ADP uses the OpenID Connect protocol to allow end-users to authenticate their identity with ADP credentials. ADP is the identity provider responsible for verifying the identity of users and applications, and issuing identity tokens upon successful authentication of those users and applications.
The basic authentication flow is:
- An end-user agent accesses your consumer application.
- Your consumer application redirects the end-user agent to the ADP authorization endpoint.
- ADP authenticates the end-user's ADP credentials and obtains the end-user's consent to access the end-user's information requested by your consumer application.
- ADP redirects the end-user agent to the redirect URI pre-registered with ADP; your consumer application receives an authorization code as a parameter of the redirection.
- Your consumer application contacts the ADP token endpoint to exchange the authorization code for an access token.
- ADP authenticates your consumer application, verifies the validity of the authorization code and provides an access token to your application.
- If your consumer application needs additional identity context to identify the end-user, your consumer application uses the access token provided by ADP to call the userinfo API and retrieve the end-user's identity profile.
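The redirect, callback and code-exchange steps above as an added Python sketch of the consumer application's side; this is not ADP's library code, and the endpoint URLs, the client_id/client_secret form and the parameter names are assumptions taken from standard OpenID Connect, not from this page:

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders: substitute the endpoint URLs ADP supplies with your registration.
AUTHORIZATION_ENDPOINT = "https://ADP_AUTHORIZATION_ENDPOINT_PLACEHOLDER/authorize"
TOKEN_ENDPOINT = "https://ADP_TOKEN_ENDPOINT_PLACEHOLDER/token"

def build_authorization_request(client_id, redirect_uri, scope="openid"):
    """Redirect step: URL for ADP's authorization endpoint plus the state value.

    The state is a fresh random value the consumer application stores in the
    end-user's session so the callback can be tied back to this request.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI pre-registered with ADP
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state

def extract_authorization_code(callback_url, expected_state):
    """Callback step: pull the code out of the redirect to the pre-registered URI.

    The callback is rejected unless its state matches the stored one, so a code
    planted by a third party is never exchanged for a token.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"ADP returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Exchange step: token endpoint and the form body to POST to it over TLS.

    ADP authenticates the consumer application from the client credentials and
    checks that redirect_uri repeats the one used in the authorization request.
    """
    return TOKEN_ENDPOINT, {"grant_type": "authorization_code", "code": code,
                            "redirect_uri": redirect_uri, "client_id": client_id,
                            "client_secret": client_secret}
```

The access token in the token endpoint's response is what the userinfo call in the last step carries.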
The following figure illustrates the login process.
ADP provides libraries that take care of many of the implementation details of authenticating users and gaining access to ADP APIs. If you choose not to use a library, follow the instructions in the remainder of this document, which describes the HTTP request flows that underlie the available libraries.
You must obtain the following from ADP in order to implement OpenID Connect with ADP:
- Signed Certificate
- Client Credentials
OpenID Connect Endpoints
The ADP endpoints involved in the OpenID Connect protocol are described below.