Users and applications can both use SSO to access Autoform DM. However, the SSO flow for a user differs from the flow that an application follows.
User Access to Autoform DM
User access to Autoform DM is achieved through standard SSO protocols, including OpenID Connect (OIDC). These flows involve Keycloak as an identity broker and an IdP to manage authorization and user identities.
When the IdP returns information about a user to Keycloak, a Keycloak account is created for that user. The user’s IdP groups and roles can be mapped to Keycloak groups and roles, which results in the user gaining the appropriate roles and access in the Autoform DM application.
The following diagram is a summary view of the SSO flow when a user accesses Autoform DM through a web browser. This diagram shows how Keycloak is involved in this process.
External Client Application and Service Access to Autoform DM
External applications and services (such as third-party software) use client IDs and known secrets to authenticate with Keycloak. They then use the token that Keycloak returns to them to authorize their use of Autoform DM services (such as the Autoform DM REST API).
Important
External applications and services (such as Lasernet, other Formpipe applications, and third-party applications) that integrate with Autoform DM must use this “client credentials” flow. If these systems previously used credentials to log in or used API keys, they must be modified to use this flow instead.
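The client credentials flow described above, sketched from the calling application's side as an added example (not Formpipe's own code): it builds the token request for Keycloak, then caches the returned token and refreshes it shortly before expiry so each REST API call carries a valid `Authorization: Bearer` header. The host, realm name and the `TokenCache` helper are assumptions for illustration, and the `/realms/...` path is the form used by current Keycloak releases (older deployments prefix it with `/auth`).

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders: the page does not give a Keycloak host or realm name.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "example-realm"


def build_token_request(client_id, client_secret, base=KEYCLOAK_BASE, realm=REALM):
    """Build the client-credentials POST for Keycloak's OIDC token endpoint."""
    realm_path = urllib.parse.quote(realm, safe="")
    url = f"{base}/realms/{realm_path}/protocol/openid-connect/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never in the URL
    }
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")


def fetch_token(client_id, client_secret):
    """Send the request and return Keycloak's JSON token response as a dict."""
    req = build_token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: reuse one access token until shortly before it expires."""

    def __init__(self, fetch, skew=30, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Return the Authorization header to attach to each REST API call."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._fetch()
            if str(resp.get("token_type", "")).lower() != "bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response from Keycloak")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + int(resp.get("expires_in", 0))
        return {"Authorization": f"Bearer {self._token}"}
```

In an integration, pass `fetch` as a callable that invokes `fetch_token` with the client ID and secret read from the environment or a secret store rather than from source code.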
The following diagram depicts the SSO flow for an external, third-party application or service: