
Single Sign On (SSO) For Your Apps Using MySQL Database


Login with MySQL DB Database as User Store


miniOrange provides a ready-to-use Single Sign-On solution using a MySQL Database. This solution lets you roll out secure access to any of your applications using MySQL credentials within minutes.

Where is SSO (Single Sign-On) with MySQL Database applicable?

Various user stores, i.e. CRM/HRM/CMS/LMS systems where users are stored, do not inherently support Single Sign-On or any other authentication protocol. Here the miniOrange MySQL SSO solution comes into the picture and provides different SSO services to these types of applications.


Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using Azure AD as IDP in your environment, with a 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



Follow the Step-by-Step Guide given below for SSO for your apps using MySQL database

1. Setup MySQL as Authentication Source

  • Login into your miniOrange Admin console and navigate to Identity Providers >> Add Identity Provider.
  • Go to Identity Providers and click on the Add Identity Provider

  • Under the Choose Identity Provider, select Database from the All dropdown.
  • Select Database from All type dropdown

  • Search for MySQL and select it from the list.
  • Search MySQL DB in the list

  • In the Connection Config section, enter the following details:
  • Under Connection Config, enter the details for MySQL DB

    Field Description
    Database Identifier Enter the Database Identifier—the name of the database you are adding. It can be any name relevant to the User-store.
    Database Host Enter the Connection URL for the database. For MySQL the Connection URL has the form jdbc:mysql://<host>:<port>/<database-name>; the default port number is 3306 and the default Password Hash Algorithm is PHPASS.
    • The hostname can be localhost or any remote host.
    • The default port for MySQL Database is 3306.
    • The database-name is the database that stores the users for authentication.
    Admin Username For localhost, the Admin Username is typically 'root'. For a remote host, contact your administrator.
    Admin Password Enter the Admin Password that corresponds to the Admin Username.
    User Table The User Table is the database table where users are stored for authentication. For example, in WordPress the User Table is wp_users.
    Username column The Username column is the column that stores the usernames used for authentication. For example, in WordPress the Username Column is user_login.
    Password column The Password column is the column that stores the users' passwords. For example, in WordPress the Password Column is user_pass.
  • Click on Next to proceed to the Advanced settings for the MySQL DB.
  • Advanced settings for MySQL DB as User Store

    User-activated query Enter the query used to check whether the user is active.

    Example:

    Add Query Strings Add the query strings for the columns you want to import from the database. This can be useful for attribute mapping:

    Example: SELECT '##FIRSTNAME##', FIRSTNAME FROM users WHERE USERNAME=?

    Password Hash Algorithm The hash algorithm used to verify passwords stored in the MySQL DB. The default is PHPASS (the format WordPress uses in its user_pass column).
    Domain Mapping Enter comma-separated domain names to restrict this IdP to specific domains. To allow all domains, leave it empty.
    Enable for EndUsers Enable this option if you want your end users to log in to their End-User Dashboard using IDP credentials.
    Sync Users in miniOrange Users will be created/updated in miniOrange when logging into the End User dashboard. Only applies when 'Enable for End Users' is enabled.
    Fallback Authentication If you enable this option, users present in the external database are authenticated directly through the miniOrange IdP without being created in it. This is useful when the database used for authentication contains private or sensitive information about users.
  • Click on Next to proceed to next step.
  • In the User Sync tab, enter the SQL queries for User Exists, Create User, Update User, and Delete User operations.
  • Switch to User Sync tab for MySQL DB

    User Exists Queries Enter the SQL query to check if a user exists in the database.

    Example: SELECT COUNT(*) FROM users WHERE username = ?

    Create User Queries Enter the SQL query to create a new user in the database.

    Example: INSERT INTO users (username, password) VALUES (?, ?)

    Update User Queries Enter the SQL query to update user information in the database.

    Example: UPDATE users SET password = ? WHERE username = ?

    Delete User Queries Enter the SQL query to delete a user from the database.

    Example: DELETE FROM users WHERE username = ?

  • Go to the Attributes tab and configure the attributes for the MySQL DB database.
    • Send Custom Attributes: if you enable this option, only the attributes configured below will be sent as attributes at the time of login.

      Note: Add a query string for each attribute you want to fetch from the database.

    • Click on Add Attribute to add a new attribute.
      • Enter the Attribute Name sent to SP which is the attribute name that will be sent to the Service Provider.
      • Enter the Attribute Name from Database which is the attribute name that will be fetched from the Database.
      • Example: first_name##FIRSTNAME##, last_name##LASTNAME##, username##USERNAME##, email##EMAIL##
      Add Attribute for MySQL DB Database

    • Click on Save to save the attribute.
  • Click on Save to save the configuration.

2. Test Connection

  • To check whether the connection to the Database is established, run Test Connection. Navigate to Actions beside the app, click on the three-dot icon and select Test Connection.
  • Click on three dot icon and select Test Connection to check connection for MySQL DB Database as User Store

  • Enter the credentials of the user, stored in the User Table of the corresponding Database for testing if the connection is correctly established. Click on Test to check if connection was successful or not.

    Enter credentials for Test Connection for MySQL DB Database

  • If Test Connection is successful, you are good to go.
  • If Test Connection is not successful, check your configuration once again or contact your administrator. Another probable reason is that the credentials entered for Test Connection are wrong.

3. User Provisioning

  • Navigate to Provisioning settings.
  • User provisioning

  • Select the Database from the drop-down menu.
  • Check the provisioning features.
  • Provisioning users from MySQL database

  • To import users from the Database, go to User Provisioning and click on the Import Users button.
  • Select the Database from the drop-down menu and save the configuration.
  • Importing users from MySQL database

  • Now go to Users >> User List and you will find all the users imported from the Database.
  • Database Authentication user provisioning user list

4. Configure your Application in miniOrange


Note:

If you have already configured your application in miniOrange you can skip the following steps.




  • Under Choose Application, select SAML/WS-FED from the All Apps dropdown.
  • Select SAML application

  • In the next step, search for your application from the list. If your application is not found, search for custom and you can set up your app via Custom SAML App. Click on Submit New App Request if you want to submit a new SSO application request.
  • Search custom application

  • Under the Basic tab, you can configure the following settings.
    Display Name (required) Enter the Display name for your app as per your preference.
    SP Entity ID or Issuer (required) Used to identify your app against the SAML request received from the SP. The SP Entity ID or Issuer can be in either URL or string format.
    ACS URL or Assertion Consumer Service URL (required) Defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: https://www.domain-name.com/a/[domain_name]/acs
    Audience URL As the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as SP Entity ID. If Audience URL is not specified separately by SP, leave it blank.
    Single Logout URL The URL where you want the logout request to be consumed and where your users should be redirected after single logout from the applications.
    Upload App Logo Upload a logo for your application.
  • Under Basic settings, enter the details

  • Click Next to go to the Advanced settings. Configure the following settings.
    Signed Request Enable this to sign the SAML request sent by the SP. Provide the X509 certificate or upload the certificate.
    Sign Response Enable this if you want the entire SAML response to be signed.
    Sign Assertion Enable this if you want only the assertion within the SAML response to be signed.
    Signature Algorithm Select the algorithm that will be used to sign the SAML request/response.
    Encrypt Assertion Select this if you want to encrypt the assertion in SAML response and provide the algorithm and certificate for encryption.
    Relay State Enter the URL where you want the user to redirect after sign in to the application.
    Override Relay state Enable this to override the default relay state of the SP.
    Logout Response Binding A Logout Response is sent in reply to a Logout Request from SP. It could be sent by an Identity Provider or Service Provider.
    IdP initiated Logout Request Binding: A Logout Response is sent in reply to a Logout Request from the IdP dashboard. It could be sent by an Identity Provider or Service Provider.
    • HTTP Redirect - A Logout Response with its Signature
    • HTTP POST - A Logout Response with the signature embedded
    SAML Authentication Validity Period The time for which the authentication should be considered valid and the user should be able to perform SSO. After that, the user will have to sign in again.
    Enable Shared Identity This feature lets you control whether a specific application can be accessed by a shared user or not.
  • Switch to Advanced settings

  • Click Next to go to the Login Options tab. Here, you can configure the following settings:
    Primary Identity Provider Select the identity source from where you want the authentication to happen. You will see the list of all configured sources.
    Force Authentication Enable this to enforce authentication on each request to access the application.
    Show On End User Dashboard Disable this if you do not want the app to be visible for all users on end user dashboard.
  • Go to Login Options and click on Next button

  • Click Next to go to the Attributes tab. Here you can add and configure the attributes to be sent to the app.
    NameID NameID is the unique identifier for the authenticated user included in the SAML assertion. It allows the Service Provider to recognize and map the user to an account. Generally, NameID is a username or Email Address.
    NameID Format Defines what type of identifier is used in the NameID (e.g., email, persistent, transient) so the SP can correctly map the user. If the SP does not request a specific format, the IdP can leave it unspecified and use a default.
    Add Name Format Name Format defines how attribute names are represented in a SAML assertion (e.g., as simple strings or URIs). It helps the SP correctly interpret attribute naming and ensures consistency between IdP and SP.
    Enable Multi-Valued Attributes

    Enabled: Commas (,) and semicolons (;) are treated as separators, so the attribute is split into a clean list. Example: roles = ['admin', 'editor', 'viewer'].

    Disabled: Commas and semicolons are not treated as separators, so the attribute stays as one combined string. Example: roles = "admin;editor;viewer".

    Attribute Mapping You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, full name, username, email, custom profile attributes, and user groups, etc.
  • Navigate to Attributes tab and map the attributes

  • Click Next to go to the Policies tab. You need to Save the Application first to configure the policy for the application.
  • Save the application in the Policies section

  • After the application is saved you can configure the policy for that application.
  • Go to Policies and Assign Group

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • Configure group assignment

    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group Name and click on Create Group.
    • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
  • Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it’s successfully added.
  • Add multiple login policies

  • In the Metadata tab, click on any of the two tabs:
    • Click on miniOrange as Idp If you want to use miniOrange as a User-Store i.e., your user identities will be stored in miniOrange.
    • Click on External source as IdP If you want to authenticate your users via any external Identity Provider like Active Directory, Okta, OneLogin, etc. or any other custom IDPs.
    • Select miniOrange as IdP

      Select External source as IdP

    • You can Download Metadata, Download Certificate, copy Metadata URL or copy Certificate based on your requirements.
    • Similarly, you can get the values of SAML Login URL, SAML Logout URL, IDP Entity ID or issuer, IDP Logout URL, Metadata URL from here according to your metadata requirements.
  • Under Choose Application, select OAuth/OpenID from the All Apps dropdown.
  • Select OAuth/OpenID as Apps Type

  • Search for your application from the list. If your application is not found, search for oauth and you can set up your app via OAuth2/OpenID Connect.
  • Search for OAuth custom app

  • In the Basic tab, enter the following details:
    Display Name Enter the Display Name (i.e., the name for this application).
    Redirect URL Enter the Redirect URL. Make sure it follows this format: https://<mycompany.domain-name.com>
    Client ID Auto-generated. Click the copy icon to use it in your application.
    Client Secret Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it.
    Subject (Optional) Select an attribute from the dropdown list.
    Description (Optional) Add a description if required.
    Upload App Logo (Optional) Upload an app logo. The app will be shown in the end-user dashboard with the logo that you configure here.
  • Click on Save.
  • Enter the OAuth app details and click on Save button

  • You will be redirected to the Policies section.
  • Go to Policies and Add Policy

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • Configure group assignment

    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group Name and click on Create Group.
    • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
    Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it's successfully added.
  • Policy successfully added

  • You can go to the Advanced tab to change other settings, such as the expiry time for Access, JWT, and Refresh tokens.
    • Access Token Expiry: For how long the provided access token should be valid from creation. [In Hours] A new access token has to be generated after the expiry.
    • JWT Token Expiry: For how long the generated JWT token should be valid. [ In Hours ]
    • Refresh Token Expiry: For how long the generated refresh token should be valid. [In Days] You will have to generate a new refresh token after the specified number of days.
    • Enable Shared Identity: This feature lets you control whether a specific application can be accessed by a shared user or not.
    Advanced tab token expiry settings

  • Switch to the Login options tab.
    Primary Identity Provider Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
    SSO Flows Select the desired SSO flow from the dropdown: miniOrange as IDP, miniOrange as Broker, or miniOrange as Broker with Discovery Flow.
    Show on Enduser Dashboard Enable this option if you want to show this app in the end-user dashboard.
    Force Authentication If you enable this option, users will have to log in every time, even if their session already exists.
    Allowed Logout URIs Click the Allowed Logout URIs link to add a list of post-logout redirect URIs. Users will be redirected to one of these URIs after a successful logout from miniOrange.
    Single Logout Enabled Enable this option to send logout requests to other applications when logging out from this app.
    Sign in URL

    You can include user attributes in the sign-in URL using placeholders like {{username}}, {{primaryEmail}}, {{customAttribute1}}, etc. These placeholders will be dynamically replaced with the actual user values during the IdP-initiated SSO flow.

    You can generate url using following attributes: username, primaryEmail, alternateEmail, fname, lname, primaryPhone and customAttribute1.

    The url could be like this login.com/{{username}}/?primaryEmail={{primaryEmail}}

  • Query Parameter Format: https://<sso-url>?username={{username}} or https://<sso-url>?username={{username}}&email={{primaryEmail}}
  • Path Parameter Format: https://<sso-url>/{{customAttribute1}}/{{customAttribute2}}/?username={{username}}
  • Navigate to Login options tab

  • Switch to the Attributes tab.
    • Enable Multi-Valued Attributes Option:
    • Enable multi-valued attributes

    • When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
    • This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
    • For example: when this option is enabled, attributes will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
    • When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
    • In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
    • Getting Required App Details / Updating App Information:
    • Go to the Apps section from the side menu. From the list of configured apps, locate the app you created. Click the three-dot icon next to the app and select the Edit option.
    • Edit application

    • You can edit any of the above-mentioned details in case you want to change them.
    • OAuth endpoints

    • OAuth Endpoints:
      • Authorization Endpoint [ https://<your-company-name>.xecurify.com/moas/idp/openidsso ]
        • This endpoint is used to authenticate the end user with their miniOrange credentials. This authenticates the users and returns a response back to the redirect_url based on the parameters passed in the request. [Mainly the authorization code]
        • This endpoint takes the following parameters:
          • Client_id: client_id of the application as configured in the previous steps
          • Redirect_uri: The callback URL where you want to return the response
          • scope: scope of authorization or level of access. You can send a single scope or multiple scopes separated by '+', e.g. "email+openid". The following scopes are supported:
            • Email: returns the email address of the user in the response
            • Profile: returns user profile information in the response
            • OpenID: returns the id_token containing user profile details.
        • This returns the authorization code and the state parameters in the response.
      • Token Endpoint [ https://<your-company-name>.xecurify.com/moas/rest/oauth/token ]
        • This endpoint returns the following:
        • Id_token: Contains user attributes and a signature which you have to validate with the provided public certificate.
        • iss https URI that indicates the issuer
          sub identifier of the user at the issuer
          aud client_id of the requesting client
          nonce the nonce parameter value received from the client
          exp expiration time of this token
          iat time when this token was issued
          auth_time time the authentication happened
          at_hash the first half of a hash of the access token
        • Access_token: Valid for 1 hour and can be used to access user info or other endpoints until it is expired.
        • This endpoint takes the following parameters in the request:
          • Client_id: client_id of the application as configured in the previous steps.
          • Client_secret: client_secret of the application as configured in the previous step.
          • Redirect_url: The callback url where the response should be posted.
          • Code: The authorization code received from the authorization endpoint.
          • Grant_type: The OAuth grant you want to use for the request.
      • User Info Endpoint [ https://<your-domain>.xecurify.com/moas/api/oauth/getuserinfo ] Required in case of OAuth Only
        • This API can be used to fetch user profile information with an access token that was assigned to the user. A GET request is sent to the user info endpoint.
        • You need to send the access token in the authorization header to receive the user details.
      • OpenID Single Logout Endpoint [ https://<your-domain>.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri ] :
        • This endpoint removes the active user session from the miniOrange IDP and redirects the user to the URL passed in the post_logout_redirect_uri parameter.
      View OAuth endpoints

  • Under Choose Application, select JWT from the All Apps dropdown.
  • Select JWT app from dropdown

  • Search for your application from the list. If your application is not found, search for jwt and you can set up your app via JWT App.
  • Search JWT application

  • You can configure the following details in the application:
    Display Name Enter the Display Name (i.e. the name for this application)
    Redirect URL Enter the Redirect URL (i.e. the endpoint where you want to send/post your JWT token). You can add multiple redirect URLs by separating them with a ';', e.g. abc.com;xyz.com
    Client ID The Client ID is shown in the field below. Click the clipboard icon to copy it.
    Client Secret Client Secret is hidden by default. Click the eye icon to reveal it and use the clipboard icon to copy it. This is used in the HS256 signature algorithm for generating the signature.
    Description (Optional) Add a description if required.
    Upload App Logo (Optional) Upload an app logo. The app will be shown in the end-user dashboard with the logo that you configure here.
  • Enter JWT app details

  • Click Save.
  • You will be redirected to the Policies section.
  • Go to Policies and Add Policy

  • Click on the Assign group button. A new Configure Group Assignment modal tab will open.
    • Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
    • Configure group assignment

    • If you need to create a new group, click on the Add New Group button.
    • Enter the Group name and click on Create Group.
    • Create new group

    • Click on Next.
    • Assign Policies: Add the required policies to the selected groups. Enter the following details:
    • First Factor: Select the login method from the dropdown.
      • If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
      • If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
  • Add login policy details

  • Click on Save. Policies will be created for all the selected groups.
  • You will see the policy listed once it's successfully added.
  • Policy successfully added

  • Click on Advanced tab.
  • Enter the following details as required:
    Access Token Enter the access token that will be sent to your redirect URL after a user logs in. This token helps your app know the user is allowed to access certain features.
    ID Token Expiry (In Mins) Set how long (in minutes) the ID token will be valid. After this time, the user will need to log in again to get a new token.
    Subject Choose what information, like the user’s email address, will be used to identify them in the token. This helps your app know which user is logged in.
    Signature Algorithm Select your signature algorithm from the dropdown.
    The Logout URL of your application Enter the web address where users should be sent after they log out.
    Enable Shared Identity This feature lets you control whether a specific application can be accessed by a shared user or not.
  • Navigate to Advanced tab

  • Signature Algorithms for JWT
    • RSA-SHA256
      • Asymmetric, uses a set of private and public keys to generate and validate the signature which is included in the JWT token.
      • The private key is used to generate the signature on the IDP side.
      • The public key is used to verify the signature on the SP side.
      • We provide the public key for this.
    • HS256
      • Symmetric, uses the same secret key to generate and validate the signature.
      • The secret key in this case is configurable from the app configuration page.
  • Switch to Login options tab.
    Primary Identity Provider Select the default ID source from the dropdown for the application. If not selected, users will see the default login screen and can choose their own IDP. [Choose miniOrange in this case.]
    Force Authentication If you enable this option, users will have to log in every time, even if their session already exists.
    Enable User Mapping Enable this option, if you want the app to show which user is signed in when it responds.
    Show On End User Dashboard Enable this option if you want to show this app in the end-user dashboard.
  • Navigate to Login options tab

  • Switch to Attributes tab.
    • Enable Multi-Valued Attributes Option:
    • Enable multi-valued attributes

    • When this option is enabled, both commas (,) and semicolons (;) are treated as delimiters. Any attribute containing these characters will be automatically split and converted into a multi-valued attribute based on their positioning.
    • This feature ensures that attributes with multiple values are delivered in a structured format instead of as a single concatenated string.
    • For example: when this option is enabled, attributes will appear as a list like roles = ['admin', 'editor', 'viewer'] instead of a single string like roles = "admin;editor;viewer".
    • When this option is disabled, attributes stored as a single concatenated string with commas (,) and semicolons (;) are treated in the way they are stored instead of a structured list.
    • In this case, commas (,) and semicolons (;) are not treated as separators, so the values remain combined in one string.
  • Navigate to Endpoints and copy the following details:
  • Navigate to Endpoints and copy URLs

    • Single Sign-On URL:
      • This URL is used to initiate user authentication to obtain the JWT token.
      • Takes redirect_uri as one of the query parameters.
      • After successful authentication on the IDP end, an active user session is created in the IDP and the user is redirected to the redirect_uri with the JWT token.
    • Single Logout URL:
      • This URL is used to log out the user from the IDP by removing the active user session.
      • Takes redirect_uri as one of the query parameters.
      • After removing the active user session, the IDP redirects the user to the redirect_uri.
    • Reply back URL for IdP initiated logout:
      • This URL is used to initiate the logout in case the JWT user login was IDP Initiated [User logged in to the dashboard first and then initiated the login for the app from the dashboard.]
      • After logging out the user from the IDP, the user is redirected to the IDP dashboard login page.
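The id_token claims listed under the Token Endpoint (iss, sub, aud, nonce, exp, iat, at_hash) and the HS256 option under Signature Algorithms for JWT are what the receiving application has to check when a token arrives at its Redirect URL. The following added example (not miniOrange's code) verifies an HS256 token with the app's Client Secret and then checks those claims, pinning the algorithm so the token's own header cannot select a different one; it also builds a token with the same secret so the checks can be exercised. The issuer, client id, secret and token values are constructed here; RS256 tokens would instead be checked against the public key miniOrange provides, using a JOSE library.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _hs256(key: str, signing_input: bytes) -> bytes:
    return hmac.new(key.encode(), signing_input, hashlib.sha256).digest()


def sign_hs256(claims: dict, client_secret: str) -> str:
    """Build a compact JWT signed with HS256 (used here only to construct tokens to verify)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = _hs256(client_secret, f"{header}.{payload}".encode())
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def at_hash(access_token: str) -> str:
    """OIDC at_hash for a SHA-256 based alg: left-most 128 bits of SHA-256(access_token), base64url, no padding."""
    digest = hashlib.sha256(access_token.encode()).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def verify_jwt(token: str, client_secret: str, expected_iss: str, expected_aud: str,
               expected_nonce=None, access_token=None, now=None, leeway=30) -> dict:
    """Check the signature first, then the claims; raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must not be allowed to pick 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = _hs256(client_secret, f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    if "sub" not in claims:
        raise ValueError("missing sub")
    # nonce binds the token to the authorization request that started this login.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # at_hash binds the id_token to the access token issued alongside it.
    if access_token is not None and "at_hash" in claims:
        if not isinstance(claims["at_hash"], str) or not hmac.compare_digest(claims["at_hash"], at_hash(access_token)):
            raise ValueError("at_hash mismatch")
    return claims


def reject_reason(*args, **kwargs):
    """None when the token verifies, otherwise the text of the failing check."""
    try:
        verify_jwt(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```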
