Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Navigate Navigate to /RoleManager URL then click the Authentication Providers menu.

RoleManager can integration to any external provider that supports:

  • OpenID Connect (oidc);

  • OAuth;

  • ADFS;

  • SAML2.

...

Prerequisites

  • Complete application registration in

    the respective authentication provider, e.g. configure redirect_URL, rely_party;Request credentials for connecting to the

    the respective authentication provider, e.g.

    client

    configure redirect_

    id

    URL,

    client_secret;
  • Setup claims mapping at the authentication provider if required.

Adding an authentication provider

...

  • rely_party;

  • Request credentials for connecting to the authentication provider, e.g.

...

  • Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;
  • Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on.

External authentication provider configuration requirement

...

How to Configure Azure Active Directory for OneList

Redirect URI: https://<OneList hostname>/rolemananger/signin-azure

Delegated API permissions:

  • Microsoft Graph
    • Mail.Read
    • openid
    • profile
    • User.Read

...

  • Azure tenant id
  • Application id
  • Client secret

...

{
"clientid": "<Application id>",
"clientsecret": "<Client secret>",
"Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0",
"CallbackPath": "/signin-azure",

"UserNameClaim": "preferred_username",
"SaveTokens": false
}

...

Select this option when Windows AD log in is used as OneList UserName. The prerequisite is Azure AD Premium license.

Azure SAML configuration: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Identifier (Entity ID): https://<OneList hostname>

Reply URL (Assertion Consumer Service URL): https://<OneList hostname/saml-azure

Required claim:

  • User Unique Identifier (Name ID) - select the claim organization for your organization:
    • user.onpremisessamaccount - this is user's Windows AD login
    • user.userprincipalname - this is user's UPN
    • user.email - this is user's email address

Additional claims:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

...

  • App Federation Metadata Url

...

  • client_id, client_secret;

  • Setup claims mapping at the authentication provider if required.

Adding an authentication provider

  1. Click the Create New button,

    • Select the provider type from the dropdown; Select the "Other" type for source system that is only required to automatically map users;

    • Enter the name and display name of the provider. The name has to be unique and starts with a letter without space, e.g. Azure, then click the Next button;

  2. Enter the configuration JSON applicable for the authentication provider. See below list for the applicable provider.

  3. Select the applicable status:

    • Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;

    • Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on.

External authentication provider configuration requirement

Provider

Type

Application Registration

Information Required for RoleManager Configuration

RoleManager Configuration JSON

Azure AD

OpenID Connect

How to Configure Azure Active Directory for OneList

Redirect URI: https://<OneList hostname>/rolemananger/signin-azure

Delegated API permissions:

  • Microsoft Graph

    • Mail.Read

    • openid

    • profile

    • User.Read

  • Azure tenant id

  • Application id

  • Client secret

{
"clientid": "<Application id>",
"clientsecret": "<Client secret>",
"Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0",
"CallbackPath": "/signin-azure",

"UserNameClaim": "email",
"SaveTokens": false
}

Azure AD

SAML

Select this option when using Windows AD log in as OneList UserName. The prerequisite is Azure AD Premium license.

Follow Azure SAML configuration instructions to Create Your Own Applicationhttps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

Identifier (Entity ID): https://<OneList hostname>

Reply URL (Assertion Consumer Service URL): https://<OneList hostname>/rolemanager/saml-azure

Required claim:

  • User Unique Identifier (Name ID) - select the claim applicable for your organization:

    • user.onpremisessamaccount - this is user's Windows AD login

    • user.userprincipalname - this is user's UPN

    • user.mail - this is user's email address

Additional claims:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

",
"SurnameAttribute": "
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

",
"EmailAttribute": "
  • http://schemas.xmlsoap.org/ws

/2005/05/identity/claims/emailaddress",
"Provider":
  • /2005/05/identity/claims/emailaddress

See Add the enterprise application in Azure AD SAML SSO for OneList

  • App Federation Metadata Url e.g. https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

{
"EntityId": "

<the entityID in the metadata XML>

<https://<OneList> hostname>",
"

LoginEndpoint

CallbackPath": "

<the SingleSignOnService url in the metadata XML>",

/saml-azure"
"

X509Certificate

MetaDataUrl":"

<the X509Certificate in the metadata XMl>"
}

<Azure SAML Metadata URL>"
}

ADFS

ADFS

Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2

Rely Party: https://<OneList hostname>/ 

Map the SAMAccount-Name to the Name ID claim. 

Hint: use the Windows event log on the ADFS server to investigate errors, and the rely party above must end with '/'.

Add rules to map claims:

  • sAMAccountName =>

Name ID
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

  • sn =>

Surname
GivenName
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • mail =>

EmailMeta data
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


  • Metadata address, e.g. 

https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml

  • The name of ADFS authentication provider in RoleManager must be WsFederation

{
"MetadataAddress": "<the meta data address>",
"Wtrealm": "https://<OneList host>/"
}

Google

OpenID Connect

Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect

Redirect URL: https://<OneList hostname>/rolemanager/signin-google

  • client id

  • client secret

{
"Authority": "https://accounts.google.com",
"clientid": "<client id>",
"clientsecret": "client secret",
"CallbackPath": "/signin-google",
"UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"Scope": [
"email"
]
}

Salesforce

OpenID Connect

Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm

Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce

  • consumer key

  • consumer secret

{
"Authority": "https://login.salesforce.com/",
"ClientId": "<consumer key>",
"ClientSecret": "<consumer secret>",
"CallbackPath": "/signin-salesforce",
"Scope": ["offline_access","api"]
}

Duo

SAML

Complete the Duo Application Registration

From the "XML metadata" file of the Duo Access Gateway admin console:

  • SSO URL;

  • Entity ID;

  • Signing X509Certificate.

{
"EntityId": "https://<onelist hostname>",
"CallbackPath": "/signin-duo",
"Provider": {
     "EntityId": "<Duo entity id>",
     "LoginEndpoint": "<Duo SSO URL>",
     "X509Certificate": "<Duo certificate>"
   }
}

SAP

OpenID Connect

OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html

Callback URL: https://<onelist hostname>/rolemanager/signin-sap

  • Client ID

  • Secret

{
"Authority": "<environment/sucscription based URL>",
"ClientId": "<Client ID>",
"ClientSecret": "<Secret>",
"CallbackPath": "/signin-sap"
}