Skip to main content

Connecting using OpenId Connect

If your authentication provider is compatible with OpenID connect, you can allow your users to authenticate to WorkAdventure using their credentials from your authentication provider. By connecting to an external OpenID provider, WorkAdventure allows users to use their existing login information from that provider to access the WorkAdventure service, making it easier and more convenient for them to log in. This also provides an additional layer of security, as the authentication is handled by your provider, rather than WorkAdventure itself.

BO OpenId connect form

To configure your provider, you will have to fill these 5 input fields:

  • Application name: name of your SSO settings for WorkAdventure, it does not affect the OpenId connection protocol.
  • Application id: ID of your SSO OpenId provider. This information is provided by your provider.
  • Application secret: Secret of your SSO OpenId provider. This information is provided by your provider.
  • OpenId SSO Domain: URL of your provider. Your OpenId SSO provider should have well-know configuration setting defined URL: /.well-known/openid-configuration. For example for the Google OpenId provider, the well-know configuration URL is https://accounts.google.com/.well-known/openid-configuration. So the OpenId domain is https://accounts.google.com
  • Scope: Scope available for your OpenId provider (openid, profile, email...). You should at least put the "openid" scope.

Authentication mandatory

If you switch on this parameter, any visitor coming to your world will be redirected to the login page of your authentication provider.

SSO settings information

  • Our domain is: https://admin.workadventu.re.
  • The redirect URI of your SSO settings will be https://admin.workadventu.re/oauth/<application_id>/callback
  • Our privacy policy: https://workadventu.re/privacy-policy
  • Our term of use: https://workadventu.re/terms-of-use
  • Our cookie policy: https://workadventu.re/cookie-policy
  • Our Sub-processors: https://workadventu.re/subprocessors

Example: Connecting to Google OpenId provider

Create your API Key

Go to Google Cloud Platform : https://console.cloud.google.com/apis/credentials Create an ID client Oauth.

Google OpenId connect form

In the settings form, the WorkAdventure information are:

  • Javascript authorize: https://admin.workadventu.re
  • Redirect url authorize: https://admin.workadventu.re

Google authorize

After this step, your Id and Secret will be generated.

The key generated is listed on your "Client ID Oauth2.0" dashboard.

Google id and secret

The second and last step is on the Oauth consent screen.

If not already specified, set "User Type" to allow access for all selected individuals. After that you can update or create consent page.

Google consent settings

Required fields:

  • Home page: https://admin.workadventu.re
  • Privacy policy: https://workadventu.re/privacy-policy
  • Terms of use: https://workadventu.re/terms-of-use
  • Domain: admin.workadventu.re

There are more details about you.

Google consent settings form

After that, you need to set the scope of your Google SSO provider, as well as set the level of access to the information we can request from your provider for the connected user.

As of this writing, WorkAdventure uses only the email address and the name of the user (you can force the user to use his/her name of OpenID in the world settings).

Google consent settings form

If all information has been validated, the next step should be confirmation.

If you have any questions, feel free to contact us.

Example: Connecting to Microsoft Azure OpenId provider

Create a New Application Registration

In the Azure AD dashboard, select "App registrations" under the "Manage" section. Click on the "+ New registration" button. Fill in the necessary details for your application: Name: Enter a name for your application. Supported account types: Choose whether the application will be used by accounts in your organizational directory only, or by accounts in any Azure AD directory. Redirect URI: This is the URI to which Azure AD will redirect after authentication. For web applications, this is typically the URL where your application is hosted. Click the "Register" button.

Configure Application Settings

After registering the application, you'll be taken to the application's overview page. Here, you can configure various settings: Application ID: This is also known as the Client ID. It's a unique identifier for your application. Directory (tenant) ID: This is the ID of your Azure AD tenant. Authentication settings: Configure how users sign in to your application, including supported account types and platform configurations.

Define API Permissions

If your application needs to access Microsoft Graph API or other APIs, you'll need to define the required permissions: In the application's overview page, click on "API permissions." Click on the "+ Add a permission" button. Select the API you want to access (e.g., Microsoft Graph). Choose the required permissions for your application: Presence Read/Write

Configure Authentication

Under the application's settings, navigate to the "Authentication" section. Configure the authentication method for your application, such as setting up a callback URL for redirect after login.

Obtain Application Secrets (Client Secrets)

In the application's settings, go to the "Certificates & secrets" section. Generate a new client secret (also known as an application secret). This secret is used for authentication between your application and Azure AD.

Test Your Application

With the necessary settings configured, you can now use the provided Application ID (Client ID) and Client Secret to authenticate your application and access resources.

Enable Teams Status Synchronization

You must go on the developer section of WorkAdventure dashboard, your SSO must be already configured like the section hover.

You have just to check the "Microsoft Teams Status Synchronization" to implement the status synchronization on all maps who is on your world.