Client Secret

A client secret is a secret key that your application passes to an authorization server, that proves your application is who it says it is. If another application is trying to impersonate your application, it will be rejected because it will not have the correct secret.

Please ensure that all of your secrets are protected and not shared with anyone. However, if your client secret is ever compromised, it is quick and easy to generate and apply a new one.

Identity Provider Secrets

When setting up a custom Identity Provider, you’ll see that each one will issue you a Client ID and a Client Secret. This Secret should be entered into LogonLabs, as per the Identity Provider setup documentation. Please note that the LogonLabs application stores this Secret securely, so that it can’t be accessed by anyone but you.

The Identity Provider Secret allows LogonLabs to broker the SSO connection between your website and the Identity Provider.

You’ll also see that you can generate a new Secret at any time, if needed. When generating a new Secret, please ensure that you enter the new Secret into your LogonLabs custom Provider.

LogonLabs Secrets

When you create your App in LogonLabs, you’ll see your App Secret under App Settings in the left menu. This is the Secret that your application will use when it connects to LogonLabs for SSO validation.

As with Identity Providers, you can generate a new Secret and delete old ones at any time. You can also have more than one Secret at each time, and each will be valid and usable. If a Secret becomes compromised, please generate a new one and update your application accordingly. Once your application is using the new Secret, you can delete the old one.

LogonLabs App Secrets vs. User Secrets

The above section refers specifically to App Secrets, which only work with the LogonLabs App they are generated for.

However, LogonLabs also allows for Secrets to be created at the user level. Once created for your user account, you can assign the secret to any LogonLabs App that you have access to. This is useful if you are managing multiple websites, potentially for clients, and want to have a unified way of managing Secrets.