Single Sign On (SSO)

Marketplace SSO integration points are created by the partner providing an SSO login URL that has {platform} and {tenant} placeholders.

Platforms will replace these placeholders with the platform's slug (alli in PMG's case) and a tenant ID (a client UUID in PMG's case), then redirect the user to the partner's SSO login URL.

Beyond that, the partner and platform agree on how to perform the SSO Login dance. That may be OAuth, OpenID, SAML, or some other protocol.

The sso key may be specified in the specification with a login_url property.

{
    "sso": {
        "login_url": "https://example.com/sso/{platform}/{tenant}"
    }
}

SSO with Alli

Note: Alli implements a spec-compliant OpenID Connect (OIDC) server. Find the OIDC configuration here: https://login.alliplatform.com/.well-known/openid-configuration

For partners integrating SSO with the Alli Platform, Alli will serve as an identity provider. Partners must redirect the user to Alli's OAuth Authorize endpoint: https://login.alliplatform.com/authorize.

An Alli representative will supply the partner with an OAuth Client ID and secret to use with a server-side authorization code login flow.

Partners will need to use the scopes openid, profile, email, and as_client.{tenant}, where {tenant} is replaced with the tenant ID from the SSO URL.

Alli Staging Environments

Partners may be given access to our staging environment to test their implementation before going to prod. Ask your account rep for access.

Find the staging OIDC information at https://login.allistaging.com/.well-known/openid-configuration

Alli SSO Summary

Given a partner app with the following specification:

{
    "sso": {
        "login_url": "https://example.com/sso/{platform}/{tenant}"
    }
}

The login flow for a tenant with the ID a1863bd7-e7ee-4053-a789-03e8b071ac71 is:

  1. Alli sends the user to https://example.com/sso/alli/a1863bd7-e7ee-4053-a789-03e8b071ac71
  2. The partner then redirects the user to https://login.alliplatform.com/authorize?client_id=PARTNER_CLIENT_ID&redirect_uri=PARTNER_REDIRECT_URI&response_type=code&scope=openid%20profile%20email%20as_client.a1863bd7-e7ee-4053-a789-03e8b071ac71
  3. Alli prompts the user to log in, then redirects the user back to the partner's redirect URI.
  4. The partner exchanges the authorization code for an access token via https://login.alliplatform.com/token
  5. The partner can then call the userinfo endpoint, https://login.alliplatform.com/openid/userinfo, to get information about the user, including their email.

Important Note: with this login flow, all users of a given tenant appear to the partner as the same user, one whose email is {tenantSlug}@clients.alliplatform.com.
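As an added example (not PMG's or Alli's own code or documentation), the following Python sketch walks through the partner side of the flow above, and also covers the placeholder substitution described at the top of the page: filling and parsing the {platform}/{tenant} login URL, building the authorize request, validating the redirect back, building the token and userinfo requests, and mapping the returned email to the tenant slug. It adds state and nonce parameters, which the steps above do not list but which the authorization code flow relies on to bind the callback and ID token to the user's browser session. The HTTP transport is injected as a callable so the code runs offline; the HTTP Basic client authentication on the token request and the callback URL https://example.com/sso/callback are assumptions, not values from the page.

```python
import base64
import re
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Production endpoints exactly as listed on this page.
ALLI_AUTHORIZE = "https://login.alliplatform.com/authorize"
ALLI_TOKEN = "https://login.alliplatform.com/token"
ALLI_USERINFO = "https://login.alliplatform.com/openid/userinfo"
CLIENT_EMAIL_DOMAIN = "clients.alliplatform.com"

# Tenant IDs are client UUIDs. The value is interpolated into the scope, so it is
# validated here instead of being trusted straight from the incoming URL.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
PLACEHOLDER_RE = {"{platform}": r"(?P<platform>[a-z0-9_-]+)", "{tenant}": r"(?P<tenant>[^/?#]+)"}


def render_login_url(template, platform, tenant):
    """Platform side (step 1): fill the {platform} and {tenant} placeholders."""
    return template.replace("{platform}", platform).replace("{tenant}", tenant)


def parse_login_url(template, incoming_url):
    """Partner side: recover (platform, tenant) from the URL the user arrived on."""
    parts = re.split(r"(\{platform\}|\{tenant\})", template)
    pattern = "".join(PLACEHOLDER_RE.get(p, re.escape(p)) for p in parts)
    m = re.fullmatch(pattern, incoming_url)
    if m is None:
        raise ValueError("URL does not match the SSO login template")
    tenant = m.group("tenant")
    if not UUID_RE.match(tenant):
        raise ValueError("tenant is not a UUID")
    return m.group("platform"), tenant


def build_authorize_url(client_id, redirect_uri, tenant, state, nonce):
    """Step 2: the authorize request. state ties the callback to this browser
    session (CSRF protection); nonce ties the ID token to it."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": f"openid profile email as_client.{tenant}",
        "state": state,
        "nonce": nonce,
    }
    return ALLI_AUTHORIZE + "?" + urlencode(params, quote_via=quote)


def start_login(template, incoming_url, client_id, redirect_uri):
    """Steps 1-2 on the partner side: returns the redirect target plus the values
    the partner must keep in the user's server-side session until the callback."""
    platform, tenant = parse_login_url(template, incoming_url)
    session = {"platform": platform, "tenant": tenant,
               "state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    url = build_authorize_url(client_id, redirect_uri, tenant, session["state"], session["nonce"])
    return url, session


def parse_callback(callback_url, expected_state):
    """Step 3: validate the redirect back and extract the authorization code."""
    q = parse_qs(urlsplit(callback_url).query)
    got = q.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: code-for-token exchange. HTTP Basic client authentication is an
    assumption; Alli's supported methods are advertised in its OIDC configuration."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": ALLI_TOKEN,
        "headers": {"Authorization": "Basic " + basic,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }


def userinfo_request(access_token):
    """Step 5: bearer-authenticated userinfo call."""
    return {"method": "GET", "url": ALLI_USERINFO,
            "headers": {"Authorization": "Bearer " + access_token}}


def tenant_slug_from_userinfo(claims):
    """Every user of a tenant presents as {tenantSlug}@clients.alliplatform.com, so
    the partner keys its account on the slug rather than on an individual person."""
    local, _, domain = claims.get("email", "").rpartition("@")
    if domain != CLIENT_EMAIL_DOMAIN or not local:
        raise ValueError("userinfo email is not an Alli client identity")
    return local


def complete_login(transport, session, callback_url, client_id, client_secret, redirect_uri):
    """Steps 3-5 once the browser returns. transport(request) -> parsed JSON dict is
    injected (a requests/httpx wrapper in production) so this module runs offline."""
    code = parse_callback(callback_url, session["state"])
    tokens = transport(token_request(client_id, client_secret, code, redirect_uri))
    claims = transport(userinfo_request(tokens["access_token"]))
    return {"tenant": session["tenant"], "tenant_slug": tenant_slug_from_userinfo(claims),
            "claims": claims}
```

In production the partner stores the session dict returned by start_login server-side, keyed to the browser's session cookie, and rejects any callback whose state it cannot find; the tenant recovered from the SSO URL should also be cross-checked against the slug in the userinfo email before the partner grants access.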

Alli OAuth Endpoint Quick Reference

Production

  • OIDC Configuration: https://login.alliplatform.com/.well-known/openid-configuration
  • Authorize Endpoint: https://login.alliplatform.com/authorize
  • Token Endpoint: https://login.alliplatform.com/token

Staging

  • OIDC Configuration: https://login.allistaging.com/.well-known/openid-configuration
  • Authorize Endpoint: https://login.allistaging.com/authorize
  • Token Endpoint: https://login.allistaging.com/token