Opinsys Authentication

To implement Opinsys Authentication to an external service, you must receive a shared secret from Opinsys support at tuki @ opinsys.fi. To receive it, you must provide us the following information:

Once the shared sercret is in place, the external service may redirect the user's web browser to https://api.opinsys.fi/v3/sso with a return_to query string key which determines where the user will be redirected back. The hostname of the return_to URL must match the FQDN provided to us.

Example redirect URL might be:

https://api.opinsys.fi/v3/sso?return_to=http%3A%2F%2Fexample.com

When a user is authenticated he/she will be redirected to the URL specified in the return_to query string key. The URL is augmented with a jwt query string key which will contain a JSON Web Token. The external service is expected to decode this token, validate it with the given shared secret and make sure that it is not issued too long a ago or in the future. The token will contain following claims:

In addition to those above, there are some "extra" fields that can be used, but you should NOT rely on their presence (they might not always exist). They are:

Service activation

By default external services are not activated for all Opinsys organisations. Each organisation or individual schools must activate the external services on their behalf. They can do this directly from their management interface.

Organisation presetting

If the external service knows in advance from which organisation the user is coming from it can make the login a bit easier by specifying an additional query string key organisation to the redirect URL:

https://api.opinsys.fi/v3/sso?organisation=kehitys.opinsys.fi&return_to=http%3A%2F%2Fexample.com

Then users don't have to manually type their organisation during login.

Kerberos

When the user is coming from a Opinsys -managed desktop, Kerberos will be used for the authentication. The user will not even see the Opinsys login form in this case. He/she will be directly redirected back to return_to URL with a jwt key. The organisation presetting is ignored when Kerberos is active because the organisation will be read from the Kerberos ticket. This is enabled by default for all external services using Opinsys Authentication.

Custom fields

If you need to relay some custom fields through the Authentication service you can just add them to the return_to URL. Just remember to escape the value.

Example:

https://api.opinsys.fi/v3/sso?return_to=https%3A//example.com/path%3Fcustom_field%3Dbar

Redirects user to:

https://example.com/path?custom_field=bar&jwt=<the jwt token>

Implementation help

Feel free to contact us at dev @ opinsys.fi or open up an issue on Github if you have any trouble implementing this. If you think this documentation could be improved, contact us.