How to setup a single sign on configuration using an identity provider.
If you have a group of people who need to access multiple different services by accessing a single online portal or website, then a single sign on solution may be the answer. By following the steps below, hopefully you will be able to establish a single sign on connection with Participate.
Step 1: Choose an Identity Provider
The first thing that we need to set up an SSO configuration is an identity provider. If you already have an identity provider, or any other service that helps manage membership and users' digital identities that can be used to set up SSO, then feel free to skip this step.
An identity provider will allow you to setup identities for your users that can then be used to authenticate them when logging into other applications or services. Participate uses the OpenID Connect protocol for SSO, so you will want to ensure that the identity provider you select supports OpenID Connect. We will use OneLogin as an example as we proceed, but there are many other options including Okta and NoviAMS that will all serve the purpose we need.
Step 2: Import Users
(As above, please skip this step if you already have an identity provider)
Once you have selected an identity provider, you will want to import your users. The easiest method is likely to be importing them via csv file. Most identity providers will have some documentation on how the csv should be formatted, which information needs to be included in which column, etc. You can see an example of how to locate this feature in OneLogin below: 
Step 3: Configure a Generic OIDC App
In the admin view for your identity provider, there should be an option to setup a new application. If you search, you will not find Participate as an option, but you should find an option for a generic OpenID Connect or OIDC app. You will want to use this to set up your SSO configuration with Participate.community. You can see an example of how to find this in OneLogin below: 
Add the login/redirect uri
In your Organization menu on Participate.community you will see an SSO tab. Within this tab, you can add an SSO configuration. Once you add a configuration, you will be presented with a redirect uri that looks similar to this:
https://participate.dev/auth/oidc/unique_identifier/callback
The app configuration in your identity provider will ask for a login uri and a redirect uri. For these fields, you should format the redirect uri provided by removing the "/callback" at the end as follows:
Redirect uri: https://participate.dev/auth/oidc/unique_identifier/callback
Login uri: https://participate.dev/auth/oidc/unique_identifier
Please note that your link will have a real unique identifier that is a string of numbers and letters, the text in the example above is a placeholder.
Once you have added your redirect uri and login uri, you can continue.
Step 4: Provide the OIDC information to Participate.community
In your SSO configuration menu within your Organization, we will need to provide the Participate.community platform some information on your OpenID Connect app that you have setup in your identity provider. We need an Issuer, Client ID, and Client Secret.
The Client ID and Client Secret can generally be found fairly easily within the same menu where you set up the OIDC app. In OneLogin it is under the SSO tab within the OIDC app that you established. All identity providers are a little different though, so you may have to look around the menus a bit, save the configuration first, or provide it with a redirect uri before it will reveal this information to you. You will add these to their respective fields within the SSO configuration menu.
The Issuer can sometimes be a bit trickier to find. Most identity providers will have a default Issuer url listed in the OIDC app configuration menu that you can use. For some providers it may be in documentation regarding how to make requests to the identity provider via OAuth2/SSO, under which there may be a summary of endpoints and how they are formatted. Also, please keep in mind that if you are using a custom domain with your identity provider, the default issuer may not work for you.
Step 5: Select a Community
You will need to specify the community for which this configuration is intended. If you have more than one community you can set up different groups of users in your identity provider to only allow them to login to whichever community you choose.
You will also provide a name and set the status.
If you choose to set the status to displayed, the name will appear to users who view your community login page (see community login link format below), so please name appropriately!
(https://participate.community/communities/your_community_id/login)
The configuration must be set to enabled before it will allow logins via SSO.
Step 6: Assign your users
The final thing you will want to do is ensure that you assign the users that you imported in step 2 to the app that you configured. This will let the identity provider know that these are users who are allowed to login to Participate.community. There may also be an option to display an option for this app on the user's portal if you are using the built in portal from the identity provider, rather than your own website.
All Done!
If you have successfully traded the appropriate information between Participate.community and your identity provider as laid out above, you should now have a functioning SSO configuration. You can test your configuration by using the community login page (see above), if you have set your configuration to "displayed". If your configuration is not set to displayed, you can simply use the login uri you generated from step 3.