Project Monitor v7.7 Knowledge Center

OpenIDConnect Authentication Memo


1. Preamble

OpenID Connect is an identity layer on top of OAuth 2.0: OAuth 2.0 by itself is an authorization framework, and OpenID Connect adds authentication of the end user (the ID token) to it.

🚦
You need an Identity Provider. In the rest of this document, IDP refers to your Identity Provider (e.g. Azure AD / Keycloak).

Note 1

Data expected by Virage Group:

  • Client identifier (clientId)
  • Redirect URL

Data provided by Virage Group:

  • Callback URL

Note 2

The user identifier in Project Monitor and the identifier in the identity provider must be identical (see the end of this document). On existing Project Monitor installations this may require reworking the user data.

Note 3

The OIDC module must be fully deployed on the application server. The installation procedure is described in the Operating Manual.

2. Configuration with Keycloak

  • In monitormaker.properties, set the authentication strategy to OpenIdConnectAuthenticator:

    com.vc.mm.authenticator=com.vc.mm.modules.user.OpenIdConnectAuthenticator

    🚩
    See the Operating Manual for more information on the available authentication strategies.

Log in to Project Monitor:

  1. Click Administration > Advanced settings > Technical configuration > OpenIdConnect authentication.
  2. Copy the value of the Return URL - Callback property to the clipboard.

Log in to the Keycloak administration interface:

  1. Create a new OpenID Connect client dedicated to the Project Monitor application.
  2. Enter an identifier (Client ID) for this new client. The openid-connect protocol must be selected.

In the configuration screen of the newly created client:

  1. Set the Access Type property to public (in the newer Keycloak admin console this corresponds to Client authentication switched off).
  2. Set the Valid Redirect URIs property to the value copied from Project Monitor (Return URL - Callback). Register the exact URL and do not use a wildcard: the redirect URI is what stops an authorization code from being delivered to a URL the attacker chooses.
  3. Save the information you have entered.

Then:

  1. Go to the Realm Settings screen.
  2. Copy the link URL of OpenID Endpoint Configuration to the clipboard (this is the realm's discovery document, whose URL ends in /.well-known/openid-configuration).

Go to the OpenIdConnect configuration screen in Project Monitor:

  1. In the Client ID field, enter the identifier of the client declared in the previous step.
  2. Paste the URL copied in the previous step into the Metadata URL field.
  3. Click Register.
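What the two values exchanged above bind together, as an added example that is not Project Monitor's or Keycloak's code: the Metadata URL is the IDP's OpenID Connect discovery document, from which the application learns the issuer and the authorization, token and key endpoints, and the Return URL - Callback is what the IDP compares the redirect_uri of every authorization request against. The same applies to the Azure AD metadata document in the next section. The Python below parses a discovery document constructed to look like Keycloak's, applies the checks a relying party should make before trusting it (https only, required endpoints present, issuer consistent with the URL the document came from), and shows the exact-match rule for redirect URIs. Host names, the realm name and the callback URL are assumptions, not values from the memo.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, shaped like the one Keycloak serves at
# <server>/realms/<realm>/.well-known/openid-configuration. Host and realm
# name are assumptions for the example.
METADATA_URL = "https://sso.example.org/realms/demo/.well-known/openid-configuration"
DISCOVERY_JSON = json.dumps({
    "issuer": "https://sso.example.org/realms/demo",
    "authorization_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.org/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.org/realms/demo/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Same document with the issuer changed, as a spoofed or misconfigured IDP would serve it.
TAMPERED_JSON = DISCOVERY_JSON.replace(
    '"issuer": "https://sso.example.org/realms/demo"',
    '"issuer": "https://sso.evil.example/realms/demo"')

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_problems(metadata_url: str, body: str) -> list:
    """Checks a relying party applies to a discovery document before trusting it.

    Returns a list of problem descriptions; an empty list means the document
    can be used. The issuer rule comes from OIDC Discovery section 4.3: the
    issuer value must equal the metadata URL with the well-known suffix
    removed. If it does not, the ID tokens later accepted for that issuer
    come from somewhere other than the server the administrator configured.
    """
    problems = []
    if urlsplit(metadata_url).scheme != "https":
        problems.append("metadata URL is not https")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not JSON"]
    for field in REQUIRED:
        if field not in doc:
            problems.append(f"missing {field}")
    if not problems:
        expected = metadata_url[:-len(WELL_KNOWN)] if metadata_url.endswith(WELL_KNOWN) else metadata_url
        if doc["issuer"].rstrip("/") != expected.rstrip("/"):
            problems.append(f"issuer {doc['issuer']} does not match metadata URL")
        for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
            if urlsplit(doc[field]).scheme != "https":
                problems.append(f"{field} is not https")
    return problems


def endpoints(body: str) -> dict:
    """Extract the endpoints the authorization code flow needs."""
    doc = json.loads(body)
    return {field: doc[field] for field in REQUIRED}


def redirect_uri_allowed(registered: list, requested: str) -> bool:
    """Exact-match check, as the IDP performs it against Valid Redirect URIs.
    No prefix or wildcard matching: anything looser lets an attacker steer
    the authorization code to a URL of their choosing."""
    return requested in registered


CALLBACK = "https://pm.example.org/callback"   # assumed Return URL - Callback value

if __name__ == "__main__":
    print(discovery_problems(METADATA_URL, DISCOVERY_JSON))
    print(discovery_problems(METADATA_URL, TAMPERED_JSON))
    print(endpoints(DISCOVERY_JSON)["token_endpoint"])
    print(redirect_uri_allowed([CALLBACK], CALLBACK))
    print(redirect_uri_allowed([CALLBACK], CALLBACK + "/../evil"))
```

A quick way to see what Project Monitor receives from the Metadata URL is to open it in a browser: the issuer field must match the URL you pasted, minus the well-known suffix.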

Mapping between users defined in Project Monitor and in Keycloak:

For authentication to work, the identifier defined in Project Monitor and the one defined in Keycloak must be identical.

The user ID is shown in the user details screen of Keycloak. This identifier is the sub claim carried in the OpenID Connect ID token; it is the UUID Keycloak assigns to the user, not the username.

3. Configuration with Azure AD

Log in to Project Monitor:

  1. Click Administration > Advanced settings > Technical configuration > OpenIdConnect authentication.
  2. Copy the value of the Return URL - Callback property to the clipboard.

Log in to the Azure AD administration interface:

  1. Register a new application.
  2. Paste the callback URL copied from Project Monitor as the redirect URI.
  3. In the application details screen, click Endpoints.
  4. Copy the OpenID Connect metadata document URL.
  5. Also copy the value of Application (client) ID.

Go to the OpenIdConnect configuration screen in Project Monitor:

  1. In the Client ID field, enter the Application (client) ID copied in the previous step.
  2. Paste the URL copied in the previous step into the Metadata URL field.
  3. Save the changes.

Log in to the Azure AD administration interface:

  1. Create a client secret (a secret is mandatory with Azure AD).
  2. Copy the secret value to the clipboard and enter it in Project Monitor. The value is only displayed once, and Azure AD secrets carry an expiry date: note that date and renew the secret on both sides before it expires, otherwise logins will fail.

4. Test the configuration

  • Create your users in Project Monitor if you have not already done so
  • Create your users in your IDP if you have not already done so
  • Log in to the application to validate the configuration

5. Automatic account creation

With the OpenIDConnect feature, a user's account can be automatically created on first login.

The following information is stored during creation:

  • Identifier
  • Name
  • First name
  • Email

To activate this option, Automatically create missing user accounts at login must be checked.

At creation time the user has no rights or role in the application; it is up to the functional administrator to assign the user's roles afterwards. Note that with this option enabled, every user the IDP authenticates for this client obtains a Project Monitor account, so restrict which IDP users may use the client if that is not intended.

6. Modification of login ID (Keycloak only)

By default, the user identifier in Project Monitor is the same as the one in the identity repository: the sub claim.

Although not recommended by the OpenID Connect specification (sub is the only claim guaranteed to be stable and unique within an issuer, whereas an email address can change or be reassigned to another person), it is possible to change the identifier to something more explicit, such as the user's email address.

Configuration example
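The mapping rule of sections 2 and 6 (sub as the login identifier, email as a discouraged alternative) and the fields stored by automatic account creation in section 5, as an added Python example; this is not Project Monitor's code and does not show how the product itself is configured. It constructs a Keycloak-style ID token, applies the claim checks an application must make after verifying the signature (signature verification against the jwks_uri from the discovery document is assumed to be done by a JOSE library and is not shown), and derives the local identifier, refusing an email address the IDP has not verified. The issuer, client ID, user values and stored field names are assumptions.

```python
import base64
import json

ISSUER = "https://sso.example.org/realms/demo"   # assumed realm issuer
CLIENT_ID = "project-monitor"                      # assumed Client ID
NOW = 1_700_000_000                                # fixed clock for the example


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped ID token. The signature segment is a placeholder:
    real tokens are RS256-signed and must be verified against the jwks_uri
    before any claim below is trusted."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo-key"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-placeholder"


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed Keycloak-style claims: sub is the UUID shown on the user details screen.
VERIFIED_TOKEN = make_unsigned_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "8b6f4a2c-1d3e-4f5a-9b7c-0e2d4f6a8c1b",
    "exp": NOW + 300, "iat": NOW, "nonce": "n-42",
    "preferred_username": "amartin", "given_name": "Alice", "family_name": "Martin",
    "email": "alice.martin@example.org", "email_verified": True,
})
# Same user, but the IDP has not verified the address.
UNVERIFIED_TOKEN = make_unsigned_token({**decode_claims(VERIFIED_TOKEN), "email_verified": False})


def claim_problems(claims: dict, issuer: str, client_id: str, now: int, nonce: str) -> list:
    """ID token checks from OIDC Core section 3.1.3.7 that follow signature
    verification. A non-empty result means the login must be refused."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("aud")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    return problems


def login_identifier(claims: dict, use_email: bool = False):
    """Default mapping uses sub, which is stable and unique within the issuer.
    With use_email (section 6) the address is accepted only when the IDP
    asserts email_verified; otherwise None is returned and the login must be
    refused, because an unverified address could be set to collide with
    another user's Project Monitor identifier."""
    if not use_email:
        return claims["sub"]
    if claims.get("email_verified") is not True or not claims.get("email"):
        return None
    return claims["email"].lower()


def provision_account(claims: dict) -> dict:
    """Fields stored by automatic account creation (section 5): no roles yet."""
    return {
        "identifier": login_identifier(claims),
        "name": claims.get("family_name", ""),
        "first_name": claims.get("given_name", ""),
        "email": claims.get("email", ""),
        "roles": [],
    }


if __name__ == "__main__":
    claims = decode_claims(VERIFIED_TOKEN)
    print(claim_problems(claims, ISSUER, CLIENT_ID, NOW, "n-42"))
    print(login_identifier(claims), login_identifier(claims, use_email=True))
    print(login_identifier(decode_claims(UNVERIFIED_TOKEN), use_email=True))
    print(provision_account(claims))
```

The nonce check is what ties the ID token to the browser session that started the login; an application that skips it accepts a token obtained in some other session.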

7. Login without OpenIdConnect

Some Project Monitor users are unknown to the IDP (external service providers, consultants). These users can log in to Project Monitor with a login and password via the URL below, provided local authentication is authorized for that user:

http://maplateforme/nex/login?local=true

Users with local authentication sit outside the IDP's controls (MFA, lockout, offboarding), so keep the set of accounts allowed to use it small and review it regularly.

Produced by Virage Group