Navigate to the /RoleManager URL, then click the Authentication Providers menu.
RoleManager supports integration with the following authentication providers:
- Azure AD
- ADFS
- Google
- Salesforce
- Any other provider supporting the OpenID Connect protocol (e.g. SAP)
Prerequisites
- Complete the application registration at the authentication provider, e.g. configure the redirect URL and the relying party identifier;
- Obtain the credentials RoleManager uses to connect to the authentication provider, e.g. client_id and client_secret;
- Set up claim mapping at the authentication provider if required.
How to add an authentication provider in RoleManager
- Navigate to RoleManager and select the Authentication Providers menu;
- Click the Create New button and enter the name and display name of the provider. The name must be unique, start with a letter and contain no spaces, e.g. AzureAD. Then click the Next button;
  - For ADFS, the name must be WsFederation;
  - For Google, the name must be Google;
  - For other providers, the name can be any value.
- Enter the configuration JSON applicable to the authentication provider. See the table below for each provider's JSON;
- Select the applicable status flags:
  - Is Active - RoleManager only interacts with active providers;
  - Is Interactive - RoleManager displays a button for each interactive provider on the login page so users can sign in with the external account;
  - Is Default - RoleManager automatically redirects the user to the default provider's login page, i.e. the user does not need to choose which provider to log in with.
External authentication provider configuration requirements
Provider | Application Registration | Information Required for RoleManager Configuration | RoleManager Configuration JSON |
---|---|---|---|
Azure AD | Registration steps: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Registering the app as single tenant is recommended. Redirect URI: https://<OneList hostname>/rolemanager/signin-azure | Application id, client secret, Azure tenant id | { "clientid": "<Application id>", "clientsecret": "<Client secret>", "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0", "CallbackPath": "/signin-azure", "SaveTokens": false } |
ADFS | Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2. Relying party identifier: https://<OneList hostname>/ (it must end with '/'). Map the SAM-Account-Name attribute to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors. | Federation metadata address | { "MetadataAddress": "<the metadata address>", "Wtrealm": "https://<OneList host>/" } |
Google | Registration steps: https://developers.google.com/identity/sign-in/web/devconsole-project. Redirect URL: https://<OneList hostname>/rolemanager/signin-google | | { |
Salesforce | Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm. Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce | Consumer key, consumer secret | { "Authority": "https://login.salesforce.com", "ClientId": "<consumer key>", "ClientSecret": "<consumer secret>", "CallbackPath": "/signin-salesforce", "Scope": ["offline_access","api"] } |
SAP | OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html. Callback URL: https://<onelist hostname>/rolemanager/signin-sap | Environment/subscription-based authority URL, client ID, client secret | { "Authority": "<environment/subscription based URL>", "ClientId": "<Client ID>", "ClientSecret": "<Secret>", "CallbackPath": "/signin-sap" } |
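Most failed logins with these providers come from a mismatch between what was registered at the provider and what was pasted into RoleManager. The following Python script is an added example (it is not part of RoleManager or the OneList documentation) that checks a provider name and configuration JSON against the rules stated in the procedure and table above before they are saved: name format and the reserved names WsFederation and Google, https Authority and MetadataAddress, CallbackPath consistent with the redirect URI registered at the provider, the trailing '/' on the WS-Federation realm, and no <placeholder> left in the JSON. The function names, the role_manager_base parameter and all sample identifiers are assumptions.

```python
"""Offline sanity checks for a RoleManager authentication-provider entry.

Added example, not part of RoleManager or OneList. It encodes the rules this
page states; function names, the role_manager_base parameter and all sample
values below are assumptions.
"""
import json
import re

# Provider type -> name the page says the entry must have (assumption: exact match).
REQUIRED_NAMES = {"ADFS": "WsFederation", "Google": "Google"}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")      # starts with a letter, no spaces
PLACEHOLDER_RE = re.compile(r"<[^>]*>")               # e.g. <Client secret> left in the JSON


def check_provider_name(name, provider_type=None, existing_names=()):
    """Return a list of problems with the provider name (empty if it is acceptable)."""
    errors = []
    if not NAME_RE.match(name):
        errors.append("name must start with a letter and contain no spaces")
    if name in existing_names:
        errors.append("name must be unique")
    required = REQUIRED_NAMES.get(provider_type)
    if required and name != required:
        errors.append(f"{provider_type} provider must be named {required}")
    return errors


def expected_redirect_uri(role_manager_base, callback_path):
    """Redirect URI the provider must have registered: RoleManager base URL + CallbackPath."""
    return role_manager_base.rstrip("/") + callback_path


def check_provider_config(name, config_json, role_manager_base,
                          registered_redirect_uri=None, provider_type=None,
                          existing_names=()):
    """Return every problem found in the provider name and its configuration JSON."""
    errors = check_provider_name(name, provider_type, existing_names)
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return errors + [f"configuration is not valid JSON: {exc}"]

    # The page mixes key casing ("clientid" vs "ClientId"), so look keys up case-insensitively.
    lower = {k.lower(): v for k, v in cfg.items()}

    for key, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER_RE.search(value):
            errors.append(f"{key} still contains a placeholder")

    if name == "WsFederation" or provider_type == "ADFS":    # WS-Federation entry
        if not str(lower.get("metadataaddress", "")).startswith("https://"):
            errors.append("MetadataAddress must be an https URL")
        if not str(lower.get("wtrealm", "")).endswith("/"):
            errors.append("Wtrealm (relying party identifier) must end with '/'")
    else:                                                    # Azure AD, Google, Salesforce, SAP, other OIDC
        if not str(lower.get("authority", "")).startswith("https://"):
            errors.append("Authority must be an https URL")
        callback = str(lower.get("callbackpath", ""))
        if not callback.startswith("/"):
            errors.append("CallbackPath must start with '/'")
        elif registered_redirect_uri is not None:
            expected = expected_redirect_uri(role_manager_base, callback)
            if registered_redirect_uri != expected:
                errors.append(f"registered redirect URI {registered_redirect_uri} "
                              f"does not match {expected}")
        if lower.get("savetokens") is True:
            # The Azure AD sample keeps SaveTokens false; true stores the provider's
            # tokens in the RoleManager session, so flag it for review.
            errors.append("SaveTokens is true; the Azure AD sample on this page uses false")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or secrets.
    base = "https://onelist.example.com/rolemanager"
    azure = json.dumps({
        "clientid": "11111111-2222-3333-4444-555555555555",
        "clientsecret": "example-secret-value",
        "Authority": "https://login.microsoftonline.com/66666666-7777-8888-9999-000000000000/v2.0",
        "CallbackPath": "/signin-azure",
        "SaveTokens": False,
    })
    print("AzureAD:", check_provider_config("AzureAD", azure, base, base + "/signin-azure"))
    adfs = ('{ "MetadataAddress": "https://adfs.example.com/FederationMetadata/2007-06/'
            'FederationMetadata.xml", "Wtrealm": "https://onelist.example.com" }')
    print("WsFederation:", check_provider_config("WsFederation", adfs, base, provider_type="ADFS"))
```

Run it with the JSON you intend to paste and the redirect URI exactly as registered at the provider; an empty list means the entry is consistent with the rules on this page, while the ADFS sample above is reported because its Wtrealm lacks the trailing '/'.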