SSO authentication

An important note for the rest of this document is that the Mediebank does not have its own authentication system. Instead, it delegates authentication to your organization's OAuth2 Authorization Server. Your organization can therefore use any of the following to authenticate users with the Mediebank:

  • Azure AD (now Microsoft Entra ID),

  • Google Workspace,

  • Okta,

  • OpenID Connect,

  • or any other OAuth2 Authorization Server.

 

Whichever provider you use, the Mediebank must receive at least the following two values (claims) for each user:

 

  • user_id: A unique, stable identifier for the user. Prefer an identifier that never changes and is never reused, such as the OpenID Connect sub claim, rather than the email address, since email addresses can change or be reassigned to another person.

  • email: The user's email address.

 

With these values the Mediebank can identify each user and knows how to contact them.

 

Those two values are mandatory. In addition, the Mediebank accepts the following optional values:

  • firstname: The user's first name.

  • lastname: The user's last name.

  • mobile: The user's mobile phone number.

  • picture: The user's profile picture.

  • groups: An array of strings listing all the groups the user is a member of (required for the multi organization setup described below).

 

Managing access

 

It is your responsibility to ensure that only the people who should have access to the Mediebank actually have it.

 

Because we do not know the inner workings of your organization's identity provider, the Mediebank neither deletes users automatically nor synchronizes users in any way.

 

Users are therefore created in the Mediebank on their first login, and they are only deleted when you actively delete them via the Mediebank's user interface. Because authentication itself is delegated to your identity provider, removing or disabling a user there stops them from logging in again, but their Mediebank account remains until you delete it; make that deletion part of your offboarding procedure.

 

Multi organization setup

 

Some customers require the ability to have several organizations within the same Mediebank instance. 

 

For such a setup your identity provider must send us an array of the group names the authenticating user is a member of (the groups value described above). Access to organizations within your Mediebank instance is decided solely by the groups a user belongs to.

 

Naturally you do not want every group in your identity provider to automatically create a new Mediebank organization. To avoid this, give all groups that grant access to Mediebank organizations the same machine-readable prefix, for example NTBMB.GroupNameHere.

 

A group named NTBMB.GroupNameHere would automatically create an organization called GroupNameHere in your Mediebank instance. This happens the moment a user who is a member of that group logs in. Since group membership alone grants organization access, restrict who in your identity provider can create or rename groups carrying this prefix, and who can add members to them.
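The claims handling from the SSO section and the group-to-organization mapping from this section, as an added example in Python that is not Mediebank code. The claim names in the map (sub, email, given_name, family_name, phone_number, picture, groups) are assumptions about what your identity provider emits; sub, email, given_name, family_name, phone_number and picture are standard OpenID Connect claims, while groups is a common but non-standard one. The Mediebank attribute names and the NTBMB. prefix come from this page, and the sample payload is constructed for the demonstration.

```python
# Added example, not Mediebank code: turn the claims returned by an OAuth2/OIDC
# identity provider into the attributes the Mediebank needs, and derive
# organization names from the agreed group-name prefix.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Mapping, Optional

ORG_GROUP_PREFIX = "NTBMB."   # group naming convention from this page

# Mediebank attribute -> claim name your identity provider emits (assumed defaults;
# adjust to what your provider actually sends).
DEFAULT_CLAIM_MAP: Dict[str, str] = {
    "user_id": "sub",
    "email": "email",
    "firstname": "given_name",
    "lastname": "family_name",
    "mobile": "phone_number",
    "picture": "picture",
    "groups": "groups",
}
REQUIRED = ("user_id", "email")


class ClaimsError(ValueError):
    """Raised when the identity provider did not supply what the Mediebank requires."""


@dataclass
class MediebankUser:
    user_id: str
    email: str
    firstname: Optional[str] = None
    lastname: Optional[str] = None
    mobile: Optional[str] = None
    picture: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    organizations: List[str] = field(default_factory=list)


def organizations_from_groups(groups: List[str], prefix: str = ORG_GROUP_PREFIX) -> List[str]:
    """Map group names to Mediebank organization names.

    Only groups that start with the agreed prefix count; everything after the
    prefix is the organization name. Matching is exact and case-sensitive, and
    a bare prefix with no name is ignored, so a stray "ntbmb.X" or "NTBMB."
    group cannot quietly create an organization. Duplicates are collapsed.
    """
    orgs: List[str] = []
    for group in groups:
        if not group.startswith(prefix):
            continue
        name = group[len(prefix):]
        if name and name not in orgs:
            orgs.append(name)
    return orgs


def user_from_claims(claims: Mapping[str, Any],
                     claim_map: Mapping[str, str] = DEFAULT_CLAIM_MAP) -> MediebankUser:
    """Validate and normalise an ID-token or userinfo payload.

    user_id and email are mandatory; the rest is optional. Malformed values
    (non-string attributes, a groups claim that is not a list of strings) are
    rejected rather than coerced, because they are something to investigate.
    """
    values: Dict[str, Any] = {attr: claims.get(claim) for attr, claim in claim_map.items()}

    for attr in REQUIRED:
        value = values.get(attr)
        if not isinstance(value, str) or not value.strip():
            raise ClaimsError(f"identity provider did not return a usable '{attr}' claim")
    if "@" not in values["email"]:
        raise ClaimsError("email claim is not an email address")

    for attr in ("firstname", "lastname", "mobile", "picture"):
        if values[attr] is not None and not isinstance(values[attr], str):
            raise ClaimsError(f"'{attr}' claim must be a string")

    groups = values.get("groups")
    if groups is None:
        groups = []   # no groups claim at all: the user gets no organizations
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimsError("groups claim must be an array of strings")

    return MediebankUser(
        user_id=values["user_id"].strip(),
        email=values["email"].strip(),
        firstname=values["firstname"],
        lastname=values["lastname"],
        mobile=values["mobile"],
        picture=values["picture"],
        groups=list(groups),
        organizations=organizations_from_groups(groups),
    )


# Constructed sample ID-token payload for the demonstration (not real data).
SAMPLE_CLAIMS = {
    "sub": "a1b2c3d4",
    "email": "Ola.Nordmann@example.com",
    "given_name": "Ola",
    "family_name": "Nordmann",
    "groups": ["AllEmployees", "NTBMB.Sales", "ntbmb.Shadow", "NTBMB.",
               "NTBMB.Marketing", "NTBMB.Sales"],
}

if __name__ == "__main__":
    user = user_from_claims(SAMPLE_CLAIMS)
    print(user.user_id, user.email, user.organizations)
```

Run against the sample payload, the user is identified by the sub claim and ends up in the Sales and Marketing organizations only; AllEmployees has no prefix, ntbmb.Shadow has the wrong case, and the bare NTBMB. group has no name. Note that the code treats an absent groups claim as "no organizations"; some providers omit the claim when a user belongs to more groups than fit in the token (Microsoft Entra ID emits an overage indicator instead), so in production you should detect that case and fetch the groups separately rather than silently granting nothing.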

 

Authentication flow diagram

[Image: authentication flow diagram]