1. Preamble
OpenID Connect is a simple identity layer built on top of OAuth 2.0.
Note 1
Data expected by Virage Group:
- Client identifier (clientId)
- Redirect URL
Data provided by Virage Group:
- Callback URL
Note 2
In version 6.5.2, automatic account provisioning from the identity provider is not available. It will be available in version 6.5.3.
Consequently, the user identifier in Project Monitor and in the identity provider must be identical (see end of document). This may require reworking the data on existing Project Monitor installations.
Note 3
The OIDC module must be fully deployed on the application server. The installation procedure is described in the Operating Manual.
2. Configuration with Keycloak
- In the monitormaker.properties file, configure the authentication strategy OpenIdConnectAuthenticator:
com.vc.mm.authenticator=com.vc.mm.modules.user.OpenIdConnectAuthenticator
Log in to Project Monitor:
- Click on Administration > Advanced settings > Technical configuration > OpenIdConnect authentication.
- Copy the value of the property Return URL - Callback to the clipboard.
Log in to the Keycloak administration interface:
- Create a new OpenID Connect client, specific to the Project Monitor application.
- Enter an identifier for this new client. The openid-connect protocol must be selected.
In the configuration screen of the newly created client:
- Select public for the Access Type property.
- Set the Valid Redirect URIs property to the value extracted from Project Monitor (Return URL - Callback).
- Save the information you have entered.
- Go to the Realm Settings screen.
- Copy the link URL OpenID Endpoint Configuration to the clipboard.
Go to the OpenIdConnect configuration screen in Project Monitor:
- In the Client ID field, enter the name of the client declared in the previous step.
- In the Metadata URL field, paste the URL copied in the previous step.
- Click on Register.
Mapping between users defined in Project Monitor and in Keycloak:
For identification to work, the identifier defined in Project Monitor and the one defined in Keycloak must be identical.
The user ID is available in the user details screen in Keycloak.
This identifier corresponds to the sub claim contained in the OpenID Connect token.
3. Configuration with Azure AD
Log in to Project Monitor:
- Click on Administration > Advanced settings > Technical configuration > OpenIdConnect authentication.
- Copy the value of the property Return URL - Callback to the clipboard.
Log in to the Azure AD administration interface:
- Register a new application.
- Paste the callback URL here.
- In the application details screen, click on Endpoints.
- Copy the URL OpenID Connect metadata document.
- Also copy the value of Application (client) ID.
Go to the OpenIdConnect configuration screen in Project Monitor:
- In the Client ID field, enter the name of the client declared in the previous step.
- In the Metadata URL field, paste the URL copied in the previous step.
- Save the changes.
Log in to the Azure AD administration interface:
- Create a secret (a secret is mandatory in Azure AD).
- Copy the secret value to the clipboard and enter it in Project Monitor.
4. Test configuration
- Create your users in Project Monitor if you haven't already done so.
- Create your users in your IdP if you haven't already done so.
- Connect to the application to validate the configuration.
5. Automatic account creation
With the OpenIDConnect feature, a user's account can be automatically created on first login.
The following information is stored during creation:
- Identifier
- Name
- First name
To activate this option, the Automatically create missing user accounts at login option must be checked:
At the time of creation, the user has no rights or role on the application. It is up to the functional administrator to associate the user's roles afterwards.
6. Modification of login ID (Keycloak only)
By default, the user ID in Project Monitor is the same as the one in the identity repository.
This is the sub claim.
Although not recommended by the OpenID Connect protocol, it is possible to change the identifier to something more explicit, such as the user's email address.
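The following example, added here and not part of Virage Group's documentation or code, shows the claim handling behind sections 5 and 6: validating a decoded ID token against the configured issuer and client ID, mapping its sub claim to a local account, creating a role-less account when automatic creation is enabled, and refusing an email-based mapping unless the provider asserts the address is verified. All function and field names, and the sample token, are assumptions constructed for illustration.

```python
"""Added example (not Virage Group code): resolve an OpenID Connect ID token to a
Project Monitor-style local account. All names below are illustrative assumptions."""
import time

# Constructed sample: the issuer that the Metadata URL's discovery document would return,
# and the clientId registered at the identity provider.
DISCOVERY = {"issuer": "https://idp.example.test/realms/pm"}
CLIENT_ID = "project-monitor"

def validate_claims(claims, issuer, client_id, now=None):
    """Checks the iss/aud/exp claims of a decoded ID token. Assumes the token
    signature was already verified by the OIDC library; only claim logic is shown."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def resolve_user(claims, users, auto_create=False, id_claim="sub"):
    """Maps the token to a local account keyed by the chosen identifier claim.
    'sub' is the stable, provider-unique identifier (section 6); an 'email'
    mapping is only accepted when the provider asserts the address is verified."""
    if id_claim == "email" and not claims.get("email_verified", False):
        return None, "email not verified by provider"
    ident = claims.get(id_claim)
    if ident is None:
        return None, f"claim {id_claim} missing"
    user = users.get(ident)
    if user is None and auto_create:
        # Section 5: a created account stores identifier, name and first name,
        # and starts with no roles; an administrator assigns them afterwards.
        user = {"id": ident, "name": claims.get("family_name"),
                "first_name": claims.get("given_name"), "roles": []}
        users[ident] = user
    if user is None:
        return None, "unknown user"
    return user, "ok"
```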
7. Login without OpenIdConnect
Some users of Project Monitor are unknown to the IdP (external service provider, consultant). For these users, it is possible to connect to Project Monitor by login and password with the following URL, if local authentication is authorized at user level:
http://maplateforme/nex/login?local=true