Chemaxon Cloud uses OAuth2 / OpenID-Connect (OIDC) based SSO via integration with Okta. For the connected applications, Okta is acting as the ID provider.
See more about application authentication in the Basic application integration guide, section Implementing Okta OIDC integration.
{warning} Make sure the session timeout of your application matches the expiration time of Okta tokens, which is set to 60 minutes. In addition to the usual security concerns, this is also important because the user might remain logged in and able to use the application even after the Chemaxon Cloud subscription expires.
To better understand OIDC, please refer to the following resources:
Resources:
In addition, tokens issued by Okta contain several custom claims.
{
"sub": "<Okta identifier of user>",
"name": "Chemaxon User",
"email": "user@chemaxon.com",
"ver": 1,
"iss": "https://auth.cloud.chemaxon.com/oauth2/aus3qkblpwzIDQBJF417",
"aud": "<client id of tenant>",
"iat": 1689082361,
"exp": 1689085961,
"jti": "ID.IyBvkTOI6_vFdhArM4ulCBIkUcPJ7G1snqKkEBYygW8",
"amr": ["pwd"],
"idp": "00o1155jbhORNoP1w417",
"preferred_username": "user@chemaxon.com",
"auth_time": 1689082219,
"at_hash": "93Pf6uljTQ2NTlbouWKSeQ",
"clientId": "<client id of tenant>",
"cxn_groups": ["cc-user", "cc-admin", "USER"],
"cxn_tenant_domain_name": "platform",
"terminus_env": "integration"
}
Resources:
In addition, tokens issued by Okta contain several custom claims.
{
"ver": 1,
"jti": "AT.iBAZQzXqU38DY_NsdGf5Yanfi4i8bcefuvG7G5ym8IM.oarp3mmccvbETJ5NM416",
"iss": "https://auth.cloud.chemaxon.com/oauth2/aus3qkblpwzIDQBJF417",
"aud": "api://chemaxon",
"sub": "user@chemaxon.com",
"iat": 1689082361,
"exp": 1689085961,
"cid": "<client id of tenant>",
"uid": "<Okta identifier of user>",
"scp": ["offline_access", "terminus", "openid", "email", "profile"],
"auth_time": 1689082219,
"clientId": "<client id of tenant>",
"cxn_groups": ["cc-user", "cc-admin", "USER"],
"cxn_tenant_domain_name": "platform",
"terminus_env": "integration"
}