OAuth 2.0 is an authorization framework that lets a third-party application such as Freshworks obtain limited access to an HTTP service. It can do so on behalf of a resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service, or it can obtain access on its own behalf. In the SSO setup described here the first mode is used: your identity provider (IdP) is the HTTP service, and Freshworks is the third-party application that requests an authorization code, exchanges it for an access token, and uses that token to fetch the signed-in user's identity.
To learn more about SSO, refer to the articles below.
- SSO Overview
- Implement Single Sign-On for Freshworks
- How is the authentication data securely exchanged between IdP and SP
- Terms and definitions to understand SSO better
- Agent SSO and Contact SSO for an Organization
How OAuth 2.0 works
1. If the user is not already signed in, Freshworks redirects the browser to your Authorization URL, requesting an authorization code.
2. After the user authenticates at the IdP, your authorization server redirects the browser back to the Freshworks Redirect URL carrying the authorization code, which Freshworks receives.
3. Freshworks makes a server-to-server request to your Access token URL, exchanging the code it obtained for an access token.
4. Your authorization server returns an access token to Freshworks.
5. Freshworks then makes a request to your User info URL, presenting the access token it obtained.
6. Your server returns the user's information in JSON format; it must include the sub and email claims (see the notes at the end of the configuration steps).
Step-by-step process on how to configure SSO with OAuth 2.0
- Log in using your organization URL. Click on the 'Security' icon in the sidebar.
- Under Security > Agents & Employees > Default Login Methods, you can enable SSO to simplify your users' login experience. Default login methods apply to all users in the organization, including admins and agents. If you want to create specific policies for a particular account or portal, configure them under Custom Policies. For contacts, configure any security policies under Security > Contacts.
- Choose OAuth 2.0 as your login protocol and the IdP of your choice.
Note: Organization Admins are the only ones who can configure SSO.
Note: You can access the Neo Admin Center by opening the Freshworks Switcher and clicking on your organization domain link.
- Use the Redirect URL provided by Freshworks in your Identity provider configuration: register it as the allowed redirect (callback) URI for the client you create for Freshworks. Authorization servers normally require an exact match, so copy it unchanged.
- You will be presented with the following fields, which you fill in with the values you get from your IdP:
Client Id
Client secret
Authorization URL (to redirect to the login page of IdP, if not already logged in)
Access token URL (to get the user access token)
Logout URL (optional - user will be redirected to this page on logout)
User info URL (to get the user information based on the access token obtained by invoking the access token URL)
Params to be shared
Note:
1. Once the configuration is correct on both sides, the user info endpoint URL must return the sub and email claims. Without these claims Freshworks cannot identify the user, and the login fails.
2. The call from Freshworks to the token endpoint has a timeout of 10 seconds, so your access token URL must respond within that window.
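The exchange described under "How OAuth 2.0 works", together with the checks behind the two notes above (the required sub and email claims, and the server-to-server token call), as an added Python example that is not Freshworks code and not your IdP's code: a small in-memory stand-in plays your IdP's authorization, token and user info endpoints on one side, and the redirect, code exchange and user info call are modelled on the other. The client id and secret, all URLs, the scope list and the user records are constructed placeholders, and the state parameter is standard OAuth 2.0 practice rather than something the article states Freshworks sends.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values an Organization Admin would enter in the Freshworks form. Every value
# is a placeholder (assumption); none is a real Freshworks or IdP identifier.
CONFIG = {
    "client_id": "freshworks-sso",
    "client_secret": "replace-with-secret-issued-by-your-idp",
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "access_token_url": "https://idp.example.com/oauth2/token",
    "user_info_url": "https://idp.example.com/oauth2/userinfo",
    "redirect_uri": "https://acme.myfreshworks.com/sp/OAUTH/callback",
    "scope": "openid email profile",  # one thing "Params to be shared" could carry (assumption)
}
REQUIRED_CLAIMS = ("sub", "email")  # the user info response must contain these


def _query(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class MockIdP:
    """In-memory stand-in for your authorization server (constructed for this
    example); it plays the three URLs Freshworks is configured with."""

    def __init__(self, config, users):
        self.cfg = config
        self.users = users   # login name -> claims served by the user info URL
        self.codes = {}      # single-use authorization code -> login name
        self.tokens = {}     # access token -> login name

    def authorize(self, request_url, signed_in_user):
        """Authorization URL: the user counts as signed in, so issue a code and
        redirect to the registered Freshworks Redirect URL."""
        q = _query(request_url)
        if q.get("response_type") != "code" or q.get("client_id") != self.cfg["client_id"]:
            raise ValueError("unauthorized_client")
        if q.get("redirect_uri") != self.cfg["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered Redirect URL")
        code = secrets.token_urlsafe(24)
        self.codes[code] = signed_in_user
        return f"{self.cfg['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, form):
        """Access token URL: authenticate the client and redeem the code once."""
        if (form.get("client_id"), form.get("client_secret")) != (self.cfg["client_id"], self.cfg["client_secret"]):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code" or form.get("redirect_uri") != self.cfg["redirect_uri"]:
            raise ValueError("invalid_grant")
        user = self.codes.pop(form.get("code"), None)  # a code may be redeemed only once
        if user is None:
            raise ValueError("invalid_grant: unknown or already used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, authorization_header):
        """User info URL: return the claims for a valid bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            raise PermissionError("invalid_token")
        return dict(self.users[self.tokens[token]])


# ---- The Freshworks (service provider) side of the exchange ----

def build_authorization_request(config):
    """Step 1: the URL the browser is sent to. `state` is a per-login nonce the
    callback must echo back (standard OAuth 2.0 CSRF protection)."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": config["client_id"],
              "redirect_uri": config["redirect_uri"], "scope": config["scope"], "state": state}
    return f"{config['authorization_url']}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: accept the code only if `state` matches the one this login issued."""
    q = _query(callback_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"]


def exchange_code(idp, config, code):
    """Steps 3-4: server-to-server POST to the Access token URL. With a real
    HTTP client this is the call that must finish within 10 seconds."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": config["redirect_uri"],
            "client_id": config["client_id"], "client_secret": config["client_secret"]}
    resp = idp.token(form)
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in token response")
    return resp["access_token"]


def fetch_userinfo(idp, access_token):
    """Steps 5-6: call the User info URL and insist on the sub and email claims."""
    claims = idp.userinfo(f"Bearer {access_token}")
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        raise ValueError(f"user info response is missing required claims: {missing}")
    return claims


def sso_login(idp, config, user):
    """Run the whole exchange for a user who is already signed in at the IdP."""
    auth_url, state = build_authorization_request(config)
    code = parse_callback(idp.authorize(auth_url, user), state)
    return fetch_userinfo(idp, exchange_code(idp, config, code))


# Constructed user directory: one complete record, one whose record has no email claim.
USERS = {
    "alice": {"sub": "1001", "email": "alice@example.com", "name": "Alice Ng"},
    "bob": {"sub": "1002", "name": "Bob Okafor"},
}
```

Running `sso_login(MockIdP(CONFIG, USERS), CONFIG, "alice")` returns Alice's claims; the same call for "bob" raises a ValueError naming the missing email claim, which is the failure mode note 1 describes. The stand-in also refuses a callback whose state does not match and a code that is redeemed twice, which are the two checks a real authorization server and client are expected to make.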
If you need further assistance, please feel free to write to [email protected] with your queries. We're more than happy to help.