Activate
Only supervisors can activate OIDC for a Formdesk account. For this, one or more OIDC profiles must be created. You do this at the account details (button at the bottom of the forms overview), tab "Access & Security", at the bottom under the heading "OpenId Profiles".
The profiles for Google, Facebook and LinkedIn are already defined by default. Because these are affiliated with a social platform, we call them social logins. These can be activated directly on a Login form. If you want to use this for Formdesk users, you can indicate this within the profile.
For each profile that you create and assign, the login screen will have an extra login button. A profile can be created with the + button.
Redirect URL or Reply URL
With your own (non-social) IdPs, a redirect URL (also called reply URL) will always have to be entered within the IdP's system. For Formdesk this is:
https://www.formdesk.com/api/rest/v1/oidc/return
Example of a redirect URL in Microsoft Azure AD.
Users
Users are persons with access to the Formdesk account. These are visible within the User Management section. Formdesk has two types of users:
Internal users
These are users who log in using their Formdesk username and password (and possibly additional verification).
External users
These are the users who log in via an IdP.
An external user can be created in 4 ways:
1. Within user management
Supervisors can create external users within the User Management section. For this, the external user id must be known.
2. User links his internal user account to an IdP
Supervisors can create internal users within the User Management section. The user can convert this to an external user account himself.
3. Automatically at first login
If someone who does not yet have an external user account successfully logs in to an OIDC profile, an external user account can be created automatically. This can be enabled in the (non-social) OIDC profile, where you can also indicate which general rights this user should be given.
4. Using the REST API:
User accounts can also be created automatically via our REST API, in which case your software communicates directly with Formdesk. This is often done from identity management systems, so that the creation, modification, deactivation or removal of users can be controlled centrally.
Convert existing internal user accounts to external user accounts (migration)
You can enable or force existing (internal) user accounts to convert to an external user account.
After the user logs in, he can convert the internal user account to an external user account. After the conversion, the user can no longer log in with the Formdesk username and password. To do this, the user must have the right to change the personal data.
This can be enforced so that the next time the user logs in, they have to switch their account to an external user account. You do this within user management.
It is also possible to activate this setting for all internal users with a single action by means of a button within the OIDC settings (Account data -> Access & Security). Migrates all internal user accounts to external user accounts.
Another method is to change the internal user account within the user management to an external user account. You must then have the external user id.
A last method is to use our REST API to modify the internal user accounts.
An external user account cannot be converted (back) by the user to an internal user account. A supervisor can do this within user management.
Login
Users log in to the domain of the account: www.formdesk.com/<folderofforms>. The buttons of the OIDC profiles are available here.
It is also possible to log in directly to an OIDC profile by using the following URL: www.formdesk.com/<folderofforms>/oidc/<profilename>*
* In the profile name, spaces must be replaced by a hyphen (-) and accents must be stripped.
Visitors
Formdesk offers you the option to set up your form in such a way that the visitor of a form can view and adjust his / her previous input. To do this, he must log in to the form. We call such a form a Login form.
The login form has two types of visitors:
Internal visitors
These are visitors who log in using a Formdesk username and password (and possibly additional verification).
External visitors
These are visitors who log in to a form via an IdP. In the settings of the login form you can indicate which you want to support for the relevant form.
An external visitor can be created in 3 ways:
1. Automatically at first login
This is the most commonly used method. When opening the form, the visitor registers with (one of) the offered provider(s). If there is no account for this visitor yet, it will be created automatically. A condition is that the settings of the login form indicate that new visitors may be created.
2. Import
You can import visitors and answers to questions of a login form from an Excel file. Check out the manual for more information about this. An imported visitor can then log in to your form with the username and password that you provided or that Formdesk generated. You can invite them to log in via the Group e-mail. The visitor can then convert this account to an OIDC account. The internal visitor then becomes an external visitor.
The condition is that the login form states that the visitor may change his / her personal details.
3. Using the REST API (provisioning):
Another method of creating visitor accounts is automated through our REST API, in which case your software communicates directly with Formdesk. This is often done from identity management systems, so that the creation, modification, deactivation or removal of visitors can be controlled centrally.
Available visitor data (claims)
You can automatically fill in certain questions within the form with data from the visitor. You can also display this information in messages.
If an external visitor logs in to a form, Formdesk receives a number of data from this visitor. With the system code [_fd_ExternalClaim(claim)] you can display this data. Claim represents the variable as passed by the provider. Common claims are:

| Claim | Description | Example |
| --- | --- | --- |
| Name | Full name | John Doe |
| Email | Email address | John.doe@johndoe.com |
| Email verified | Has the email address been verified | True / false |
| Family name | Last name | Doe |
| Given name | First name | John |
| Locale | Country code | US |
| Picture | URL to the profile photo | |

Syntax:
[_fd_ExternalClaim(claim)]
Application examples:
1. As the default value of a question for the e-mail address, you can enter the following to have this field filled in automatically: [_fd_ExternalClaim(email)]
2. You can start a message with Dear [_fd_ExternalClaim(name)], to personalize it.
The above setting ensures that the email address is automatically filled in the relevant field within the form.
In the above message, the salutation mentions the name of the person completing the form as passed on by the IdP.
Because different claims are sometimes used by different IdPs for the same data, you can optionally include multiple claims in a comma-separated list.
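To check in advance which claim list covers all of your IdPs, the following added example (not Formdesk's own code) models the system code locally and reports which codes would be left empty for a given set of claims. It assumes that listed claims are tried from left to right and that empty values are skipped; the claim name preferred_username and both claim sets are constructed for illustration.

```python
import re

# Matches the system code described on this page:
# [_fd_ExternalClaim(claim)] or [_fd_ExternalClaim(claim1,claim2,...)]
SYSTEM_CODE = re.compile(r"\[_fd_ExternalClaim\(([^)\]]*)\)\]")


def resolve_claim(names, claims):
    """Return (claim_name, value) for the first listed claim that has a value.

    Assumption: claims are tried left to right and empty values are skipped;
    the page does not state the order of precedence.
    """
    for name in (n.strip() for n in names.split(",")):
        value = claims.get(name)
        if value not in (None, ""):
            return name, str(value)
    return None, ""


def expand(template, claims):
    """Expand every system code; return (text, list of codes left empty)."""
    unresolved = []

    def substitute(match):
        name, value = resolve_claim(match.group(1), claims)
        if name is None:
            unresolved.append(match.group(0))
        return value

    return SYSTEM_CODE.sub(substitute, template), unresolved


# Constructed claim sets: two IdPs that pass the e-mail address under
# different claim names.
IDP_A = {"name": "John Doe", "email": "John.doe@johndoe.com", "email_verified": True}
IDP_B = {"name": "John Doe", "preferred_username": "John.doe@johndoe.com"}

SINGLE = "Dear [_fd_ExternalClaim(name)], we will write to [_fd_ExternalClaim(email)]."
MULTI = ("Dear [_fd_ExternalClaim(name)], we will write to "
         "[_fd_ExternalClaim(email,preferred_username)].")

if __name__ == "__main__":
    for label, claims in (("IdP A", IDP_A), ("IdP B", IDP_B)):
        for template in (SINGLE, MULTI):
            text, missing = expand(template, claims)
            print(label, "|", text, "| left empty:", missing)
```

Running it shows that the single-claim template leaves the e-mail address blank for the second IdP, while the comma-separated list fills it for both.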
Login
Visitors log in to the URL of the form: http://www.formdesk.com/<folderofforms>/<form>. The buttons of the OIDC profiles are available here.
It is also possible to log in directly to an OIDC profile: http://www.formdesk.com/<folderofforms>/<form>/oidc/<profile>*
* In the profile name, spaces must be replaced by the hyphen (-) and accents must be stripped.
Conditional access
With the option to create multiple OIDC profiles and to specify a condition rule, you can control access for groups of users based on conditions.
Suppose that a Formdesk account can always be created for a certain group of users and that other users are only allowed to do so with explicit permission. Or suppose that it must be possible to indicate per login form which group(s) of visitors are allowed to log in to it.
You can use the condition for this when creating an OIDC profile. You then create multiple profiles with different conditions.
As an example we take a SURFconext connection of a university.
Only employees
Any member of University Example
Every member of the law faculty of University Example
Identity Management (IAM)
Good identity management plays an increasingly important role, particularly in large organizations. They want to be able to determine centrally who can use which products and services. There is a growing desire not to have to create new staff members, implement changes, or deactivate or remove users separately for each product or service. With OIDC, Formdesk supports this in two ways:
REST API:
Users and visitors can be created, modified, deleted or made inactive by the identity management system through our REST API. The following resources are of interest for this:
AddUser / AddVisitor
DeleteUser / DeleteVisitor
UpdateUser / Updatevisitor (Also for making inactive)
Automatically:
It is not necessary to use the REST API to apply IAM. If a user within the identity system is granted access to Formdesk, this user is automatically created as soon as he logs in for the first time. If a user's details have been changed, they will be automatically adjusted in Formdesk the next time they log in. And when someone leaves the organization, access is revoked within the identity system, after which successful authentication in Formdesk is no longer possible.