Authentication flows

Last Updated: Jun 10, 2026

Request flow

When SSO is enabled on Avaya Aura® Device Services, the following occurs:

  1. The client’s authentication request is forwarded to the embedded Keycloak service.

  2. Keycloak forwards this request to the third-party identity provider, which prompts the Avaya Workplace Client user to log in.

The following diagram illustrates this flow:

Request flow from Avaya Aura Device Services to Keycloak to third-party identity provider

The third-party identity provider authenticates the Avaya Workplace Client user's login credentials and notifies Keycloak whether the login was successful. Avaya Aura® Device Services receives only an authentication token and returns it to the client.

Response flow

The third-party identity provider passes information about the authenticated user to Keycloak using a SAML assertion or the ID or access token. The exact method depends on how Keycloak is integrated with the identity provider.

The following diagram illustrates a response flow:

The SAML assertion or the ID token contains user authentication information, such as the first name, last name or email address. The identity provider determines which information the SAML assertion or token contains. In most cases, the identity provider takes this information from an enterprise directory source.
Note:
The SAML assertion or the ID token can contain custom attributes, such as memberOf, which contains the LDAP group name that Avaya Aura® Device Services associates with the user role. For information about configuring a third-party identity provider to include custom attributes in SAML assertions or ID tokens, see the documentation for the specific identity provider.
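
To confirm that the identity provider actually sends these attributes, an administrator can decode an ID token's payload and check for them. The following is an added example, not Avaya or Keycloak code; it assumes an OIDC integration that uses the standard claim names given_name, family_name and email, and the sample tokens, user and group name are constructed.

```python
import base64
import json

# given_name/family_name/email are standard OIDC claim names (assumed here);
# memberOf is the custom attribute named on this page.
EXPECTED_CLAIMS = ("given_name", "family_name", "email", "memberOf")


def decode_claims(id_token):
    """Return the payload of a compact JWT. The signature is NOT verified:
    use this to inspect what the IdP sent, never to make access decisions."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_claims(claims):
    """List expected claims that are absent or empty; return memberOf as a list."""
    missing = [c for c in EXPECTED_CLAIMS if claims.get(c) in (None, "", [])]
    groups = claims.get("memberOf") or []
    if isinstance(groups, str):  # a single group may arrive as a plain string
        groups = [groups]
    return {"missing": missing, "groups": list(groups)}


def make_sample_token(claims):
    """Build a constructed token with a placeholder signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed sample data: user and group names are placeholders.
USER = {"given_name": "Ana", "family_name": "Ruiz", "email": "ana@example.com"}
GOOD = make_sample_token({**USER, "memberOf": "example-aads-users"})
BAD = make_sample_token(USER)  # IdP not configured to send memberOf

if __name__ == "__main__":
    for name, token in (("good", GOOD), ("bad", BAD)):
        print(name, check_claims(decode_claims(token)))
```

A token that lists memberOf under "missing" indicates that the identity provider is not sending the custom attribute.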