Creating OAuth Applications will be necessary to enable Single Sign On (SSO) for vendors working with your school. Creating OAuth Applications is a self-serve workflow, and doesn’t require approval or involvement from Veracross Support.
Some parts of an OAuth Applications need to be provided by a vendor ahead of time, such as:
- Name: This is how the OAuth Application will be displayed in Axiom, the Veracross Login page, and in the Login Log. We recommend using a name tied to the vendor or their product.
- Internal Notes: A brief description for easy reference to the functionality of the application. This field is only visible to administrators in Axiom.
- Contact Email: A technical support email provided by the vendor or creator of the connected application.
- Scopes: “Scopes” define access permissions for an application. SSO is the only available scope at this time. The SSO scope enables Single Sign On, which enables users to log in to vendor websites securely with their Veracross Account.
- Redirect URIs: This is the list of URLs that a user can be redirected to after a successful login via SSO. These URLs need to be provided by vendors and must support OAuth.
To create a new OAuth application, you must have the OAuth_App_Admin supplemental security role, even if you have a SysAdmin security role. You can read more about the OAuth_App_Admin supplemental role in this update.
To create an OAuth Application first navigate to the Identity & Access Management homepage. Run the “Find OAuth Application” query in the “Configuration” section. From that query, open the Organize menu and click “Add Record…”
Once the application is set up, an OAuth App Admin user will need to send certain information to the vendor, so that the vendor can complete the setup process:
- The OAuth app client ID
- The OAuth app client secret
- The list of scopes attached to the OAuth app
Optionally, an OAuth App Admin user can also send the “Authorization URL” connected to any of the redirect URLs. These are the pre-built links that the vendor will need to send their users through the OAuth SSO login flow. However, vendors familiar with OAuth authorization should be able to construct these URLs themselves. These links are provided in Axiom for your convenience.