Unify and manage your data

OAuth 2.0/OIDC authentication flow

Learn more about the authentication flow for OAuth 2.0 compliant SSO.

The authentication flow for OAuth 2.0-compliant SSO with a third-party authorization server and the Reltio Data Cloud includes the following parties:

This diagram illustrates the authentication flow among these parties.

This authentication flow typically includes the following interactions:

  1. A user tries to log in to a Reltio tenant using the Hub.
  2. The Hub receives the request (with tenantId) and redirects the user to the Reltio OAuth2 service.
  3. The Reltio OAuth2 service receives an authorization request and automatically redirects the user to the associated third-party Authorization Server to get an OAuth code. Using the tenantId provided by Hub, Reltio OAuth2 service chooses an IdP and redirects the user to the IdP login page. For example.

    https://auth-srv.customer.com/as/authorize?client_id=customer.reltio&client_secret=1A2b3C&grant_type=code&scope=profile_name,profile_email&redirect_uri=https://auth.reltio.com/callback&state=ABCD

    where:
    • Login endpoint is the URL defined in the IdP configuration (for more information see section OAuth 2.0/OpenID Connect (OIDC) Single Sign On (SSO)).
    • state is an internal identifier of the Authorization Server request to tie the redirect URL to the Reltio OAuth2 service callback page.
  4. The Hub gets a token for the user from Reltio OAuth2 service and sends it in an authorization request to Reltio OAuth2 service. For example.

    https://auth.reltio.com/authorize?grant_type=code&code=<Reltio code>

  5. The Reltio OAuth2 service generates an OAuth token request for the Authorization Server. For example:

    https://auth-srv.customer.com/as/authorize?grant_type=authorization_code&code=<code>

    where:
    • Token endpointi s the URL defined in the IdP configuration.
    • code is the user token received from Authorization Server in the previous step.
  6. The Reltio OAuth2 service sends a validation request with an appropriate authorization header to the IdP to obtain user information For example.

    https://auth-srv.customer.com/as/user

    or

    https://auth-srv.customer.com/as/checkToken

    where User info endpoint is defined in the IdP configuration.

  7. The Reltio OAuth2 service tries to associate the user information from the IdP with a user it holds using Reltio OAuth2-IdP based on an unambiguous identifier such as an email address or user ID:
    • If it can map the user, the Reltio Data Cloud validates the roles/privilege against those defined in IdP.

    • If it can't map the user, the Reltio Data Cloud creates a new user in Reltio OAuth2 with the roles predefined in the IdP configuration.

  8. The Authorization Server returns a response containing the OAuth access_token and refresh_token, which must be within 400 characters of each other.
    Note: For a refresh token request, the Reltio OAuth2 service uses the refresh token directly in the IdP.