This user guide helps you understand and configure the different authentication methods you can use with Countly.
Countly offers two types of authentication services, OpenID Connect and Single Sign-On. You can configure them into your application according to your needs.
OpenID Connect
The OpenID Connect feature is available only in Countly Enterprise.
OpenID Connect (abbreviated as OIDC) is a simple identification process that allows clients to verify the identity of the end user based on the authentication performed by our server, as well as to obtain basic profile information about the end user.
Benefits of OpenID Connect
OpenID Connect allows clients using web, desktop, and mobile devices to request and receive information about authenticated sessions and end users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data. It is also API-friendly and usable by any mobile or web application.
OpenID Connect has optional mechanisms for robust signing and encryption. All of these features are integrated into the protocol itself.
Getting Started
To use the OpenID Connect feature, you have to configure it following the steps below:
- In your OIDC package, rename plugins/oidc/config.sample.js to plugins/oidc/config.js.
- Modify the configuration, providing the OpenID issuer's host for well-known endpoints, the callback, and the client ID.
- Modify the configuration to set the default Countly permissions for new users.
- Enable the OIDC feature and restart the Countly process.
To enable OIDC, use the command below:
countly plugins enable oidc
countly restart
For reference, this is an example snippet of the configuration option:
const config = {
    // Issuer host with published .well-known endpoints
    auth_url: "https://accounts.google.com",
    // Issuer callback endpoint
    auth_callback: "https://oauth2.googleapis.com/token",
    // Issuer provided client ID
    client_id: "somevalue.apps.googleusercontent.com",
    // should user become global admin on account creation
    global_admin: true,
    // list of apps the user should have admin access to on account creation
    admin_of: [],
    // list of apps the user should have read access to on account creation
    user_of: []
};
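A pre-deployment check for the values in the snippet above, as an added example that is not part of Countly or its OIDC plugin: the function name lintOidcConfig and its rules are assumptions, and only the key names come from the sample configuration. It flags non-HTTPS issuer URLs, a leftover placeholder client ID, and global_admin: true, which makes every account created through OIDC a global admin.

```javascript
// Added example: lint the values destined for plugins/oidc/config.js.
// lintOidcConfig and its rules are hypothetical; only the keys come from the page.
function lintOidcConfig(config) {
    const findings = [];
    // Both issuer URLs carry authentication traffic and must be absolute https URLs.
    for (const key of ["auth_url", "auth_callback"]) {
        let url = null;
        try { url = new URL(config[key]); } catch (e) { /* not an absolute URL */ }
        if (!url) findings.push(`${key}: missing or not an absolute URL`);
        else if (url.protocol !== "https:") findings.push(`${key}: must use https`);
    }
    // The sample's client ID starts with "somevalue"; it must be replaced.
    if (typeof config.client_id !== "string" || config.client_id.trim() === "" ||
        config.client_id.startsWith("somevalue")) {
        findings.push("client_id: empty or still the sample placeholder");
    }
    // Every account created through OIDC inherits these defaults.
    if (config.global_admin === true) {
        findings.push("global_admin: every new OIDC user becomes a global admin");
    }
    for (const key of ["admin_of", "user_of"]) {
        if (!Array.isArray(config[key])) findings.push(`${key}: must be an array`);
    }
    return findings;
}

// Constructed inputs: the page's sample values, and a tightened variant.
const sampleFromPage = {
    auth_url: "https://accounts.google.com",
    auth_callback: "https://oauth2.googleapis.com/token",
    client_id: "somevalue.apps.googleusercontent.com",
    global_admin: true,
    admin_of: [],
    user_of: []
};
const tightened = {
    ...sampleFromPage,
    client_id: "example-client-id.apps.googleusercontent.com", // constructed value
    global_admin: false
};

console.log(lintOidcConfig(sampleFromPage)); // two findings
console.log(lintOidcConfig(tightened));      // no findings
```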
Single Sign-On
The Single Sign-On feature is available only in Countly Enterprise.
This feature is not used in current versions.
Benefits of Single Sign-On
This feature lets you authenticate users of your product into Countly without going through a login form, reducing the extra cost of developing an authentication process.
Getting Started
To use this feature, you will first need to create a Countly user corresponding to each of your product users.
First, go to Management > User Management, and click on Create User. The following page will appear.
- Enter the basic information of the user that you are creating.
- Optionally, upload a profile picture of the user.
- Optionally, assign the user to a user group.
- Determine the role of the new user. Note that this option will only be available if your own user has admin rights.
- Select the application to which the user has admin access.
- Select the application that you want the user to have access to.
Secondly, send your user to http://yourcountly.com/sso/login?user=username&api_key={your-api-key} to land the user directly on Countly. To do so, consider that:
- user: Countly username or email
- api_key: Countly API key for the user
All the possible parameters that can be used in your SSO request are:
- user: username or email address of the Countly user.
- api_key: Countly API key for the user.
- redirect: URL to redirect to the required page after the SSO.
- ignore: if true, the user will be redirected to the redirect URL even if there was an error.
To log the user out after they log out from your product, use http://yourcountly.com/sso/logout with the optional URL parameter redirect to set where the user will be sent after logout.