OpenID Connect
To configure the Valsight application to use the OpenID Connect SSO, edit conf/config.yml and restart the server after making changes.
To enable OpenID Connect login configure the following value:
Configuration Key (loginMethodConfigurations → openIdConnect →) | Description | Example Value | Default Value |
|---|---|---|---|
enabled | Whether OpenID Connect authentication should be used or not | true | false |
To configure an OpenID Connect client enter the following configuration keys:
spring:
security:
oauth2:
client:
registration:
openIdConnect:
.....Then configure the OpenID Connection client values as follows:
Configuration Key (….registration.openIdConnect →) | Description | Example Value | Default Value |
|---|---|---|---|
client-id | OAuth 2.0 Client Identifier valid at the Authorization Server | jmxDcfi1gEffVMktJ | n/a |
client-authentication-method | The type of client authentication to perform with the Authorization Server. the currently supported forms of authentication are:
Note: if using ‘client_secret_basic’ then a ‘client-secret’ must be provided, while when using ‘private_key_jwt' then a 'privateRSAKeyPath’ must be provided. For further information about ‘private_key_jwt’ client authentication see https://docs.valsight.com/on-premise/latest/oauth-2-0-with-private-key-jwt-client-authenticait | client_secret_basic | client_secret_basic |
client-secret | Client Secret token, provided by the Authorization Server Note: Since 6.3.0 this value is no longer mandatory if not using the 'client_secret_basic' as the client authentication mode | aZWAuRZUSxT-Sh8-xDLdHI | n/a |
scope | List of comma separated scopes if we want fetch additional claims. | openid, email,profile | n/a |
provider | The name of an OpenID connect provider to use (see below). If there is no provider with the registration id “openIdConnect” a value must be specified. | openIdConnect | n/a |
valsightOpenIdConnectProperties → userProfileMapping →username | The claim used to uniquely identify an user. It must always be present in the provider's response and unique per user. Note: claim names are case sensitve, ensure that the configured string matches the IdP claim name exactly. | preferred_username | sub |
valsightOpenIdConnectProperties → userProfileMapping → email | The claim that contains the user's e-mail address. Note: claim names are case sensitve, ensure that the configured string matches the IdP claim name exactly. *Optional | n/a | |
valsightOpenIdConnectProperties → userProfileMapping → fullName | The claim that contains the user's full name. Note: claim names are case sensitve, ensure that the configured string matches the IdP claim name exactly. *Optional | name | n/a |
valsightOpenIdConnectProperties → loginSuccessfulUrl | The absolute URL (starting with http(s)) of the application's main page. The user will be redirected there after a successful login. | n/a | |
valsightOpenIdConnectProperties → forceGroupsOverage | Forces the application to always use the 'https://graph.microsoft.com/v1.0' API to fetch the user's groups. It has no effect if 'groupsClaim' is not enabled. *Optional | true | false |
valsightOpenIdConnectProperties → acr_values | Allows to pass additional authentication related information to the user service. *Optional | myvalue1:myvalue2:myvalue3:myvalue4 | n/a |
valsightOpenIdConnectProperties →mandatoryClaims → claim → claimValue | This is used to customize the requested presence and values of claims beyond the ones requested by the OpenID Connect specification. Each claim configured here must be present in the provider's response and also have the specified value. If claim has multiple values in the response (e. g. a list of groups the users belongs to) then one of the values in the response must be an exact match to the configured value. Note: claim names are case sensitve, ensure that the configured strings for ‘claim’ values matches the IdP claim name exactly. *Optional | Example Configuration
CODE
| n/a |
valsightOpenIdConnectProperties → groupsClaim | This configuration option enables OpenID Connect to determine which groups users belong to. If this field is not present or if it is empty, the groups must be managed internally in the application. If we set a value of 'groupsClaim' we turn this functionality on. The value of 'groupsClaim' should be a claim name that contains the by OpenID Connect provided groups. The group matching happens as follows:
Important: this functionality never automatically deletes groups in the application Note: claim names are case sensitve, ensure that the configured string matches the IdP claim name exactly. *Optional | groupsInOpenIDConnectResponse | n/a |
valsightOpenIdConnectProperties → requiredGroupNamePrefix | REMOVED This field determines if group names must have a specified prefix to be recognised by the application. If this value is set then any group names within the OpenID Connect response that do not start with value will be treated as if they were not present in the response. Note: If a value for loginMethodConfigurations → commonSSOOptions → mandatoryGroupName has been set then the mandatory group name must have the required prefix value. See https://valsight.atlassian.net/wiki/spaces/RND/pages/4988010533 for further details on this setting. *Optional *Available since 5.9.1 *Removed and replaced by ‘loginMethodConfigurations → commonSSOOptions → requiredGroupNamePrefixes’ in version 6.0.0 for details see: https://valsight.atlassian.net/wiki/spaces/RND/pages/4988010533 | AcceptedGroup_ | n/a |
valsightOpenIdConnectProperties → userInfoEndpointScopes | Allows for the configuration of a list of scopes that are accessible only from the user info endpoint, not from the token. If you never want the user info endpoint to be invoked populate this list with none of the scopes listed in the ‘scope’ configuration key (see above). Setting this key to an empty list means the user info endpoint will always be invoked. *Available since 6.0.26 | Example Configuration
CODE
| profile, email, address, phone |
To configure an OpenID Connect provider enter the following configuration keys:
spring:
security:
oauth2:
client:
provider:
openIdConnect:
.....Then configure the OpenID Connection provider values as follows:
Configuration Key (….provider.openIdConnect →) | Description | Example Value | Default Value |
|---|---|---|---|
issuer-uri | Identifier for the Issuer of the authorization response. | n/a | |
authorization-uri | The Authorization endpoint of the OpenID Connect flow | n/a | |
token-uri | The Token endpoint of the OpenID Connect flow | n/a | |
jwk-set-uri | The endpoint that contains certificates to verify the token | n/a |
Full example YAML configuration
Below is an example of all the available configuration keys for OpenID connect, with no values supplied except where stated:
spring:
security:
oauth2:
client:
registration:
openIdConnect:
client-id:
client-secret:
scope:
valsightOpenIdConnectProperties:
userProfileMapping:
username:
email:
fullName:
forceGroupOverage:
loginSuccessfulUrl:
mandatoryClaims:
#example value
group: groupName
acr_values:
groupsClaim:
requiredGroupNamePrefix:
userInfoEndpointScopes:
provider:
openIdConnect:
issuer-uri:
authorization-uri:
token-uri:
jwk-set-uri: Logging
For logging purpose, add in the log level view (Configuration UI), the following package:
org.springframework.securityorg.springframework.security.oauth2com.valsight.authentication.oauthcom.valsight.services.authentication.SSOServicecom.valsight.authenticationorg.springframework.web.client
Set the log level to DEBUG
Redirect/callback URL
When configuring the IdP the redirect/callback URL for the application is:
<server_url>/<contextPath>/login/oauth2/code/openIdConnect
Reverse Proxy Configuration
If the application is running behind a reverse proxy it will be required to configure the reverse proxy such that the OpenID connect authentication flow can be performed A guide to doing this can be found here: Reverse Proxy