Setup SSO with Rofim as the IdP
This page describes how to configure Single Sign-On (SSO) in the scenario where **Rofim acts as the Identity Provider** (IdP) and a partner application connects to Rofim as a relying party (RP).
This setup allows users from the partner’s system to access Rofim services using their existing accounts, without managing separate credentials.
Glossary
| Term | Description |
|---|---|
| IdP | Identity Provider that authenticates and manages digital identities (here: Rofim) |
| SSO | Single Sign-On, a mechanism allowing users to access multiple systems using a single identity |
| OpenID Connect | Authentication protocol built on top of OAuth 2.0 |
| Relying Party (RP) | The partner application relying on Rofim for user authentication. |
| Claim | Key-value pair containing user attributes (e.g. name, email, etc.) |
Technical prerequisites
Rofim exposes an OpenID Connect Provider (OP) endpoint accessible from the partner system.
The partner must have an OIDC-compliant client configured (web app, backend service, or mobile app).
The partner must provide at least one Redirect URI that will be used for authentication callbacks.
Both systems must use HTTPS and secure token exchange mechanisms.
Security considerations
The partner delegates authentication to Rofim. Rofim is responsible for securely managing user identities and access.
Both sides must ensure compliance with local security and privacy standards (e.g. HDS, GDPR).
Two-factor authentication (2FA) is enforced by Rofim.
Token lifetime and scopes are managed by Rofim and should be aligned with the partner’s session policy.
SSO Setup
Principles
In this configuration:
- Rofim acts as the OpenID Connect Provider (OP).
- The partner acts as the Client (Relying Party, RP).
- The authentication flow follows the standard OIDC Authorization Code Flow:
  - The partner redirects the user to Rofim for authentication.
  - The user authenticates with Rofim (login).
  - Rofim issues an ID Token and optionally an Access Token.
  - The tokens are sent to the partner via the configured Redirect URI.
  - The partner verifies and consumes the tokens to establish the session.
Configuration data provided by Rofim
Rofim will provide the following information to the partner so that the partner can set up SSO against the Rofim OP:
| Data | Value |
|---|---|
| Discovery URL | OIDC well-known configuration endpoint. |
| ClientID | Client ID configured on the Rofim IdP |
| Secret (via secure link) | Secret associated with the client (must be transmitted securely) |
Scopes
By default, Rofim provides the following scopes to the client. No other scope can be requested by the client.
| Scope | Description |
|---|---|
| openid | Mandatory for OIDC authentication |
| email | Used for user identification and matching |
| partner_profil | Includes user attributes such as name, surname, RPPS, etc. |
Claims
The following claims may be provided by Rofim to the partner.
These claims are included in the ID Token or can be retrieved via the Userinfo endpoint.
| Claim | Scope | Description |
|---|---|---|
| email | email | Primary email address (used for user reconciliation) |
| sub | openid | Unique ID of the user on Rofim |
| family_name | partner_profil | example: Dupond |
| given_name | partner_profil | example: Marc |
| formatted_name | partner_profil | example: Dr. Marc Dupond |
| title | partner_profil | example: Dr. |
| initials | partner_profil | example: MD |
| specialty | partner_profil | Speciality of the user, can be absent or empty |
| account_type | partner_profil | Type of account |
| country | partner_profil | Country of the user |
| city | partner_profil | City of the user |
| RPPS | partner_profil | RPPS of the user, if the user has one. |
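As an added example (not Rofim's or any partner's code), the following Python sketches the relying-party side of the Authorization Code Flow from the Principles section and the claim handling from the table above: it builds the redirect to Rofim with only the three scopes Rofim offers, checks the ID Token claims (issuer, audience, expiry, nonce) once the signature has been verified against the discovered JWKS, and maps the claims to a partner user record, treating `specialty` and `RPPS` as optional. The issuer, client ID and redirect URI are placeholder assumptions standing in for the values Rofim and the partner exchange.

```python
# Added example, not Rofim's code. ISSUER/CLIENT_ID/REDIRECT_URI are assumed
# placeholders for the Discovery URL, ClientID and Redirect URI exchanged during setup.
import base64, hashlib, secrets, time
from urllib.parse import urlencode

ISSUER = "https://idp.rofim.example"                    # assumed; taken from the Discovery URL
CLIENT_ID = "partner-client-id"                          # assumed; the ClientID Rofim provides
REDIRECT_URI = "https://partner.example/oidc/callback"  # assumed; the partner's registered URI
ALLOWED_SCOPES = {"openid", "email", "partner_profil"}  # the only scopes Rofim issues

def build_authorization_request(scopes=("openid", "email", "partner_profil")):
    """Build the redirect to Rofim; return the URL and the values to keep in the session."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:  # Rofim accepts no scope outside its default set, so fail early
        raise ValueError(f"scope(s) not offered by Rofim: {sorted(unknown)}")
    state, nonce, verifier = (secrets.token_urlsafe(32) for _ in range(3))
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()  # PKCE S256
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
              "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{ISSUER}/authorize?{urlencode(params)}", {"state": state, "nonce": nonce, "verifier": verifier}

def validate_id_token_claims(claims, expected_nonce, now=None):
    """Check iss/aud/exp/nonce of an ID Token whose signature was already verified via the JWKS."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER: raise ValueError("ID Token not issued by Rofim")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]): raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now: raise ValueError("ID Token expired")
    if claims.get("nonce") != expected_nonce: raise ValueError("nonce mismatch: possible replay")
    return True

def profile_from_claims(claims):
    """Map Rofim's claims to a partner record; sub is the stable key, email is used for matching."""
    profile = {"rofim_id": claims["sub"], "email": claims["email"]}
    for name in ("family_name", "given_name", "formatted_name", "title", "initials",
                 "account_type", "country", "city"):
        profile[name] = claims.get(name)
    profile["specialty"] = claims.get("specialty") or None  # may be absent or empty
    profile["rpps"] = claims.get("RPPS")                    # present only if the user has one
    return profile

# Constructed sample ID Token payload (not a real Rofim token), as seen after signature checks.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 2_000_000_000, "nonce": "n-123",
                 "sub": "rofim-user-42", "email": "marc.dupond@example.org", "title": "Dr.",
                 "family_name": "Dupond", "given_name": "Marc", "specialty": ""}
```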
Configuration data provided by the Partner
| Data | Value |
|---|---|
| Redirect URL(s) | The URI(s) to which Rofim will redirect after successful login |