OAuth 2.0 is an authorization framework for third-party applications. On behalf of a resource owner, third-party applications like Freshworks use OAuth 2.0 to get limited access to an HTTP service. The framework also enables an approval interaction between the resource owner and the HTTP service. In addition, OAuth 2.0 supports direct access to HTTP services by the third-party application.
To learn more about SSO, refer to the articles below.
- SSO Overview
- Implement Single Sign-On for Freshworks
- How is the authentication data securely exchanged between IdP and SP
- Terms and definitions to understand SSO better
- Agent SSO and Contact SSO for an Organization
How OAuth 2.0 works
If you, the user, haven't already signed in, you will be redirected from the application to your authorization URL, requesting an authorization code.
Freshworks receives the requested authorization code from the authorization server.
Freshworks makes a request to your access token URL, exchanging the code obtained for an access token.
Your authorization server will return an access token to Freshworks.
Freshworks then makes a request to your UserInfo URL with the access token obtained.
Your server will then return the user’s information in JSON format.
Note: The new Security UI will be enabled by default on 30 Nov 2020. You can try our new features and redesigned UI in advance by clicking on the link present in the banner at the top of the Security section.
Step-by-step process on how to configure SSO with OAuth 2.0 (Old UI)
Log in using your Organization URL and navigate to the Organization Dashboard. Click on the security settings in the sidebar. You can define a default security policy that will be applicable for all users in the organization including admins/agents. You can scroll down to turn on the Single Sign-On option and choose OpenID Connect as the login method.
Note: Organization Admins are the only ones who can configure SSO.
Note: You can access the Organization Dashboard by opening the Freshworks Switcher and clicking on your organization link.
You will be presented with the following fields that you need to fill with the information you get from the IdP side:
Authorization URL (to redirect to the login page of IdP, if not already logged in)
Access token URL (to get the user access token)
Logout URL (optional - user will be redirected to this page on logout)
User info URL (to get the user information based on the access token obtained by invoking the access token URL)
Use the Redirect URL provided by Freshworks in your Identity provider configuration.
Click on the Save button.
Params to be shared
Note: Once the configuration is correct on both sides, the UserInfo endpoint URL must return the sub and email claims. Without these claims, it is not possible for Freshdesk to authenticate the user.
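The sketch below is an added example, not Freshworks code. It walks the steps under "How OAuth 2.0 works" and checks a UserInfo response for the sub and email claims required by the note above, so an IdP configuration can be verified before SSO is switched on. The request parameter names follow RFC 6749. The endpoint URLs, client values, the use of a state parameter, sending the client secret in the form body, and treating non-string claim values as missing are all assumptions.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not values from the page or from Freshworks.
AUTHORIZATION_URL = "https://idp.example.com/oauth2/authorize"
REDIRECT_URL = "https://sp.example.com/sso/callback"
REQUIRED_CLAIMS = ("sub", "email")  # the two claims the page says are mandatory


def authorization_request(client_id, state):
    """Step 1: URL the browser is sent to so the IdP can issue a code."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": REDIRECT_URL, "state": state})
    return f"{AUTHORIZATION_URL}?{query}"


def code_from_callback(callback_url, expected_state):
    """Step 2: take the code from the redirect; refuse a callback for another login."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request_body(code, client_id, client_secret):
    """Step 3: form body POSTed to the access token URL (RFC 6749 section 4.1.3)."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URL, "client_id": client_id,
                      "client_secret": client_secret})


def missing_userinfo_claims(body):
    """Steps 5-6: claims absent, empty or non-string in the UserInfo JSON."""
    try:
        claims = json.loads(body)
    except (TypeError, ValueError):
        return list(REQUIRED_CLAIMS)
    if not isinstance(claims, dict):
        return list(REQUIRED_CLAIMS)
    return [name for name in REQUIRED_CLAIMS
            if not isinstance(claims.get(name), str) or not claims[name].strip()]
```

An empty list from `missing_userinfo_claims` means the response satisfies the claim requirement. A body that is not a JSON object, such as a signed JWT string, is reported as missing both claims.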