Configure external authentication providers
Navigate to the /RoleManager URL, then click the Authentication Providers menu.
RoleManager can integrate with any external provider that supports:
- OpenID Connect (OIDC), or
- ADFS
Prerequisites
- Complete the application registration at the respective authentication provider, e.g. configure the redirect URL and the relying party;
- Request the credentials for connecting to the authentication provider, e.g. client_id and client_secret;
- Set up claims mapping at the authentication provider if required.
Adding an authentication provider
- Click the Create New button, enter the name and display name of the provider, then click the Next button. The name must be unique, start with a letter and contain no spaces, e.g. AzureAD:
  - For ADFS, the name must be WsFederation;
  - For other providers, give it a unique name.
- Enter the configuration JSON applicable to the authentication provider. See the table below for the JSON required by each provider.
- Select the applicable status:
  - Is Active - RoleManager only interacts with active providers;
  - Is Interactive - RoleManager displays a button for each interactive provider on the login page so that users can log in with their external account;
  - Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on with.
If a source system is not OIDC compatible but can map users automatically, use the following settings to configure a place-holder provider for it:
- Configuration JSON: { "clientid": "na", "callbackpath": "/na", "configuration": {} }
- Status: Is Active = false, Is Interactive = false, Is Default = false.
External authentication provider configuration requirement
Provider | Application Registration | Information Required for RoleManager Configuration | RoleManager Configuration JSON
---|---|---|---
Azure AD | Registration steps: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Registering for a single tenant is recommended. Redirect URI: https://<OneList hostname>/rolemanager/signin-azure | Application id, client secret, Azure tenant id | { "clientid": "<Application id>", "clientsecret": "<Client secret>", "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0", "CallbackPath": "/signin-azure", "SaveTokens": false }
ADFS | Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2 Relying party: https://<OneList hostname>/ (the relying party must end with '/'). Map the SAMAccountName to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors. | Metadata address | { "MetadataAddress": "<the metadata address>", "Wtrealm": "https://<OneList hostname>/" }
Google | Registration steps: https://developers.google.com/identity/sign-in/web/devconsole-project Redirect URL: https://<OneList hostname>/rolemanager/signin-google | | { "Authority": "https://accounts.google.com", "CallbackPath": "/signin-google", "Scope": ["email"] }
Salesforce | Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm Callback URL: https://<OneList hostname>/rolemanager/signin-salesforce | Consumer key, consumer secret | { "Authority": "https://login.salesforce.com", "ClientId": "<consumer key>", "ClientSecret": "<consumer secret>", "CallbackPath": "/signin-salesforce", "Scope": ["offline_access","api"] }
SAP | OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html Callback URL: https://<OneList hostname>/rolemanager/signin-sap | Environment/subscription based authority URL, client ID, secret | { "Authority": "<environment/subscription based URL>", "ClientId": "<Client ID>", "ClientSecret": "<Secret>", "CallbackPath": "/signin-sap" }
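The following Python script is an added example, not part of RoleManager or this documentation: it applies the rules from the procedure and the table above to a set of provider definitions before they are entered, checking the naming rule, the keys each provider's JSON needs, the all-false status of a place-holder provider, the trailing '/' on the ADFS relying party, and that only one provider is the default, and it flags values still containing an unfilled <...> template placeholder. The provider list, ids, secrets and example.com hosts are constructed sample input.

```python
import json
import re
# Keys each provider's configuration JSON carries in the table above (matched case-insensitively, as the page mixes "clientid"/"ClientId").
REQUIRED_KEYS = {
    "WsFederation": {"metadataaddress", "wtrealm"},  # the ADFS provider must use this name
    "AzureAD": {"clientid", "clientsecret", "authority", "callbackpath"},
    "Google": {"authority", "callbackpath"},
    "Salesforce": {"authority", "clientid", "clientsecret", "callbackpath"},
    "SAP": {"authority", "clientid", "clientsecret", "callbackpath"},
}
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. "<Client secret>" copied from the table but never filled in

def check_provider(name, config_json, is_active, is_interactive, is_default):
    """Return the problems found in one provider definition; an empty list means it passed."""
    problems = []
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", name):
        problems.append("name must start with a letter and contain no spaces")
    try:
        cfg = {k.lower(): v for k, v in json.loads(config_json).items()}
    except (json.JSONDecodeError, AttributeError) as exc:
        return problems + [f"configuration is not a JSON object: {exc}"]
    if cfg.get("clientid") == "na" and cfg.get("callbackpath") == "/na":  # place-holder provider
        if is_active or is_interactive or is_default:
            problems.append("place-holder provider must have all three status flags set to false")
        return problems
    missing = REQUIRED_KEYS.get(name, set()) - set(cfg)
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    for key, value in cfg.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a template placeholder")
    if name == "WsFederation" and not str(cfg.get("wtrealm", "")).endswith("/"):
        problems.append("Wtrealm (relying party) must end with '/'")
    return problems

def check_providers(providers):
    """Check (name, json, active, interactive, default) tuples; only one provider may be Is Default."""
    report = {p[0]: check_provider(*p) for p in providers}
    if sum(1 for p in providers if p[4]) > 1:
        report["_global"] = ["only one provider can be Is Default"]
    return {name: problems for name, problems in report.items() if problems}

# Constructed sample input (dummy id/secret, example.com hosts): an unfilled tenant placeholder and a relying party missing its trailing '/'.
SAMPLE = [
    ("AzureAD", '{"clientid": "00000000-0000-0000-0000-000000000000", "clientsecret": "dummy", "CallbackPath": "/signin-azure", '
                '"Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0", "SaveTokens": false}', True, True, True),
    ("WsFederation", '{"MetadataAddress": "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml", "Wtrealm": "https://onelist.example.com"}', True, True, False),
    ("LegacyHR", '{"clientid":"na", "callbackpath":"/na", "configuration":{} }', False, False, False),
]
```

Running check_providers(SAMPLE) reports the unfilled Azure tenant placeholder and the ADFS Wtrealm without its trailing '/', and passes the place-holder provider.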
IQX OneList Documentation - 6.40