Spam Experts Help

Configure OAuth/OpenID Connect Settings

We support OAuth 2/OpenID Connect as a Single Sign On (SSO) authentication method for Admin and Email Level users accessing Spam Experts. This means that you can authenticate with an alternative set of credentials when accessing the system, e.g. Office 365 or Google OAuth 2.0. For specific details, see Configure SSO/OAuth with Office 365 and Configure SSO/OAuth with Google.

With OAuth set up, the web-based login to the Control Panel remains available. If two-factor authentication (2FA) is active, the 2FA step is still required when using the Spam Experts login link. Admins are able to (re)set their password to access the Control Panel - this will not affect the OAuth setup.

In order to be able to connect with OAuth, the following tasks must be carried out:

  1. In the OAuth Provider app, add the Spam Experts login URL.
  2. The provider generates:
    • a Client ID and Secret
    • Authentication/User/Token endpoints
  3. In Spam Experts:
    1. In the Branding Management page, add a custom hostname to the Hostname field - this will be used to generate the OAuth login link.
    2. To ensure OAuth is enabled for Email Level users, tick Enable in the SSO/OAuth login for email users panel and enter the button label.
    3. In the OAuth Settings page, enter the details generated by the provider in step 1 (above). See Configure OAuth Settings in Spam Experts below.
  4. Any end-user who wants to access Spam Experts using authentication via the OAuth provider must create an account with the provider.

Configure OAuth Settings in Spam Experts

Using the information provided by the chosen authentication provider, configure the necessary OAuth settings in Spam Experts:

  1. In the Admin Level Control Panel, select Users & Permissions > OAuth Settings.
  2. The Private brand login / OAuth page is displayed.
  3. To enable OAuth login, activate the OAuth login toggle button at the top of the page.
  4. The Login link is the URL generated by the system for the OAuth login. The URL should contain the customer's domain.

  5. Your service provider should be able to provide the following information to enter in either tab:
    • Provider URL
    • Client ID - Generated by the provider after registering Spam Experts details with the provider.
    • Client Secret - Generated by the provider after registering Spam Experts details with the provider.
    • Token Endpoint - Generated by the provider after registering Spam Experts details with the provider.
    • Authorization Endpoint - Generated by the provider after registering Spam Experts details with the provider.
    • User info endpoint - Generated by the provider after registering Spam Experts details with the provider.
    • Jwks Uri - URL for the OAuth Client's JWK Set (JWKS) document. If the OAuth Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the OAuth Client.
    • Change password URL (optional) - URL where SSO users can change their passwords. It can contain an optional "redirect_to" token which will be replaced with the actual link to redirect the user after a successful password change.
    • Logout URL (optional) - URL where SSO users will be redirected upon logging out. It will get the following parameters: "post_logout_redirect_uri" and "id_token_hint".
    • Use Nonce validation - Select Yes
    • Login button text e.g. 'Login with {{ brand_name}}'
    • User identification method:
      • Subject - External ID: Will match the OAuth subject with the local "External ID" field - use this when the local username and the remote directory system are not the same, and email is not a suitable choice e.g. telephone number.
      • Subject - Username: Will match the OAuth "subject" with the local username - use this when the local username and the one in the remote directory system are identical.
      • Verified email: Will match the OAuth email address with the local email address (this is the most common option).
    • Invitation flow (optional)
      • Invitation URL - the URL to use to sign up if the user has no account
      • Redeem invitation URL - the link to use in the sign-up email
  6. Click Save settings.
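
A pre-flight check for the values entered in step 5, as an added example (not Spam Experts code): OpenID Connect providers commonly publish their endpoints in a discovery document at <issuer>/.well-known/openid-configuration, and this Python script maps such a document onto the form fields and flags values to check before saving. The field-to-key mapping (including Provider URL = issuer), the idp.example.com URLs and the function name are assumptions; the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's discovery document, as published at
# <issuer>/.well-known/openid-configuration (idp.example.com is a placeholder).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "userinfo_endpoint": "http://idp.example.com/oauth2/userinfo",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "end_session_endpoint": "https://idp.example.com/oauth2/logout",
  "claims_supported": ["sub", "email", "name"]
}""")

# Assumed mapping: OAuth Settings field label -> discovery metadata key.
FIELD_MAP = {
    "Provider URL": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User info endpoint": "userinfo_endpoint",
    "Jwks Uri": "jwks_uri",
    "Logout URL": "end_session_endpoint",  # optional field in the form
}

def settings_from_discovery(doc, identification="Verified email"):
    """Return (settings, problems) for the values to enter in the form."""
    settings, problems = {}, []
    for label, key in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            if label != "Logout URL":
                problems.append(f"{label}: metadata has no '{key}'")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{label}: not an https URL")
        settings[label] = value
    # Matching users on email is only safe if the provider asserts verification.
    claims = doc.get("claims_supported")
    if identification == "Verified email" and claims is not None:
        for claim in ("email", "email_verified"):
            if claim not in claims:
                problems.append(f"Verified email: provider does not list '{claim}'")
    return settings, problems

if __name__ == "__main__":
    settings, problems = settings_from_discovery(SAMPLE_DISCOVERY)
    print(json.dumps({"settings": settings, "check": problems}, indent=2))
```

The constructed sample deliberately contains a plain-http User info endpoint and omits the email_verified claim, so both checks fire; the Client ID and Client Secret still come from the provider's app registration.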

Configure SSO/OAuth with Office 365

Configure SSO/OAuth with Google

For any other providers, please refer to the relevant provider's website.