You can configure authentication for DSAR web forms via any certified Identity Provider (IdP) that supports the OpenID Connect (OIDC) authorization code grant type. This is useful for clients wanting to provide web forms to specific data subjects who will authenticate themselves using an existing account so their web form is pre-filled with information from the given account.
For more resources on this grant type, see OIDC Authorization Code Flow and OIDC Authorization Code FAQ.
To enable authentication on web forms
Note
The following instructions use Okta as an example IdP. Documentation for other certified IdPs will be made available as they are tested by the OneTrust team.
- On the menu, select . The Web Form Templates screen appears.
- Select the View button on your desired web form to open the Web Form Customization screen.
Note
This article uses a published web form as an example. For more information on creating new web forms, see Creating a Web Form.
- Go to the Verification tab.
- Enable the Enable Authentication on Web Form setting to permit authentication through an IdP.
- Enable the Allow Access to Web Form without Authentication setting if you want to allow unauthenticated users to access the form.
Note
This will allow users accessing the form to choose whether to log into an existing account or proceed without logging in.
- In the Identity Provider Configuration field, select Add New to open the Identity Provider Setup modal.
- Enter a name for this IdP configuration in the Identity Provider Name field.
Note
Keep this modal open. You will return after you have obtained the base URL from the IdP.
Tip
OneTrust recommends that you create unique names for each web form authentication setup if you intend to use the same IdP for multiple configurations.
To create your web application with Okta
- In a separate window, log into your Okta account and select the Applications tab on the main navigation menu. The Applications screen appears.
- Click the Add Application button and select Web in the Create New Application screen to set up your web form as a web application. Click the Next button when finished.
- In the Application Settings block, enter the name you created for your IdP configuration in OneTrust in the Name field.
Note
Keep this page open. You will return to enter the Base URL and Redirect URI.
- Copy your IdP's base URL and paste it into the Base URL field back on the Identity Provider Setup modal in OneTrust.
- Click the Validate button to verify the IdP.
- Once it is validated, OneTrust will generate a Configuration block with instructions on how to use the web form URLs for authentication with the IdP.
Note
Keep this page open. You will return after you have obtained the Client ID and Client Secret from the IdP.
To authenticate web form URLs
- Click the Copy button next to the Published Web Form URL provided and paste it into Okta's Login redirect URIs field.
- Copy the base URL from the published web form link and paste it into Okta's Base URI field.
- Check Authorization Code under .
- Click Done to save your changes and finalize the IdP configuration. Your newly created app's page will appear.
- In the General tab, locate the Client ID and Client Secret fields in the Client Credentials block. Paste these details into the Client ID and Client Secret fields in OneTrust.
- Ensure Authorization Code is selected as the grant type.
Scopes are used by IdPs to specify access privileges when issuing an access token. You can specify the scopes that should be requested from the IdP. Optionally, you can map claims from the scope to the corresponding web form field to pre-populate the field with data pulled from the IdP.
Things to Know
- Scopes and claims need to be available in the ID token, which is fetched through the authorization endpoint. In turn, they must be properly mapped for OneTrust to prefill the web form fields.
- OneTrust does not support pre-population of information sent through the user info endpoint.
- Scopes are case sensitive.
- For OIDC, you must include openid as a scope. The configuration will fail without it.
- For nesting attributes, see Nested Claims.
- When mapping data to a country or state value, the IdP must send data to OneTrust using the ISO 3166 code standard (e.g. California = CA; United States = US).
Note
If mapping to the seeded State field, users must also map to Country as a required field.
- Match claims according to your IdP's given fields. For more information on Okta's expected payloads and scope-dependent claims, see Okta ID Token Payload.
Note
OneTrust does not currently support Okta's given_name and family_name scopes. Please use the profile scope to collect names.
- In the Scopes & Claims block, enter the scopes you want to request from the IdP for the web form in the Scopes fields.
- Enter the claims/attributes you want to map from the IdP to the web form in the Claim / Attribute fields.
- Match the corresponding web form field to the claim/attribute in the Form Field field.
- Click the Save button.
- Click the Publish button to submit your changes. OIDC setup with user authentication for the DSAR web form is now complete.
Nested Claims
You can map the nested attributes of a single scope. Reference your IdP's given claims or attributes to match corresponding web form fields to collect the nested data.
For the Claims / Attributes, list all of the nested attributes that align with the scope.
Match the nested claims to the corresponding web form field.
Sample Code
Claims returned for the profile scope, with the nested address attributes:
{
  "address": {
    "street_address": "123 Hollywood Blvd.",
    "locality": "Los Angeles",
    "region": "CA",
    "postal_code": "90210",
    "country": "US"
  }
}
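The scope and claim rules in Things to Know (openid is mandatory, scopes are case sensitive, country and state must arrive as ISO 3166 codes, and mapping State requires mapping Country) and the nested-claim mapping shown above can all be checked on the relying-party side before a form is pre-filled. The following Python is an added example, not OneTrust or Okta code: the mapping format (dotted claim path to form field name), the form field names, and the `get_claim` and `prefill_form` functions are assumptions made for illustration, and the sample claims are constructed to match the nested address payload above.

```python
"""Map decoded OIDC ID-token claims (including nested ones) onto web form fields.

Added example, not OneTrust or Okta code. The mapping format, the form field
names and the two functions below are assumptions made for illustration.
"""
import re

# Constructed sample: decoded claims of an ID token. `address` is a nested
# claim, shaped like the Nested Claims sample payload above.
SAMPLE_CLAIMS = {
    "sub": "00u1abcd",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "address": {
        "street_address": "123 Hollywood Blvd.",
        "locality": "Los Angeles",
        "region": "CA",
        "postal_code": "90210",
        "country": "US",
    },
}

# Assumed mapping configuration: dotted claim path -> web form field name.
SAMPLE_MAPPING = {
    "email": "email",
    "name": "full_name",
    "address.country": "country",
    "address.region": "state",
    "address.postal_code": "zip",
}

# Two upper-case letters, matching the page's examples (US, CA).
ISO3166_CODE = re.compile(r"^[A-Z]{2}$")


def get_claim(claims, path):
    """Walk a dotted path through nested claim objects; None if any step is absent."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def prefill_form(claims, mapping, requested_scopes):
    """Return (fields, errors) for pre-populating a web form from ID-token claims.

    Enforces the page's rules: 'openid' must be among the requested scopes
    (exact, case-sensitive match), country/state values must be ISO 3166 codes,
    and a mapped State field requires a mapped Country field.
    """
    errors = []
    if "openid" not in requested_scopes:
        errors.append("scope list must include 'openid' (scopes are case sensitive)")
    fields = {}
    for claim_path, form_field in mapping.items():
        value = get_claim(claims, claim_path)
        if value is None:
            errors.append(f"claim {claim_path!r} not present in ID token")
            continue
        if form_field in ("country", "state") and not (
            isinstance(value, str) and ISO3166_CODE.match(value)
        ):
            errors.append(f"{form_field} must be an ISO 3166 code, got {value!r}")
            continue
        fields[form_field] = value
    if "state" in fields and "country" not in fields:
        errors.append("mapping State requires mapping Country as well")
    return fields, errors


if __name__ == "__main__":
    filled, problems = prefill_form(SAMPLE_CLAIMS, SAMPLE_MAPPING, ["openid", "profile", "email"])
    print(filled, problems)
```

Claims that fail a rule are reported rather than silently dropped, which is how a practitioner would surface why a field stayed empty after login.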
OIDC Authorization Code Flow
OIDC Authorization Code FAQ
1. What security controls does OneTrust provide for this flow type to protect the ID token in transit?
   OneTrust encrypts the connection between the web form and the IdP using the Transport Layer Security (TLS) 1.2 protocol as the supported means of securing communications. For more information about the module's security and encryption standards, see Privacy Rights Automation Security Guide.
2. Does OneTrust encrypt the ID token while in transit?
   Currently, OneTrust does not support encryption of the token itself, in favor of encrypting the whole connection via TLS. OneTrust must be able to parse the claims from an unencrypted ID token in order to support auto-population of web form fields.
   You can vote or comment on a product enhancement for JWE support in the Ideas Exchange here.
3. Does OneTrust validate the received ID token and reject any JWT that doesn't validate coming from the customer?
   Yes, OneTrust will always validate the token signatures. Tokens that fail to validate will display a "Failed" status for their verification method.
4. For the OIDC Authorization Code flow, will the ID token be passed via URL parameter?
   No, the token will be sent through a REST request.
5. Does OneTrust support custom ports for OIDC?
   Currently, OneTrust does not support custom ports as a configurable setting in the application. Please contact OneTrust to inquire about support for custom ports and IdPs.