Navigate to the /RoleManager URL, then click the Authentication Providers menu.


The table below lists, for each supported provider: Provider, Type, Application Registration, Information Required for RoleManager Configuration, and RoleManager Configuration JSON.

Provider: Azure AD
Type: OpenID Connect

Application Registration:

How to Configure Azure Active Directory for OneList

Redirect URI: https://<OneList hostname>/rolemanager/signin-azure

Delegated API permissions:

  • Microsoft Graph
    • Mail.Read
    • openid
    • profile
    • User.Read

Information Required for RoleManager Configuration:

  • Azure tenant id
  • Application id
  • Client secret

RoleManager Configuration JSON:

{
  "clientid": "<Application id>",
  "clientsecret": "<Client secret>",
  "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0",
  "CallbackPath": "/signin-azure",
  "UserNameClaim": "preferred_username",
  "SaveTokens": false
}

Provider: Azure AD
Type: SAML

Application Registration:

Select this option when the Windows AD login is used as the OneList UserName. The prerequisite is an Azure AD Premium license.

Azure SAML configuration: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Identifier (Entity ID): https://<OneList hostname>

Reply URL (Assertion Consumer Service URL): https://<OneList hostname>/saml-azure

Required claim:

  • User Unique Identifier (Name ID) - maps to the AD login or UPN. Select the source attribute that suits your organization:
    • user.onpremisessamaccountname - the user's Windows AD login
    • user.userprincipalname - the user's UPN
    • user.email - the user's email address

Additional claims:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Information Required for RoleManager Configuration:

  • App Federation Metadata Url

RoleManager Configuration JSON:

{
  "EntityId": "https://<OneList hostname>",
  "CallbackPath": "/saml-azure",
  "IdAttribute": null,
  "GivenNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "SurnameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "EmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "Provider": {
    "EntityId": "<the entityID in the metadata XML>",
    "LoginEndpoint": "<the SingleSignOnService url in the metadata XML>",
    "X509Certificate": "<the X509Certificate in the metadata XML>"
  }
}
Provider: ADFS
Type: ADFS

Application Registration:

Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2

Relying Party: https://<OneList hostname>/

Map the sAMAccountName to the Name ID claim.

Hint: use the Windows event log on the ADFS server to investigate errors, and the relying party identifier above must end with '/'.

Add rules to map claims:

  • sAMAccountName => Name ID
  • sn => Surname
  • givenname => GivenName
  • mail => Email

Information Required for RoleManager Configuration:

  • Metadata address, e.g. https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml

RoleManager Configuration JSON:

{
  "MetadataAddress": "<the metadata address>",
  "Wtrealm": "https://<OneList hostname>/"
}
Provider: Google
Type: OpenID Connect

Application Registration:

Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect

Redirect URL: https://<OneList hostname>/rolemanager/signin-google

Information Required for RoleManager Configuration:

  • client id
  • client secret

RoleManager Configuration JSON:

{
  "Authority": "https://accounts.google.com",
  "clientid": "<client id>",
  "clientsecret": "<client secret>",
  "CallbackPath": "/signin-google",
  "UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "Scope": [
    "email"
  ]
}
Provider: Salesforce
Type: OpenID Connect

Application Registration:

Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm

Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce

Information Required for RoleManager Configuration:

  • consumer key
  • consumer secret

RoleManager Configuration JSON:

{
  "Authority": "https://login.salesforce.com",
  "ClientId": "<consumer key>",
  "ClientSecret": "<consumer secret>",
  "CallbackPath": "/signin-salesforce",
  "Scope": ["offline_access", "api"]
}
Provider: Duo
Type: SAML

Application Registration:

Complete the Duo Application Registration.

Information Required for RoleManager Configuration:

From the "XML metadata" file of the Duo Access Gateway admin console:

  • SSO URL;
  • Entity ID;
  • Signing X509Certificate.

RoleManager Configuration JSON:

{
  "EntityId": "https://<onelist hostname>",
  "CallbackPath": "/signin-duo",
  "Provider": {
    "EntityId": "<Duo entity id>",
    "LoginEndpoint": "<Duo SSO URL>",
    "X509Certificate": "<Duo certificate>"
  }
}
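Both SAML rows (Azure AD and Duo) ask you to copy the entityID, the SingleSignOnService URL and the signing X509Certificate out of the identity provider's metadata XML into the "Provider" block. The script below, an added example that is not OneList or RoleManager code, does that extraction from a federation metadata document and emits the JSON block. It assumes the metadata follows the standard SAML 2.0 metadata schema with an EntityDescriptor root (which is what the Azure AD "App Federation Metadata Url" and the Duo Access Gateway "XML metadata" file return), prefers the HTTP-Redirect SSO binding and falls back to HTTP-POST (an assumption about how RoleManager sends the AuthnRequest), and only ever takes certificates marked for signing, so an encryption certificate is never pasted into the signature-verification slot. The sample metadata, tenant id and certificate bytes are constructed.

```python
"""Build the RoleManager SAML "Provider" block from an IdP's federation metadata XML.

Added example, not OneList/RoleManager code. Assumes a standard SAML 2.0
EntityDescriptor; the sample below is constructed (fake tenant id, fake cert).
"""
from __future__ import annotations

import base64
import json
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape Azure AD publishes. "MAMCAQE=" is a 5-byte fake
# DER blob (an ASN.1 SEQUENCE), standing in for a real signing certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMC
        AQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def normalise_certificate(raw: str) -> str:
    """Return the certificate as one line of base64 DER, the form the config expects.

    Strips PEM armour and whitespace, then checks the payload really is DER: a
    certificate is an ASN.1 SEQUENCE, so its first byte must be 0x30.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", raw)
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate does not decode to a DER certificate")
    return body


def extract_idp_settings(metadata_xml: str) -> tuple[dict, list[str]]:
    """Return ({EntityId, LoginEndpoint, X509Certificate}, warnings) from IdP metadata."""
    warnings: list[str] = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found (is this SP metadata?)")

    # SingleSignOnService: one Location per binding; prefer Redirect, then POST.
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    login = endpoints.get(HTTP_REDIRECT) or endpoints.get(HTTP_POST)
    if not login:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService found")
    if not login.startswith("https://"):
        warnings.append(f"SingleSignOnService is not https: {login}")

    # Signing certificates only: use="signing", or no use attribute (= both uses).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [normalise_certificate(c.text or "") for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    if len(certs) > 1:
        warnings.append(f"{len(certs)} signing certificates published (key rollover?); using the first")

    return {"EntityId": entity_id, "LoginEndpoint": login, "X509Certificate": certs[0]}, warnings


def build_saml_config(metadata_xml: str, onelist_host: str, callback_path: str) -> tuple[str, list[str]]:
    """Assemble the full RoleManager SAML block as JSON text."""
    provider, warnings = extract_idp_settings(metadata_xml)
    cfg = {"EntityId": f"https://{onelist_host}", "CallbackPath": callback_path, "Provider": provider}
    return json.dumps(cfg, indent=2), warnings


if __name__ == "__main__":
    text, notes = build_saml_config(SAMPLE_METADATA, "onelist.example.com", "/saml-azure")
    print(text)
    for note in notes:
        print("warning:", note)
```

Run it against the real metadata file (or the document fetched from the App Federation Metadata Url) instead of SAMPLE_METADATA; a key-rollover warning means the IdP currently publishes two signing certificates, and the single X509Certificate slot in the config will need updating when the old one is retired.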
Provider: SAP
Type: OpenID Connect

Application Registration:

OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html

Callback URL: https://<onelist hostname>/rolemanager/signin-sap

Information Required for RoleManager Configuration:

  • Client ID
  • Secret

RoleManager Configuration JSON:

{
  "Authority": "<environment/subscription based URL>",
  "ClientId": "<Client ID>",
  "ClientSecret": "<Secret>",
  "CallbackPath": "/signin-sap"
}
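Every row above leaves the same traps for the person filling in the JSON: an angle-bracket placeholder left unreplaced, a non-https Authority, a CallbackPath that does not match the redirect or callback URL registered at the identity provider (the usual cause of a redirect_uri mismatch), the ADFS Wtrealm without its trailing '/', and SaveTokens switched on. The checker below is an added example, not OneList or RoleManager code. It assumes, as the table does, that the URL registered at the provider is https://<OneList hostname>/rolemanager followed by CallbackPath (the app base is a parameter, since the Azure AD SAML reply URL above omits /rolemanager), and that keys are matched case-insensitively, as ASP.NET Core configuration does ("clientid" and "ClientId" are the same setting). The sample values are constructed.

```python
"""Sanity-check a RoleManager authentication provider JSON block before deploying it.

Added example, not OneList/RoleManager code. Sample ids and hostnames are constructed.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. "<Application id>" left unreplaced

# Constructed Azure AD block with one placeholder deliberately left in place.
SAMPLE_AZURE = {
    "clientid": "11111111-2222-3333-4444-555555555555",
    "clientsecret": "<Client secret>",
    "Authority": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0",
    "CallbackPath": "/signin-azure",
    "UserNameClaim": "preferred_username",
    "SaveTokens": False,
}


def get(cfg: dict, key: str):
    """Case-insensitive key lookup, mirroring ASP.NET Core configuration binding."""
    for k, v in cfg.items():
        if k.lower() == key.lower():
            return v
    return None


def find_placeholders(obj, path: str = "") -> list[str]:
    """Walk nested dicts/lists and report every string still holding a <placeholder> or empty."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            found += find_placeholders(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found += find_placeholders(v, f"{path}[{i}]")
    elif isinstance(obj, str) and (PLACEHOLDER.search(obj) or not obj.strip()):
        found.append(f"{path}: placeholder or empty value {obj!r}")
    return found


def validate_provider_config(cfg: dict, registered_url: str, app_base: str = "/rolemanager") -> list[str]:
    """Return findings for one provider block; an empty list means every check passed.

    registered_url is the Redirect/Callback/Reply URL (or, for ADFS, the relying party
    identifier) exactly as it was entered at the identity provider.
    """
    findings = find_placeholders(cfg)

    # Endpoints that carry codes, tokens or assertions must be https.
    for key in ("Authority", "MetadataAddress"):
        url = get(cfg, key)
        if isinstance(url, str) and urlparse(url).scheme != "https":
            findings.append(f"{key} must use https: {url!r}")
    provider = get(cfg, "Provider")
    login = get(provider, "LoginEndpoint") if isinstance(provider, dict) else None
    if isinstance(login, str) and urlparse(login).scheme != "https":
        findings.append(f"Provider.LoginEndpoint must use https: {login!r}")

    registered = urlparse(registered_url)
    if registered.scheme != "https":
        findings.append(f"registered URL must be https: {registered_url!r}")

    # CallbackPath is site-relative and must agree with what the IdP has on file.
    callback = get(cfg, "CallbackPath")
    if callback is not None:
        if not isinstance(callback, str) or not callback.startswith("/"):
            findings.append(f"CallbackPath must start with '/': {callback!r}")
        elif registered.path != app_base + callback:
            findings.append(f"registered path {registered.path!r} != {app_base + callback!r} (CallbackPath)")

    # WS-Federation (ADFS): the table's hint is that the realm must end with '/'.
    realm = get(cfg, "Wtrealm")
    if isinstance(realm, str) and not realm.endswith("/"):
        findings.append(f"Wtrealm must end with '/': {realm!r}")

    # SaveTokens=true keeps the IdP's tokens inside the session cookie; the table sets it false.
    if get(cfg, "SaveTokens") is True:
        findings.append("SaveTokens is true: IdP tokens will be stored in the authentication cookie")
    return findings


if __name__ == "__main__":
    for finding in validate_provider_config(SAMPLE_AZURE, "https://onelist.example.com/rolemanager/signin-azure"):
        print("FINDING:", finding)
    print(json.dumps(SAMPLE_AZURE, indent=2))
```

Load each provider block from the RoleManager configuration with json.load and pass the URL you registered at the provider; for the Azure AD SAML row, pass app_base="" because its reply URL is registered without the /rolemanager prefix.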