OpenIDConnect Authentication Memo

‣

Table of contents

‣

history modifications

1. Preamble

OpenIDConnect is a simple identification layer based on OAuth2.0 (itself an identification device).

🚦

You need an Identity Provider. In the rest of this document, IDP refers to your Identity Provider (e.g. Azure AD / Keycloak).

Note 1

Data expected by Virage Group :

Customer identification (clientId)
Redirect URL

Data provided by Virage Group :

Callback URL

Note 2

In version 6.5.2, automatic account provisioning from the identity provider is not available. It will be available in version 6.5.3.

On the other hand, the correspondence between the identifier in Project Monitor and in the identity provider must be identical (see end of document). This may require the reworking of data on the implementations Project Monitor existing.

Note 3

The module OIDC must be fully deployed on the application server. The installation procedure is described in the Operating Manual.

2. Configuration with KeyCloak

In the monitormaker.properties Configure authentication strategy : OpenIdConnectAuthenticator

com.vc.mm.authenticator= com.vc.mm.modules.user.OpenIdConnectAuthenticator

🚩

See the Operating folder for more information on available authentication strategies.

Log in to the Project Monitor

Click on Administration > Advanced settings > Technical configuration >OpenIdConnect authentication.

Copy property value to clipboard Return URL - Callback

Log in to the Keycloak administration interface

Create a new OpenIDConnect client, specific to the application Project Monitor

Enter an identifier for this new client. The openid-connect protocol must be selected:

In the configuration screen of the newly created client :

Select choice public for the property Access Type.
Enhancing the value of property Valid Redirect URIs with the value extracted from Project Monitor (Return URL - callback)
Save the information you have entered

Go to screen Realm Settings
Copy link URL to clipboard Open ID Endpoint Configuration :

Go to the OpenIdConnect configuration screen in Project Monitor :

Enter in the field Customer ID the name of the customer newly declared in the previous step.
Paste into field Metadata URL the URL copied in the previous step
Click on Register.

Mapping between users defined in Project Monitor and in Keycloak :

For identification to work, it is necessary to ensure that the identifier defined in Project Monitor and Keycloak is identical.

The user ID is available in the user details screen under Keycloak :

This identifier corresponds to the sub contained in the OpenIDConnect token

3. Configuration with AzureAD

Log in to the Project Monitor

Click on Administration > Advanced settings > Technical configuration >OpenIdConnect authentication.

Copy property value to clipboard Return URL - Callback

Log in to the AzureAD administration interface:

Paste the callback url here:

In the application details screen, click on the Termination points
Copy url Open ID Connect metadata Document
Also copy the value of Application ID (customer)

Go to the OpenIdConnect configuration screen in Project Monitor :

Enter in the field " Customer ID "the name of the customer newly declared in the previous step
Paste into field Metadata URL the URL copied in the previous step.
Save changes.

Log in to the AzureAD administration interface:

Create a secret (Secret is mandatory in Azure AD).
Copy the secret value to the clipboard and transfer it to the Project Monitor

4. Test configuration

Create your users in Project Monitor if you haven't already
Create your users in your IDP if you haven't already done so
Connect to the application to validate the configuration

5. Automatic account creation

With the OpenIDConnect feature, a user's account can be automatically created on first login.

The following information is stored during creation:

Identifier
Name
First name
Email

To activate this option, the Automatically create missing user accounts at login must be checked:

At the time of creation, the user has no rights or role on the application. It is up to the functional administrator to associate the user's roles afterwards.

6. Modification of login ID (Keycloak only)

By default, the user ID in Project Monitor is the same as that of the identity repository.

This is the sub.

Although not recommended by the OpenIDConnect protocol, it is possible to change the identifier to something more explicit, such as the user's email address.

Configuration example

7. Login without OpenIdConnect

Some users of Project Monitor are unknown to the IDP (external service provider, consultant). For these users, it is possible to connect to Project Monitor by login and password with url, if local authentication is authorized at user level:

http://maplateforme/nex/login?local=true