Configure external authentication providers

Navigate to /RoleManager URL then click the Authentication Providers menu.

RoleManager can integration to any external provider that supports:

OpenID Connect (oidc);
OAuth;
ADFS;
SAML2.

Prerequisites

Complete application registration in the respective authentication provider, e.g. configure redirect_URL, rely_party;
Request credentials for connecting to the authentication provider, e.g. client_id, client_secret;
Setup claims mapping at the authentication provider if required.

Adding an authentication provider

Click the Create New button,
- Select the provider type from the dropdown; Select the "Other" type for source system that is only required to automatically map users;
- Enter the name and display name of the provider. The name has to be unique and starts with a letter without space, e.g. Azure, then click the Next button;
Enter the configuration JSON applicable for the authentication provider. See below list for the applicable provider.
Select the applicable status:
- Is Interactive - RoleManager displays a button for each interactive provider on the log in page so the user can use the external account to log in;
- Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on.

External authentication provider configuration requirement

Provider	Type	Application Registration	Information Required for RoleManager Configuration	RoleManager Configuration JSON
Azure AD	OpenID Connect	How to Configure Azure Active Directory for OneList Redirect URI: https://<OneList hostname>/rolemananger/signin-azure Delegated API permissions: Microsoft Graph Mail.Read openid profile User.Read	Azure tenant id Application id Client secret	{ "clientid": "<Application id>", "clientsecret": "<Client secret>", "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0", "CallbackPath": "/signin-azure", "UserNameClaim": "preferred_username", "SaveTokens": false }
Azure AD	SAML	Select this option when Windows AD log in is used as OneList UserName. The prerequisite is Azure AD Premium license. Azure SAML configuration: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications Identifier (Entity ID): https://<OneList hostname> Reply URL (Assertion Consumer Service URL): https://<OneList hostname>/rolemanager/saml-azure Required claim: User Unique Identifier (Name ID) - select the claim organization for your organization: user.onpremisessamaccount - this is user's Windows AD login user.userprincipalname - this is user's UPN user.mail - this is user's email address Additional claims: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	App Federation Metadata Url	{ "EntityId": "https://<OneList hostname>", "CallbackPath": "/saml-azure", "IdAttribute": null, "GivenNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "SurnameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "EmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Provider": { "EntityId": "<the entityID in the metadata XML>", "LoginEndpoint": "<the SingleSignOnService url in the metadata XML>", "X509Certificate": "<the X509Certificate in the metadata XMl>" } }
ADFS	ADFS	Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2 Rely Party: https://<OneList hostname>/ Map the SAMAccount-Name to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors, and the rely party above must end with '/'. Add rules to map claims: sAMAccountName => Name ID sn => Surname givenname => GivenName mail => Email	Meta data address, e.g. https://adfs.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml	{ "MetadataAddress": "<the meta data address>", "Wtrealm": "https://<OneList host>/" }
Google	OpenID Connect	Registration steps: https://developers.google.com/identity/protocols/OpenIDConnect Redirect URL: https://<OneList hostname>/rolemanager/signin-google	client id client secret	{ "Authority": "https://accounts.google.com", "clientid": "<client id>", "clientsecret": "client secret", "CallbackPath": "/signin-google", "UserNameClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "Scope": [ "email" ] }
Salesforce	OpenID Connect	Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce	consumer key consumer secret	{ "Authority": "https://login.salesforce.com", "ClientId": "<consumer key>", "ClientSecret": "<consumer secret>", "CallbackPath": "/signin-salesforce", "Scope": ["offline_access","api"] }
Duo	SAML	Complete the Duo Application Registration	From the "XML metadata" file of the Duo Access Gateway admin console: SSO URL; Entity ID; Signing X509Certificate.	{ "EntityId": "https://<onelist hostname>", "CallbackPath": "/signin-duo", "Provider": { "EntityId": "<Duo entity id>", "LoginEndpoint": "<Duo SSO URL>", "X509Certificate": "<Duo certificate>" } }
SAP	OpenID Connect	OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html Callback URL: https://<onelist hostname>/rolemanager/signin-sap	Client ID Secret	{ "Authority": "<environment/sucscription based URL>", "ClientId": "<Client ID>", "ClientSecret": "<Secret>", "CallbackPath": "/signin-sap" }