
Navigate to the /RoleManager URL, then click the Authentication Providers menu.

...

Each provider entry below lists: provider, type, application registration, information required for RoleManager configuration, and RoleManager configuration JSON.

Azure AD (OpenID Connect)

Application registration:

How to Configure Azure Active Directory for OneList

Redirect URI: https://<OneList hostname>/rolemanager/signin-azure

Delegated API permissions:

  • Microsoft Graph
    • Mail.Read
    • openid
    • profile
    • User.Read

Information required for RoleManager configuration:

  • Azure tenant id
  • Application id
  • Client secret

RoleManager configuration JSON:

{
  "clientid": "<Application id>",
  "clientsecret": "<Client secret>",
  "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0",
  "CallbackPath": "/signin-azure",
  "UserNameClaim": "preferred_usernameemail",
  "SaveTokens": false
}

Azure AD (SAML)

Select this option to use the Windows AD login as the OneList user name. An Azure AD Premium license is a prerequisite.

Application registration: follow the Azure SAML configuration instructions to Create Your Own Application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Identifier (Entity ID): https://<OneList hostname>

Reply URL (Assertion Consumer Service URL): https://<OneList hostname>/rolemanager/saml-azure

Required claim:

  • User Unique Identifier (Name ID) - select the claim appropriate for your organization:
    • user.onpremisessamaccountname - the user's Windows AD login
    • user.userprincipalname - the user's UPN
    • user.mail - the user's email address

Additional claims:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Information required for RoleManager configuration:

  • App Federation Metadata Url, e.g. https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

RoleManager configuration JSON:

{
  "EntityId": "https://<OneList hostname>",
  "CallbackPath": "/saml-azure",
  "IdAttribute": null,
  "GivenNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "SurnameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "EmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "Provider": {
    "EntityId": "<the entityID in the metadata XML>",
    "LoginEndpoint": "<the SingleSignOnService url in the metadata XML>",
    "X509Certificate": "<the X509Certificate in the metadata XML>"
  }
}
ADFS (ADFS)

Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2

Relying Party: https://<OneList hostname>/

Map sAMAccountName to the Name ID claim.

Hint: use the Windows event log on the ADFS server to investigate errors, and note that the relying party identifier above must end with '/'.

Add rules to map claims:

  • sAMAccountName => Name ID
  • sn => Surname
  • givenname => GivenName
  • mail => Email

Information required for RoleManager configuration:

  • Metadata address, e.g. https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml

RoleManager configuration JSON:

{
  "MetadataAddress": "<the metadata address>",
  "Wtrealm": "https://<OneList host>/"
}
Google (OpenID Connect)

Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect

Redirect URL: https://<OneList hostname>/rolemanager/signin-google

Information required for RoleManager configuration:

  • client id
  • client secret

RoleManager configuration JSON:

{
  "Authority": "https://accounts.google.com",
  "clientid": "<client id>",
  "clientsecret": "<client secret>",
  "CallbackPath": "/signin-google",
  "UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "Scope": [
    "email"
  ]
}
Salesforce (OpenID Connect)

Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm

Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce

Information required for RoleManager configuration:

  • consumer key
  • consumer secret

RoleManager configuration JSON:

{
  "Authority": "https://login.salesforce.com/",
  "ClientId": "<consumer key>",
  "ClientSecret": "<consumer secret>",
  "CallbackPath": "/signin-salesforce",
  "Scope": ["offline_access", "api"]
}
Duo (SAML)

Application registration: Complete the Duo Application Registration

Information required for RoleManager configuration, taken from the "XML metadata" file of the Duo Access Gateway admin console:

  • SSO URL
  • Entity ID
  • Signing X509Certificate

RoleManager configuration JSON:

{
  "EntityId": "https://<onelist hostname>",
  "CallbackPath": "/signin-duo",
  "Provider": {
    "EntityId": "<Duo entity id>",
    "LoginEndpoint": "<Duo SSO URL>",
    "X509Certificate": "<Duo certificate>"
  }
}
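The three "Provider" values for the SAML entries (Azure AD and Duo) are copied from the IdP's federation metadata XML. The following added Python script, which is not part of this page or of RoleManager, extracts them from a constructed sample metadata document and prints the Provider block; the entity id, URL and certificates in the sample are placeholders, and it deliberately takes only the signing certificate and refuses to emit a partial block.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata shaped like the federation metadata XML the page refers to (placeholder values).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTIONCERTPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIICPLACEHOLDERSIGNINGCERTBASE64
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def provider_block(metadata_xml: str) -> dict:
    """Return the RoleManager "Provider" object; raise rather than emit a partial block."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("metadata lacks entityID or IDPSSODescriptor")
    # Prefer the HTTP-Redirect SSO endpoint, otherwise any listed endpoint.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    login = endpoints.get(REDIRECT) or next(iter(endpoints.values()), None)
    # Only a signing certificate may verify assertions; a KeyDescriptor without "use" covers both uses.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert = "".join(node.text.split())  # drop PEM-style line breaks
            break
    if not login or not cert:
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    return {"EntityId": entity_id, "LoginEndpoint": login, "X509Certificate": cert}

print(json.dumps({"Provider": provider_block(SAMPLE_METADATA)}, indent=2))
```

Paste the printed object as the "Provider" value of the SAML configuration JSON above.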
SAP (OpenID Connect)

OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html

Callback URL: https://<onelist hostname>/rolemanager/signin-sap

Information required for RoleManager configuration:

  • Client ID
  • Secret

RoleManager configuration JSON:

{
  "Authority": "<environment/subscription based URL>",
  "ClientId": "<Client ID>",
  "ClientSecret": "<Secret>",
  "CallbackPath": "/signin-sap"
}