OAuth Applications and Veracross Overview

As of July 12, 2021, this "Learn Veracross" site has been deprecated. It will remain live through December 2022, but will no longer be updated. All knowledge content has moved to the new Veracross Community. Please update your bookmarks.

Here is the new version of this article in the Veracross Community.

Overview

You can now create OAuth applications for vendors using Veracross. OAuth applications allow for vendors to use Veracross OAuth SSO to enable login to their vendor applications. This can provide a few benefits for Veracross end users:

  • User experience: If all of a school’s vendors are integrated via OAuth SSO, then Veracross users only need to manage one account. (Note: Veracross OAuth SSO will work for all Veracross account types, including MFA, Google Accounts, and school domain accounts). 
  • Security: No user passwords are shared to vendors. Vendors also benefit from Veracross' pre-existing security infrastructure.
  • History: All logins via OAuth SSO are tracked in the Login Log.

To view documentation for setting up your own OAuth application, navigate to one of the links below based on your role:

How It Works

At a high level, Veracross OAuth SSO allows users at a school to log in to vendor websites with their existing Veracross account. OAuth, in short, is a “protocol for passing authorization from one service to another without sharing the actual user credentials” (from this informative Cloudflare introductory post on OAuth). Because of this design pattern in OAuth, this SSO functionality is built on top of OAuth 2.0. 

The key part of OAuth SSO is the authorization request. By combining different elements of the OAuth Application (Scopes, Redirect URI, and the “client id” of the OAuth Application) and passing these elements through the Veracross Login page, Veracross is able to validate authorization requests for specific apps. 
 
The properties included in this URL aren’t secret, and are accessible from the OAuth Application record: 

An example of an OAuth application record. Query these records using the OAuth Applications query on the Identity and Access Management homepage.
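The validation step described above, as an added example that is not Veracross code: the login page looks up the client_id, then requires the redirect_uri and scopes in the request to match what the OAuth Application record registered. Parameter names follow standard OAuth 2.0 (client_id, redirect_uri, scope, response_type); the record, hostnames and scopes are constructed stand-ins.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


# Constructed stand-in for an OAuth Application record (values are made up).
@dataclass(frozen=True)
class OAuthApplication:
    client_id: str
    redirect_uris: frozenset
    scopes: frozenset


REGISTRY = {
    "vendor-lms-0001": OAuthApplication(
        client_id="vendor-lms-0001",
        redirect_uris=frozenset({"https://lms.example-vendor.test/oauth/callback"}),
        scopes=frozenset({"openid", "profile"}),
    )
}


def validate_authorization_request(url: str, registry=REGISTRY):
    """Return (ok, reason) for an incoming authorization URL.

    Only the non-secret parameters are inspected; the client secret is
    never part of this URL, which is why a wrong or loose redirect_uri
    check would matter so much."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        # Reject duplicated parameters instead of silently picking one.
        vals = qs.get(name, [])
        return vals[0] if len(vals) == 1 else None

    app = registry.get(one("client_id"))
    if app is None:
        return False, "unknown client_id"
    if one("response_type") != "code":
        return False, "unsupported response_type"
    # Exact string match against the registered value, not prefix/pattern:
    # the public client_id must not be combinable with an unregistered redirect.
    if one("redirect_uri") not in app.redirect_uris:
        return False, "redirect_uri not registered for this application"
    requested = set((one("scope") or "").split())
    if not requested or not requested <= app.scopes:
        return False, "scope not granted to this application"
    return True, "ok"
```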

Clicking the Authorization URL link brings you to the recognizable Veracross Login page. The OAuth Application name is shown at the top, which helps inform users that they will be redirected to the vendor application after login: 

A Veracross login screen.

Successful login will send the user to the vendor’s website. From this point on, the vendor is responsible for the user experience. This login activity will also be saved to the Login Log for future reference. 

Note: unlike most public OAuth implementations (e.g., “Log In with Facebook”, “Log In with Pinterest”), Veracross users won’t see a separate “approval” screen. This is intentional. For Veracross users, SSO to a vendor website is pre-approved by the setup of the OAuth Application, and no separate approval from end users is necessary.

Supplemental Security Role: OAuth_App_Admin

Veracross has a supplemental security role (OAuth_App_Admin) to enable creating, updating, and deleting OAuth Applications. Users with this security role have full access to OAuth Application records in Axiom. 

Important Note: Unlike most record types, SysAdmin_1 doesn’t have automatic permission to create/update/delete OAuth Application records. OAuth_App_Admin can be combined with SysAdmin_1 to enable access for those users. Users with SysAdmin_1 have read-only access to all parts of OAuth Application records, except the client secret (which is only visible for OAuth_App_Admin users). Other users have no access to this record type. 

OAuth Application Feature                                             OAuth_App_Admin   SysAdmin   Other Users
View OAuth Application records (including Redirect URIs and Scopes)  Yes               Yes        No
Create/Update/Delete OAuth Application records                       Yes               No         No
View OAuth “client secret” field                                     Yes               No         No