The IN.gov Program is tasked with implementing a single sign-on authentication mechanism and Identity Provider for online applications for the State of Indiana, referred to as Access Indiana. The benefits of a standard authentication solution include, but are not limited to:
- Single Credential and Sign-on Capabilities
- Self-Service Password Reset
- Secondary Recovery Email
- Two-Step Verification
- System Notifications
- Development Efficiencies
- Greater Access Control Security
- Active Directory Federation (B2B)
- Customer Access Panel (Dashboard)
- Improved Customer Experience
- Customer Confidence in Brand
- User Insights
The following resources are intended to provide Indiana agencies with the initial tools and information they need to integrate with Access Indiana.
Integration Strategy
The preferred integration strategy is the removal of the current/legacy authentication mechanism from the agency application. The sign-up/sign-in functionality would then leverage Access Indiana. In the event that a user has a legacy login to the agency application, the user would then connect the new authentication (Access Indiana) profile with their legacy login by validating their legacy credentials in a process we refer to as account linking.
Benefits of this approach include:
- Simplifies landing page with a unified message to sign-in via Access Indiana
- Curbs prolonged confusion of having multiple login paths and credentials
- Successful authentication leads into new user registration on first visit
- Basic profile information can be returned from Access Indiana to seed the application registration
- Prompt for legacy login if the agency/user can determine it is an existing user to link the accounts
- Successful legacy login links existing account to Access Indiana identity
- Application flow for new user registration is almost the same, simplifying tier 1 support and training needs
Integration Process & Request Form
We are prescribing the OpenID Connect hybrid flow for agency implementations. This requires both front-channel (browser redirect) and back-channel (server-to-server) communication and is based on the assumption that the agency application uses cookies for its own session (if it does not, please note this so that we can have a further conversation about your individual implementation). Access Indiana must establish an individual client ID and secret for each application environment that your application will use. We would also need to include a localhost route for the development team (example: http://localhost:port) if your agency uses localhost. Keep in mind that the agency application must be able to receive sign-in and sign-out calls initiated either by the agency application itself or by Access Indiana. This will require distinct URLs/pages in your application to be included in your client setup.
Once the clients are established, the developer can visit the Access Indiana well-known endpoint for the OpenID configuration document, which lists the endpoint paths and the claims and scopes available from Access Indiana.
The following details will be needed per environment to set up your application in Access Indiana.
- Application developers provide configuration information for each application environment (Dev, QA, UAT, etc.):
- Name of application (This will be visible to the user)
- Valid reply URLs for the application
- Application URL
- Redirect path for Agency Initiated Authorization
- Redirect path for Authentication (Access Indiana) Initiated Authorization
- Redirect path for Agency Initiated App sign-out
- Redirect path for Authentication (Access Indiana) Initiated sign-out
- If your application is hosted outside of the state network, there may be additional firewall information to be exchanged (please let us know)
- Access Indiana team defines the application within the Access Indiana platform
- Provide agency developers with Client ID and Client Secret, via encrypted email for each environment that is being setup
- Client Secret is unrecoverable if lost and would have to be changed and resent
- A successful Access Indiana authentication allows the agency application to redeem the resulting bearer token for the user claims and scopes defined in the well-known endpoint.
To register your client application with Access Indiana, please submit the above criteria on the following online form.
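The following is an added example of the relying-party side of the hybrid flow described above (response_type=code id_token); it is not Access Indiana code. It builds the front-channel authorization request, validates the ID token that comes back with the authorization code (state, signature, issuer, audience, expiry, nonce and c_hash), and assembles the back-channel token request that carries the client secret. Every URL, client value and the HS256 key are constructed for the example; a real integration takes the endpoints from the well-known document and verifies RS256 signatures against the keys published at its jwks_uri.

```python
"""Relying-party side of the OIDC hybrid flow (response_type=code id_token).
Added example, not Access Indiana code. All endpoint URLs, client values and
the HS256 key below are constructed; a real integration reads the endpoints
from the well-known document and verifies RS256 signatures with the jwks_uri keys."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://idp.example"                                  # assumption
AUTHORIZATION_ENDPOINT = f"{ISSUER}/connect/authorize"          # assumption
CLIENT_ID, CLIENT_SECRET = "agency-app-dev", "secret-from-encrypted-email"  # assumption
REDIRECT_URI = "https://app.example/signin-oidc"                # assumption
DEMO_KEY = b"constructed-hs256-key"   # stands in for the provider's signing key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_url(state: str, nonce: str) -> str:
    """Front channel: the browser is redirected here. state ties the response to
    the user's session; nonce ties the ID token to this particular request."""
    params = {"response_type": "code id_token", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "response_mode": "form_post", "state": state, "nonce": nonce}
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left half of SHA-256 over the code."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url_encode(digest[:16])

def verify_id_token(id_token: str, key: bytes, nonce: str, code: str, now: int) -> dict:
    """Validate the front-channel ID token before the code is redeemed."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept 'none' or an alg you did not expect
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch (possible replay)")
    if not hmac.compare_digest(str(claims.get("c_hash", "")), c_hash(code)):
        raise ValueError("c_hash mismatch (code was not issued with this token)")
    return claims

def handle_callback(form: dict, session: dict, key: bytes, now: int) -> dict:
    """form_post callback: check state, verify the ID token, then build the
    back-channel token request (server to server, carries the client secret)."""
    if not hmac.compare_digest(form.get("state", ""), session["state"]):
        raise ValueError("state mismatch (possible CSRF)")
    claims = verify_id_token(form["id_token"], key, session["nonce"], form["code"], now)
    token_request = {"grant_type": "authorization_code", "code": form["code"],
                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                     "client_secret": CLIENT_SECRET}
    return {"claims": claims, "token_request": token_request}

def rejection_reason(form: dict, session: dict, key: bytes, now: int) -> str:
    """Return why a callback is rejected, or "" if it is accepted."""
    try:
        handle_callback(form, session, key, now)
        return ""
    except ValueError as err:
        return str(err)

def mint_demo_id_token(nonce: str, code: str, now: int, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the provider: signs a constructed ID token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                                        "iat": now, "exp": now + 300, "nonce": nonce,
                                        "c_hash": c_hash(code)}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def demo() -> dict:
    """Whole round trip with a constructed authorization response."""
    now = int(time.time())
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    print(build_authorization_url(session["state"], session["nonce"]))
    code = "constructed-authorization-code"
    form = {"code": code, "state": session["state"],
            "id_token": mint_demo_id_token(session["nonce"], code, now)}
    return handle_callback(form, session, DEMO_KEY, now)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering matters: state is checked before anything is parsed, and the ID token is fully validated before the code is sent to the token endpoint, so a code that was not issued together with this token (c_hash) or for this session (nonce) is never redeemed. The token request shown is the body of the back-channel POST to the token endpoint from the well-known document; the client secret never reaches the browser.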
OpenID Connect Resources
It will be critical for the implementing development team to become familiar with the OpenID Connect specification. The following links are a subset of the specifications to assist in understanding specific areas of consideration. The resources provide initial guidance and code snippets to assist in the development of the integration. Please keep in mind that these are third-party resources not endorsed by the State of Indiana and should be used as a reference only. The agency is still responsible for implementing all required controls and/or legal obligations at both the state and federal level.
Also, keep in mind that the steps related to the authentication (Access Indiana) platform in these references (e.g. register your client application with Access Indiana) will be managed by IOT and Tyler Technologies.
- Overview
- Terminology(Glossary of OpenID Terms)
- Authentication (Access Indiana) well-known
- Certified OpenID Connect Implementations (Relying Party)
- Hybrid Authentication
- Hybrid Authentication Error Response
- Token Error Response
- User Info Error Response
- Agency Initiated App sign-out
- Authentication (Access Indiana) Initiated sign-out
Other Resources
The following links to additional resources have proven helpful for agencies:
- JSON Web Token Decoder
- Article on verifying access tokens
- Example walk-through of web-client (reference when a certified library is not available for your coding implementation)
- Authentication (Access Indiana) User Process Flows
- Authentication (Access Indiana) / Salesforce OpenID Connect Setup Solution Documentation
- Authentication (Access Indiana) / Microsoft Dynamics OpenID Connect Setup Solution Documentation