Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Naviage Navigate to /RoleManager URL then click the Authentication Providers menu.

RoleManager can integration to any external provider that supports supports:

  • OpenID Connect (oidc), or
  • ADFS

Prerequisites

  • Complete application registration in the respective authentication provider, e.g. configure redirect_URL, rely_party;
  • Request credentials for connecting to the authentication provider, e.g. client_id, client_secret;
  • Setup claim claims mapping at the authentication provider if requirerequired.

Adding an authentication provider

  1. Click the Create New button, enter the name and display name of the provider. The name has to be unique and starts with a letter without space, e.g. AzureAD, then click the Next button;:
    • For ADFS, the name must be WsFederation;
    • For other providers, give it a unique name.
  2. Enter the configuration JSON applicable for the authentication provider. See below list for the applicable provider.
  3. Select the applicable status:
    • Is Active - RoleManager only interact with active providers;
    • Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;
    • Is Default - RoleManager automatically redirects the user to the default authentication provider's log on login page, i.e. the user does not need to select which provider to log on.

If a source system is non-oidc compatible but is able to automatically map users, then use the following settings to configure a place-holder provider to support it:

  • Configuration JOSN: {"clientid":"na", "callbackpath":"/na", "configuration":{} }
  • Status: Is Active = false, Is Interactive = false; Is Default = false;

External authentication provider configuration requirement

ProviderApplication RegistrationInformation Required for RoleManager ConfigurationRoleManager Configuration JSON
Azure AD

Registration steps: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Register for single tenant is recommended.

Redirect URI: https://<OneList hostname>/rolemananger/signin-azure

  • Azure tenant id
  • Application id
  • Client secret
{
"clientid": "<Application id>",
"clientsecret": "<Client secret>",
"Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0",
"CallbackPath": "/signin-azure",
"SaveTokens": false
}
ADFS

Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2

Rely Party: https://<OneList hostname>/ 

Map the SAMAccount-Name to the Name ID claim. 

Hint: use use the Windows event log on the ADFS server to investigate errors, and the rely party above must end with '/'.

  • Meta data address, e.g. 
https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml
{
"MetadataAddress": "<the meta data address>",
"Wtrealm": "https://<OneList host>/"
}
Google

Registration steps: https://developers.google.com/identity/sign-in/web/devconsole-project

Redirect URL: https://<OneList hostname>/rolemanager/signin-google

  • client id
  • client secret

{

"Authority" = "https://accounts.google.com"
"clientid":"<client id>",
"clientsecret":"client secret",

"CallbackPath":"/signin-google",

"Scope": ["email"]
}

Salesforce

Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm

Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce

  • consumer key
  • consumer secret
{
"Authority": "https://login.salesforce.com",
"ClientId": "<consumer key>",
"ClientSecret": "<consumer secret>",
"CallbackPath": "/signin-salesforce",
"Scope": ["offline_access","api"]
}
SAP

OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html

Callback URL: https://<onelist hostname>/rolemanager/signin-sap

  • Client ID
  • Secret
{
"Authority": "<environment/sucscription based URL>",
"ClientId": "<Client ID>",
"ClientSecret": "<Secret>",
"CallbackPath": "/signin-sap"
}