FintechOS Identity Provider

Starting with release 22.1, the FintechOS Platform uses the FintechOS Identity Provider as the default authentication layer for the FintechOS applications and services. Alternate authentication methods are provided only for backward compatibility.
For more information, see Deprecated Identity Providers.

The FintechOS Identity Provider is an OpenID compliant identity and access management solution based on the Keycloak authentication server. All HPFI components, such as Innovation Studio, FintechOS Portal, or FintechOS API, are represented in the FintechOS Identity Provider as different clients of the same FintechOS realm.

User credentials and roles set up in Innovation Studio are stored by the FintechOS Identity Provider. When creating, updating, or deleting a user account in Innovation Studio, the changes are automatically propagated in the FintechOS Identity Provider.

Identity Brokering

The FintechOS Identity Provider supports identity brokering, allowing users to log in to FintechOS applications and services using any external identity provider that supports the OpenID Connect standard. You can find examples for common external identity providers configurations below:

FintechOS Identity Provider Settings

In the FintechOS Cloud Configuration Manager, set up the following secrets:

Key Path Key Name
kv/<environment>/<application>/app-settings EBSDefaultAuthentication
kv/<environment>/<application>/app-settings core-setting-external-auth-provider-key-url
kv/<environment>/<application>/app-settings core-setting-external-auth-provider-issuer
kv/<environment>/<application>/app-settings openid-client-id
kv/<environment>/<application>/app-settings openid-client-secret
kv/<environment>/<application>/app-settings openid-discovery-endpoint
kv/<environment>/<application>/app-settings openid-callback-url
Key Name Key Description

Specifies the identity provider:

  • FTOSOIDC - FintechOS Identity Provider
  • EBS - Legacy FintechOS Platform authentication (deprecated)

IMPORTANT!  In a non-standard scenario where a regular portal using FintechOS Identity Provider is linked to a B2C portal using legacy authentication, it is recommended to have each portal reside on a separate domain. The requests will pass successfully only if coming from FTOS IDP towards B2C (the other way around, errors may occur).
core-setting-external-auth-provider-key-url Link to the FintechOS Identity Provider public keys used to validate the digital signatures of the access tokens.
core-setting-external-auth-provider-issuer FintechOS Identity Provider instance identifier as provided in the issue field of the authentication token. This value is case sensitive.
openid-client-id Your HPFI component's corresponding Client ID as defined in the FintechOS Identity Provider.
E.g.: admin-portal, myInnovationStudio.
In the FintechOS Identity Provider admin console, you can find the list of Client IDs in the Clients section of your FintechOS realm.
openid-client-secret Your HPFI component's corresponding client secret generated by the FintechOS Identity Provider.
In the FintechOS Identity Provider admin console, you can find the client secret in the Credentials tab of your client's page.
openid-discovery-endpoint FintechOS Identity Provider endpoint.
In the FintechOS Identity Provider admin console, you can find the discovery endpoint address in the Realm Settings section.
openid-callback-url URL where the user agent is redirected after a successful login. The default value is {<Studio/Portal base URL>/Account/LogonCallback. A matching entry must be configured in the FintechOS Identity Provider as a valid redirect URI for the client.

Set up Service Account Roles for the Innovation Studio Client

Innovation Studio clients require full privileges for membership management (CRUD operations with users, password change/reset, etc.). For this purpose, a realm management service account role must be assigned to Innovation Studio clients:

  1. Log in to the FintechOS Identity Provider admin console.
  2. Select your HPFI realm.
  3. Select the Clients blade.
  4. Open the Innovation Studio client.
  5. Go to the Service Account Roles tab.
  6. In the Client Roles drop-down, select realm-management and assign all the available roles.

How users log in the HPFI Portal or Innovation Studio

When accessing the HPFI Portal or Innovation Studio, users who have an active OpenID session are logged in automatically. Otherwise, they are displayed the FintechOS Identity Provider single sign-on login page and will use the OpenID account credentials to log in to the HPFI Portal or Innovation Studio.

HPFI user account automatic synchronization

When a user logs in to HPFI Portal or Innovation Studiousing the FintechOS Identity Provider single sign-on, the following information stored in the corresponding HPFI user account is updated automatically based on the FintechOS Identity Provider account settings:

  • First Name
  • Last Name
  • Email
  • Security roles
  • External user ID (uniquely identifies the user by an external identity provider)