Fellow

This feature is currently only available by request only on our Enterprise plans. ​ If you unable to use Google or Microsoft for authentication and require the use of a custom OpenID Connect identity provider for compliance purposes, contact us. ​ ​Note: Users will still need to connect their Google or Microsoft calendar after sign-in through SSO.

1. From a workspace administrator account, navigate to the <a href="https://fellow.app/account/integrations/" rel="nofollow noopener noreferrer" target="_blank">Account Integrations section in Workspace Settings</a>, and select the Single Sign On card.
 
 
 
2. Select OpenID, and hit Next
 
 
3. You will then see this form. Copy the Redirect URL. (Keep this form open, it will be filled in the next step)

Set up your Identity Provider (IdP) to add a new OpenID Connect application.

Follow the steps provided to you by your Identity Provider or Federated Login solution in order to set up the new application connection. 

You may require some or all of the following information:

- Redirect URL: use the Redirect URL you copied above
- ​Scopes Requested: <code>openid</code>, <code>email</code>, <code>profile</code>
- Response Type: <code>code</code>
- Response Mode: <code>query</code>
- Grant Type:​
- Required Claims: <code>sub</code>, <code>email</code>, <code>family_name</code>, <code>given_name</code>, <code>name</code>
 - The <code>sub</code> claim is a standard claim that comes from the <code>openid</code> scope. It contains a string that uniquely identifies the user. See the <a href="https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow noopener noreferrer" target="_blank">list of standard claims</a> as per the OpenID spec.
 - The <code>email</code> claim is used in order to ensure that the user is being logged into the correct account. If the incorrect email is provided, or if the claim does not match the email of a provisioned user in Fellow, the login may fail.
- Optional Claims: <code>picture</code>, <code>zoneinfo</code>

Once you have generated the required application, obtain the "well known" Discovery URL which contains the required OpenID configuration information. Usually this is in the form of <code>https://mycompany.myIDP.com/.well-known/openid-configuration</code>. ​ You will also need to generate a Client ID and Client Secret. Keep those for the next step.

1. Enter the Discovery URL, Client ID, and Secret obtained from your IdP. You can also customize the text in the login button that will appear via the "Custom Provider Name" field. ​ When you are done, hit Save.
 
 
2. If the information was entered correctly, a new window will pop up asking you to log in via your IdP. This serves as a test. If you are able to log in, the integration will be enabled. 
 ​
3. Once you have successfully tested the integration, try signing out of your account, and signing in using the new sign-in button that appears for your subdomain.
 
 ​
4. If you are successfully able to log into your own admin account, you may now go back to the SSO Configuration page and enable the checkbox to "Require authentication exclusively through Custom OIDC".
 If exclusive auth is enabled, only the OIDC button will show on the login screen, and all users must log in using that method. ​
 
 ​

1. Enable the OIDC integration in Fellow. 
 1. From a workspace administrator account, navigate to the <a href="https://fellow.app/account/integrations/" rel="nofollow noopener noreferrer" target="_blank">Account Integrations section in Workspace Settings</a>, and select the Single Sign On card.
 
 
 
 2. Select OpenID, and hit Next
 
 
 3. You will then see this form. Copy the Redirect URL. (Keep this form open, it will be filled in the next step)
 
 
 
2. Set up your Identity Provider (IdP) to add a new OpenID Connect application.
 Follow the steps provided to you by your Identity Provider or Federated Login solution in order to set up the new application connection. 
 
 You may require some or all of the following information:
 - Redirect URL: use the Redirect URL you copied above
 - ​Scopes Requested: <code>openid</code>, <code>email</code>, <code>profile</code>
 - Response Type: <code>code</code>
 - Response Mode: <code>query</code>
 - Grant Type:​
 - Required Claims: <code>sub</code>, <code>email</code>, <code>family_name</code>, <code>given_name</code>, <code>name</code>
 - The <code>sub</code> claim is a standard claim that comes from the <code>openid</code> scope. It contains a string that uniquely identifies the user. See the <a href="https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow noopener noreferrer" target="_blank">list of standard claims</a> as per the OpenID spec.
 - The <code>email</code> claim is used in order to ensure that the user is being logged into the correct account. If the incorrect email is provided, or if the claim does not match the email of a provisioned user in Fellow, the login may fail.
 - Optional Claims: <code>picture</code>, <code>zoneinfo</code> 
 Once you have generated the required application, obtain the "well known" Discovery URL which contains the required OpenID configuration information. Usually this is in the form of <code>https://mycompany.myIDP.com/.well-known/openid-configuration</code>. ​ You will also need to generate a Client ID and Client Secret. Keep those for the next step.
 ​
3. Entering the information and testing. 
 1. Enter the Discovery URL, Client ID, and Secret obtained from your IdP. You can also customize the text in the login button that will appear via the "Custom Provider Name" field. ​ When you are done, hit Save.
 
 
 2. If the information was entered correctly, a new window will pop up asking you to log in via your IdP. This serves as a test. If you are able to log in, the integration will be enabled. 
 ​
 3. Once you have successfully tested the integration, try signing out of your account, and signing in using the new sign-in button that appears for your subdomain.
 
 ​
 4. If you are successfully able to log into your own admin account, you may now go back to the SSO Configuration page and enable the checkbox to "Require authentication exclusively through Custom OIDC".
 If exclusive auth is enabled, only the OIDC button will show on the login screen, and all users must log in using that method. ​
 
 ​