup and enable from the list of Enterprise IdPs that appears.

For configuring and enabling any of the following Enterprise Identity Providers please continue to the corresponding guide from the bullet list that follows:

• auth0 guide → auth0 (OIDC) for BSS
• Azure AD guide →  Azure AD (OIDC) for BSS
• Azure AD B2C guide → Azure AD B2C (OIDC) for BSS
• Token-Based SSO guide → Token-Based SSO for BSS
• Okta guide → Okta (OIDC) for BSS
  
  

External Authentication on BSS

After enabling your preferred identity provider,  you will be able to use it as an alternative means to log in to BSS.

You can choose your identity provider from the list named "External Authentication" and by doing so, you are being redirected to the login page of the external authentication service to enter your personal credentials per the chosen IdP, instead of your local BSS credentials.

The two following images are examples of how the External Authentication list looks like on the BSS's login/sign-in page.

Monitoring the Enabled Login Options of your BSS Users

A new column named "Login Options" is added to the Users List in BSS Setup > Administration > Users, which contains the Login Options that each user has activated.

Managing Local & External Login Accounts via BSS

You can manage your active External Authentication Provider accounts as well as your active Local Login account by following the guidelines of the Managing External & Internal Login Accounts in BSS page.