Navigate to /RoleManager URL then click the Authentication Providers menu.
RoleManager can integration to any external provider that supports:
- OpenID Connect (oidc);
- OAuth;
- ADFS;
- SAML2.
Prerequisites
- Complete application registration in the respective authentication provider, e.g. configure redirect_URL, rely_party;
- Request credentials for connecting to the authentication provider, e.g. client_id, client_secret;
- Setup claims mapping at the authentication provider if required.
Adding an authentication provider
- Click the Create New button,
- Select the provider type from the dropdown; Select the "Other" type for source system that is only required to automatically map users;
- Enter the name and display name of the provider. The name has to be unique and starts with a letter without space, e.g. Azure, then click the Next button;
- Enter the configuration JSON applicable for the authentication provider. See below list for the applicable provider.
- Select the applicable status:
- Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;
- Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on.
External authentication provider configuration requirement
| Provider | Type | Application Registration | Information Required for RoleManager Configuration | RoleManager Configuration JSON |
|---|---|---|---|---|
| Azure AD | OpenID Connect | How to Configure Azure Active Directory for OneList Redirect URI: https://<OneList hostname>/rolemananger/signin-azure Delegated API permissions:
|
| { "UserNameClaim": "preferred_username", |
| ADFS | ADFS | Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2 Rely Party: https://<OneList hostname>/ Map the SAMAccount-Name to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors, and the rely party above must end with '/'. Add rules to map claims:
|
| { "MetadataAddress": "<the meta data address>", "Wtrealm": "https://<OneList host>/" } |
| OpenID Connect | Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect Redirect URL: https://<OneList hostname>/rolemanager/signin-google |
| { "Authority": "https://accounts.google.com", "clientid": "<client id>", "clientsecret": "client secret", "CallbackPath": "/signin-google", "UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Scope": [ "email" ] } | |
| Salesforce | OpenID Connect | Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce |
| { "Authority": "https://login.salesforce.com", "ClientId": "<consumer key>", "ClientSecret": "<consumer secret>", "CallbackPath": "/signin-salesforce", "Scope": ["offline_access","api"] } |
| Duo | SAML | Complete the Duo Application Registration | From the "XML metadata" file of the Duo Access Gateway admin console:
| { "EntityId": "https://<onelist hostname>", "CallbackPath": "/signin-duo", "Provider": { "EntityId": "<Duo entity id>", "LoginEndpoint": "<Duo SSO URL>", "X509Certificate": "<Duo certificate>" } } |
| SAP | OpenID Connect | OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html Callback URL: https://<onelist hostname>/rolemanager/signin-sap |
| { "Authority": "<environment/sucscription based URL>", "ClientId": "<Client ID>", "ClientSecret": "<Secret>", "CallbackPath": "/signin-sap" } |