Note that it is strongly advisable to ensure that the base URL "/", "/status" and "/metadata" endpoints are not publicly exposed. It is also important that your network settings allow connections to the https://api.mpin.io/.well-known/openid-configuration endpoint, as this is where the program fetches the platform configuration. It also needs outgoing access to https://api.mpin.io/authorize, https://api.mpin.io/oidc/certs and https://api.mpin.io/oidc/token.
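The two deployment requirements in the note above (the internal-only endpoints must not answer to public clients, and the IdP host must reach the four MIRACL Trust URLs) can be verified with a small probe script. The following is an added example, not part of the IdP server or its documentation; it only uses the Python standard library. The base URL `https://idp.example.com` is a placeholder, and the `fetch` parameter exists so the HTTP call can be replaced with a stub when the script itself is being tested offline.

```python
"""Deployment check for the IdP server endpoints described in the note above.

Run the public-exposure audit from a host OUTSIDE the trusted network, so
the answer reflects what an internet client actually sees, and run the
outbound audit on the IdP host itself. Added example, not project code.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoints the documentation says must NOT be reachable from the public
# internet. Every other entry in the endpoint table is meant to be public.
INTERNAL_ONLY_PATHS = ("/", "/status", "/metadata")

# Outbound URLs the IdP process must be able to reach (taken from the note).
REQUIRED_OUTBOUND_URLS = (
    "https://api.mpin.io/.well-known/openid-configuration",
    "https://api.mpin.io/authorize",
    "https://api.mpin.io/oidc/certs",
    "https://api.mpin.io/oidc/token",
)

# A fetcher maps a URL to the HTTP status it produced, or 0 for "no HTTP
# answer at all" (DNS failure, connection refused, timeout, TLS failure).
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET the URL and return the final status code (redirects are followed),
    or 0 when the request never produced an HTTP answer."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 4xx/5xx still proves the endpoint is reachable
    except (urllib.error.URLError, ssl.SSLError, OSError, ValueError):
        return 0


def audit_public_exposure(base_url: str, fetch: Fetcher = http_status
                          ) -> Dict[str, Tuple[int, bool]]:
    """Probe the internal-only paths through base_url as a public client would.

    Returns {path: (status, exposed)}. A path counts as exposed when the
    public vantage point gets a successful or redirecting answer (2xx/3xx).
    A 401/403/404 from a reverse proxy, or no HTTP answer, means it is blocked.
    """
    results: Dict[str, Tuple[int, bool]] = {}
    for path in INTERNAL_ONLY_PATHS:
        status = fetch(base_url.rstrip("/") + path)
        results[path] = (status, 200 <= status < 400)
    return results


def audit_outbound_reachability(fetch: Fetcher = http_status) -> Dict[str, bool]:
    """Check that each MIRACL Trust URL answers at all from this host.

    Any HTTP status counts as reachable: /authorize called without OIDC
    parameters is expected to be rejected with a 4xx, which still shows that
    the network path is open. Only status 0 (no answer) is a failure.
    """
    return {url: fetch(url) != 0 for url in REQUIRED_OUTBOUND_URLS}


def summarize(base_url: str, fetch: Fetcher = http_status) -> List[str]:
    """Combine both audits into a list of human-readable findings (empty = OK)."""
    findings: List[str] = []
    for path, (status, exposed) in audit_public_exposure(base_url, fetch).items():
        if exposed:
            findings.append(f"EXPOSED {path} (HTTP {status}): restrict it at the "
                            f"reverse proxy or firewall")
    for url, reachable in audit_outbound_reachability(fetch).items():
        if not reachable:
            findings.append(f"UNREACHABLE {url}: allow outbound HTTPS from the IdP host")
    return findings


if __name__ == "__main__":
    # Placeholder base URL; pass the real one as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://idp.example.com"
    for line in summarize(base) or ["OK: no findings"]:
        print(line)
```

A 404 from the proxy is reported as blocked on purpose: the script judges what a public client can obtain, not whether the application behind the proxy is running, so run it again from inside the trusted network if you also want to confirm that "/status" works for your monitoring.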
When the IdP server is running, a RESTful HTTP JSON API server listens at the following endpoints:
| ENTRY POINT | METHOD | DESCRIPTION |
|---|---|---|
| / | GET | Returns a list of available endpoints as JSON |
| /status | GET | Performs a health check and returns the server status as JSON |
| /metadata | GET | Serves the SSO IdP SAML metadata. Can be used to download the metadata file for upload to SPs |
| /sso | GET, POST | SAML endpoint used by SPs to initiate the authentication flow |
| /auth/oidc/miracl | GET | Processes the callback from the OIDC provider (the endpoint is dynamic, see here) |
| /login/:id | GET | IdP-initiated login for a particular SP, identified by :id (for example /login/aws or /login/dropbox) |
| /login/:id/*relaystate | GET | IdP-initiated login for a particular SP with a RelayState |
| /logout | GET | Terminates the user's SSO session |
| /services | GET | Serves the list of Service Providers the current user is authorized to access |
# Flow Diagrams
The following diagrams illustrate the communication between:

- The MIRACL Trust SSO IdP server
- The Service Provider(s)
- The MIRACL Trust SSO authentication platform