OpenID Connect is built on top of the OAuth 2.0 specification. You can use an OpenID Connect provider to set up single sign-on (SSO) and multi-factor authentication (MFA) for authorization and authentication of users through external providers such as Gmail and Okta.
Prerequisites
Configure an OpenID Connect provider and add its callback URL to your browser’s allowlist.
Example URL: https://instance-url.com/s/open_id/login_check
Enabling OpenID Connect
Log in to Campaign Studio.
Click the Settings icon in the top-right corner.
Click Configuration > User/Authentication Settings.
Locate the OpenID Connect Settings section.
Set the Enable toggle bar to Yes to enable users to log in to Campaign Studio with their OpenID Connect provider account.
Campaign Studio displays other configuration fields.
Configure the following optional fields based on your requirements:
Set the Require users to authenticate with OpenID Connect toggle bar to Yes to require users to authenticate through OpenID Connect and prevent them from logging in through other methods.
Set the Allow new user registration toggle bar to Yes to enable Campaign Studio to automatically create an account for the user in the instance when they log in with their OpenID Connect provider account, provided the OpenID Connect provider account is not attached to a Campaign Studio user.
In Role for new users, select the default role to assign permissions to new users who register to Campaign Studio with their OpenID Connect provider account.
You can view and select the default role only if you have already created it through the Roles page. If you do not select the default role, Campaign Studio assigns the default Administrator role to all new users.
Configure the following required fields:
In Client URL, enter the URL of your OpenID Connect provider.
In Client ID, enter the App ID of your OpenID Connect provider.
In Client Secret, enter the App secret of your OpenID Connect provider.
In the Identifier field, keep the default value sub, which is a unique ID set by the OpenID Connect provider.
Caution
Do not change the default value of this field, because this field links each user's OpenID Connect provider account to their Campaign Studio account. If you change this value, Campaign Studio deletes the existing links between the two accounts for all users.
The following are the possible scenarios if you choose to change the default value:
If you change this value correctly, users can log in with their OpenID Connect provider account, provided the Require users to authenticate with OpenID Connect toggle bar is set to Yes. However, they must relink their accounts.
If you change this value incorrectly, users cannot log in to Campaign Studio. In that case, you must create a Support ticket, and all users must relink their Campaign Studio account through OpenID Connect.
Click Save.
Login scenarios
When you enable OpenID Connect, the Campaign Studio login page starts displaying the Sign In with OpenID Connect button. The login process differs based on the options that you configure.
The following table lists some of the common login scenarios:
Require users to authenticate with OpenID Connect | Allow new user registration | Campaign Studio user account | Linking between Campaign Studio and OpenID Connect provider accounts | Login process |
---|---|---|---|---|
No | No | Yes | Unlinked | Log in with Campaign Studio credentials. |
No | No | Yes | Linked | Do any of the following: |
Yes | No | Yes | Unlinked | Do the following: |
Yes | No | Yes | Linked | Click Sign in with OpenID Connect: |
No | No | No | No | Do the following: |
No | Yes | No | No | Do the following: |
Unlinking existing user accounts
Sometimes the Campaign Studio account of a user gets linked to the wrong OpenID Connect provider account. In that case, you must unlink the Campaign Studio account from the OpenID Connect provider account.
Log in to Campaign Studio as an administrator or a user with permissions to access the Edit User page of other users.
Click the Settings icon in the top-right corner.
Click Users.
Select the user account that you want to unlink.
Campaign Studio displays the Edit User page.
Locate Open ID identifier and delete the unique identifier value for the user.
Click Save & Close.
Campaign Studio unlinks the user account.
Important
Unlinking a user account does not automatically log the user out from the instance if the user is already logged in. To deny a user’s access to Campaign Studio, you must unpublish or delete the Campaign Studio account of the user.
If the Allow new user registration toggle bar is set to Yes, Acquia recommends that you disable the user in your OpenID Connect provider to prevent them from creating a new Campaign Studio account and regaining access.