Navigate to /RoleManager URL then click the Authentication Providers menu.
...
Adding an authentication provider
Click the Create New button,
Select the provider type from the dropdown; Select the "Other" type for source system that is only required to automatically map users;
Enter the name and display name of the provider. The name has to be unique and starts with a letter without space, e.g. Azure, then click the Next button;
Enter the configuration JSON applicable for the authentication provider. See below list for the applicable provider.
Select the applicable status:
Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;
Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on.
External authentication provider configuration requirement
Provider | Type | Application Registration | Information Required for RoleManager Configuration | RoleManager Configuration JSON |
---|---|---|---|---|
Azure AD | OpenID Connect | How to Configure Azure Active Directory for OneList Redirect URI: https://<OneList hostname>/rolemananger/signin-azure Delegated API permissions:
|
| { "UserNameClaim": "email", |
Azure AD | SAML | Select this option when using Windows AD log in as OneList UserName. The prerequisite is Azure AD Premium license. Follow Azure SAML configuration instructions to Create Your Own Application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications Identifier (Entity ID): https://<OneList hostname> Reply URL (Assertion Consumer Service URL): https://<OneList hostname>/rolemanager/saml-azure Required claim:
|
Additional claims:
|
See Add the enterprise application in Azure AD SAML SSO for OneList |
| { |
<https:// |
<OneList> hostname>", |
|
MetaDataUrl": |
"GivenNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"SurnameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"EmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"Provider": {
"EntityId": "<the entityID in the metadata XML>",
"LoginEndpoint": "<the SingleSignOnService url in the metadata XML>",
"X509Certificate": "<the X509Certificate in the metadata XMl>"
}
"<Azure SAML Metadata URL>" | ||||
ADFS | ADFS | Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2 Rely Party: https://<OneList hostname>/ Map the SAMAccount-Name to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors, and the rely party above must end with '/'. Add rules to map claims:
|
https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml
| { |
OpenID Connect | Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect Redirect URL: https://<OneList hostname>/rolemanager/signin-google |
| { | |
Salesforce | OpenID Connect | Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce |
| { |
Duo | SAML | From the "XML metadata" file of the Duo Access Gateway admin console:
| { | |
SAP | OpenID Connect | OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html Callback URL: https://<onelist hostname>/rolemanager/signin-sap |
| { |