
Configuring OIDC Implicit Grant Type Authentication for Web Forms


You can configure authentication for DSAR web forms via any certified Identity Provider (IdP) that supports the OpenID Connect (OIDC) implicit grant type. This is useful if you want to provide web forms to specific data subjects who will authenticate using an existing account so their web form is pre-filled with information pulled from their IdP account.

Note

The following instructions use Okta as an example IdP. Documentation on other certified IdPs will be available as they are tested by the OneTrust team.

To enable authentication on web forms

  1. On the Privacy Rights Automation menu, select Setup > Web Forms. The Web Form Templates screen appears.

  2. Select the View button on your desired web form to open the Web Form Customization screen.

    Note

    This article uses a published web form as an example. For more information on creating new web forms, see Creating a Web Form.

  3. Go to the Verification tab.

  4. Enable the Enable Authentication on Web Form setting to permit authentication through an IdP.

  5. Enable the Allow Access to Web Form without Authentication setting if you want to allow unauthenticated users to access the form.

    Note

    This will allow users accessing the form to choose whether to log into an existing account or proceed without logging in.

  6. In the Identity Provider Configuration field, select Add New to open the Identity Provider Setup modal.

  7. Enter a name for this IdP configuration in the Identity Provider Name.

    Note

    Keep this modal open. You will return after you have obtained the base URL from the IdP.

    Tip

    OneTrust recommends that you create unique names for each web form authentication setup if you intend to use the same IdP for multiple configurations.


To create your single-page application with Okta

  1. In a separate window, log into your Okta account and select the Applications tab on the main navigation menu. The Applications screen appears.

  2. Click the Add Application button and select Single-Page App in the Create New Application screen to set up your web form as a single-page application. Click the Next button when finished.

  3. In the Application Settings block, enter the name you created for your IdP configuration in OneTrust in the Name field.

    Note

    Keep this page open. You will return to enter the Base URL and Redirect URI.

  4. Copy your IdP's base URL and paste it into the Base URL field back on the Identity Provider Setup modal in OneTrust.

  5. Click the Validate button to verify the IdP.

  6. Once it is validated, OneTrust will generate a Configuration block with instructions on how to use the web form URLs for authentication with the IdP.

    Note

    Keep this page open. You will return after you have obtained the Client ID from the IdP.


To authenticate web form URLs

  1. Click the Copy button next to the Published Web Form URL provided and paste it into Okta's Login redirect URIs field.

  2. Copy the base URL from the published web form link and paste it into Okta's Base URI field.

  3. Check Implicit under Grant Type Allowed.

  4. Click Done to save your changes and finalize the IdP configuration. Your newly created app's page will appear.

  5. In the General tab, locate the Client ID field in the Client Credentials block. Copy the information in the field and paste it in the Client ID field in OneTrust.

  6. Ensure Implicit is selected as the grant type.

To map scopes and claims

Scopes are used by IdPs to specify access privileges when issuing an access token. You can specify the scopes that should be requested from the IdP. Optionally, you can map claims from the scope to the corresponding web form field to pre-populate the field with data pulled from the IdP.

Warning

If the client-side configuration for OIDC lacks values, those fields will remain empty in the web form after a successful OIDC submission. Ensure all required values are properly configured to prevent missing or incomplete data in the form.

Things to Know

  • Scopes and claims need to be available in the ID token, which is fetched through the authorization endpoint. In turn, they must be properly mapped for OneTrust to prefill the web form fields.

  • OneTrust does not support pre-population of information sent through the user info endpoint.

  • Scopes are case sensitive.

  • For OIDC, you must include openid as a scope. The configuration will fail without it.

  • For nesting attributes, see Nested Claims.

  • When mapping data to a country or state value, the IdP must send data to OneTrust using the ISO 3166 code standard (e.g. California = CA; United States = US).

    Note

    If mapping to the seeded State field, users must also map to Country as a required field.

  • Match claims according to your IdP's given fields. For more information on Okta's expected payloads and scope-dependent claims, see Okta ID Token Payload.

  1. In the Scopes & Claims block, enter the scopes you want to request from the IdP for the web form in the Scopes fields.

  2. Enter the claims/attributes you want to map from the IdP to the web form in the Claim / Attribute fields.

  3. Match the corresponding web form field to the claim / attribute in the Form Field field.

  4. Click the Save button.

  5. Click the Publish button to submit your changes. OIDC setup with user authentication for the DSAR web form is now complete.


Nested Claims

You can map the nested attributes of a single scope. Reference your IdP's given claims or attributes to match corresponding web form fields to collect the nested data.

  1. In the Claims/Attributes block, list all of the nested attributes that align with the scope.

  2. Match the nested claims to the corresponding web form field.


Sample Code

The address claim of the profile scope as it appears, nested, in the ID token payload. Each nested attribute (for example region and country) is listed in the Claims/Attributes block and matched to its web form field:

{
  "address": {
    "street_address": "123 Hollywood Blvd.",
    "locality": "Los Angeles",
    "region": "CA",
    "postal_code": "90210",
    "country": "US"
  }
}

To test the published web form

  1. Click the Test button to access the web form. You will be presented with the option of signing in or proceeding as a guest user.

  2. If you are already signed in as an authenticated user in your browsing session, the web form will automatically populate the name and email fields from your IdP account. These fields will be grayed out and cannot be modified.

    New, unauthenticated users will be redirected to the IdP's login screen and be asked to provide their credentials to access the web form.

    If you sign in as a guest user, the web form won't be pre-filled and you won't be authenticated. Additionally, your identity will have to be verified through an alternative ID verification process (e.g., document upload or email validation) in order to submit the web form.

  3. Once users submit a pre-filled web form, checkmarks will appear next to the fields that were mapped from the IdP to the web form.

 