Sentinel Identity Provider (IDP)

>What Is the Sentinel Identity Provider (IDP)?

>Viewing Sentinel Identity Provider (IDP) Endpoints

>Actions for Sentinel Identity Provider (IDP) Endpoints

>About OAuth Clients
See OAuth Clients

>Choosing a Grant Type
See Choosing an OAuth Grant Type

What Is the Sentinel Identity Provider (IDP)?

The Sentinel EMS Identity Provider (IDP) is a service that manages and authenticates user identities to provide them with access to various resources or applications. When working with the Sentinel REST API, the Sentinel IDP authenticates a user and issues an access token that can be used to access protected resources.

When a user wants to access a resource or application that requires authentication, the IDP plays a crucial role. The user is redirected to the IDP's authentication endpoint, where they are prompted to enter their credentials (for example, user name and password). The IDP then verifies the user's identity and generates an access token that represents the user's authorization to access the requested resource.

Viewing Sentinel Identity Provider (IDP) Endpoints

From the navigation pane in the vendor portal, select Identities & Access > Sentinel IDP to view the Sentinel Identity Provider (IDP) page.

The following information can be viewed for OpenID Connect (OIDC) Endpoints using the Sentinel Identity Provider (IDP) page.

Endpoint	Description
Token Endpoint	The client application interacts with the token endpoint to exchange an authorization code grant for an access token. This endpoint is also used for the Client Credentials grant type to get an access token. The client uses a Refresh token to obtain a new access token. The URI for this endpoint always ends in token.
Authorization Endpoint	This endpoint is used by clients to initiate the authentication process. The client redirects the end user to this endpoint, where they are presented with a login screen and are prompted to authenticate and authorize the OAuth client to access their protected resources. The URI for this endpoint always ends in auth.

Endpoint

Description

Token Endpoint

The client application interacts with the token endpoint to exchange an authorization code grant for an access token. This endpoint is also used for the Client Credentials grant type to get an access token.

The client uses a Refresh token to obtain a new access token.

The URI for this endpoint always ends in token.

Authorization Endpoint

This endpoint is used by clients to initiate the authentication process. The client redirects the end user to this endpoint, where they are presented with a login screen and are prompted to authenticate and authorize the OAuth client to access their protected resources.

The URI for this endpoint always ends in auth.

For more details, see OAuth Grant Types.

Creating Access Tokens

This section describes the basic procedures for creating access tokens using Sentinel EMS REST API calls. You can expand on these basic procedures to use any required Sentinel REST API call.

>Create an access token using the JWT for a user (Authorization Code flow)

>Create an access token using the JWT for the vendor application (Client Credentials flow)

NOTE The steps and attribute names described in this section use Postman. On other API platforms, the steps and attribute names may differ slightly.

During these procedures, you need to copy data from Sentinel EMS to your API platform. To copy a value, click Copy next to the required value. The following table explains where to locate the required values.

Attribute	Location
Client ID	From the navigation pane, select Identities & Access > OAuth Client. Then expand the line item for the relevant OAuth client and copy the value from the Credentials tab.
Client Secret	From the navigation pane, select Identities & Access > OAuth Client. Then expand the line item for the relevant OAuth client and copy the value from the Credentials tab.
Redirect URIs	The redirect URI used in your application. (If you want to copy from Sentinel EMS, then from the navigation pane, select Identities & Access > OAuth Client. Expand the line item for the relevant OAuth client and copy the value from the OAuth Client Attributes tab.)
Token Endpoint	From the navigation pane, select Identities & Access > Sentinel IDP.
Authorization Endpoint	From the navigation pane, select Identities & Access > Sentinel IDP.

To create an access token using the JWT for a user (Authorization Code flow):

1.Create an OAuth client.

a.From the navigation pane, select Identities & Access > OAuth Clients to view the OAuth Clients page.

b.Create a confidential OAuth client, as described in Adding an OAuth Client.

2.In your API platform, configure the authorization details. Use the Get Entitlement endpoint to create a GET call using the JWT for the user. Do this by configuring a new authorization token for the required grant type. For information on choosing a grant type, see Choosing an OAuth Grant Type.
Paste or enter the values for the following attributes. The attribute names listed here are from Postman. The attribute names in other API platforms may differ slightly.

•In Grant Type, select the required Grant Type, such as Authorization Code.

•In Auth URL, paste the value from Authorization Endpoint.

•In Callback URL, paste the value from Redirect URIs.

•In Access Token URL, paste the value from Token Endpoint.

•In Client ID, paste the value from Client ID.

•In Client Secret, paste the value from Client Secret. (Required only for the Confidential Client Type)

•Set Scope to openId.

3.Clear the cookies and get an access token. You are redirected to the Sentinel IDP sign in page. Enter the user credentials (user name and password) of an existing Sentinel EMS contact to log in.

4.After successful authentication, use the newly created token to call the Sentinel EMS API. The relevant entitlement for that contact is returned with administrator privileges. You can also call other entities as needed.

To create an access token using the JWT for the vendor application (Client Credentials flow):

1.Create an OAuth client.

a.From the navigation pane, select Identities & Access > OAuth Clients to view the OAuth Clients page.

b.Create a confidential OAuth client, as described in Adding an OAuth Client.

2.In your API platform, configure the authorization details. Use the Get Entitlement endpoint to create a GET call using the JWT for the application. Do this by configuring a new authorization token for the required grant type. For information on choosing a grant type, see Choosing an OAuth Grant Type.
Paste or enter the values for the following attributes. The attribute names listed here are from Postman. The attribute names in other API platforms may differ slightly.

•In Grant Type, select the required Grant Type, such as Client Credentials.

•In Access Token URL, paste the value from Token Endpoint.

•In Client ID, paste the value from Client ID. (Required only for the Confidential Client Type)

•In Client Secret, paste the value from Client Secret. (Required only for the Confidential Client Type)

•Set Scope to openId.

3.Clear the cookies and get an access token.

4.Use the newly created token to call the Sentinel EMS API. The relevant entitlements are returned with administrator privileges. You can also call other entities as needed.

Actions for Sentinel Identity Provider (IDP) Endpoints

The following table lists the actions available for Sentinel endpoints:

Action		Description
	Copy	Copies the endpoint to the Clipboard.