HomeGuidesRecipesAPI
HomeGuidesAPILog In

OpenID Connect

📘

Interface Feature Availability

Available in web interfaces Produce, Manage and Design only.

Overview

OpenID Connect (OIDC) is an identity layer that sits on top of OAuth 2.0. SmartIQ supports the use of OpenID Connect as a relying party (RP) using the following authentication flows:

  • Authorization Code Flow (recommended)
  • Implicit Flow
  • Hybrid Flow

Setting the Response Type will determine which flow the software will take. The response types set in SmartIQ must also be supported by the identity provider. Check the identity provider documentation and associated metadata document to confirm.

Flow

Response Type value

Authorization Code Flow

code

Implicit Flow

  • id_token
  • id_token token

Hybrid Flow

  • code id_token
  • code token
  • code id_token token

📘

OpenId Connect Logout Support

OpenID only supports logout if the IDP metadata has an end_session_endpoint value. The login also needs to return an id_token value for the Log Out link to appear. This is required for the IDP to know what session is being logged out of.

Configuration

Multi-tenant cloud customers can configure OpenID Connect from Manage. They cannot be set if SAML 2.0 is already enabled. Check the OpenID Connect checkbox to enable these settings for Produce and Manage.

766766

For on-premise and hosted instances, OpenID Connect configuration options are set in the appsettings.json file for Produce and Manage.

"Authentication": {
  "OpenIDConnect": {
    "ClientId": "...",
    "ClientSecret": "...",
    "Authority": "...",
    "MetadataAddress": "...",
    "Scope": "...",
    "ResponseType": "...",
    "PostLogoutUrl": "..."
  }
}

Attributes

Attributes required will vary based on the flow type but are common across deployment types.

Attribute

Description

ClientId (Required)

Unique id that represents this application.

ClientSecret

Shared secret to prove the request comes from right app.

Authority (Required)

URL to redirect to the identity provider. For example, Google https://accounts.google.com/, Azure https://login.microsoftonline.com/{tenant}

Also known as the issuer depending on the identity provider.

MetadataAddress

URL to the configuration documentation. This configures the authentication. The web server must be able to request this URL. If empty, will follow the OpenId Connect standard of appending ".well-known/opened-configuration" to the "Authority" value.

Scope

The types of claims to request from the IDP. By default only "openid" is requested. If this configuration has a value, then the first value must be "openid". Other values are space delimited. For example, "openid profile email"

ResponseType (Required)

Set to the appropriate values to perform the flow required.

PostLogoutUrl

Redirect the browser to this URL when the user logs out of Produce. This can be a company website or some other portal.

If no value is entered, Produce will redirect to /Account/LoggedOff. Manage will not use this setting and will always go to /Account/LoggedOff.

Identity Provider Configuration

When configuring applications for SmartIQ within your chosen identity provider, you will need the Redirect Uri for Manage and Produce. The format is, your SmartIQ domain appended with the following:

  • Manage
    • /manage/signin-oidc
    • /manage/signout-callback-oidc
  • Produce
    • /produce/signin-oidc
    • /produce/signout-callback-oidc

For example, https://sample-tenant.ab12.smartcommunications.cloud/produce/signin-oidc and https://sample-tenant.ab12.smartcommunications.cloud/produce/signout-callback-oidc .

Also consider the following:

  • The most common error message from the identity provider will be a redirect_uri mismatch. This means the uri registered against the application in the identity provider doesn't match your domain or the format above.
  • OpenID Connect requires HTTPS to be enabled on the identity provider and SmartIQ when not using localhost.
  • The default claims that are supported are sub, name, email, given_name, family_name, phone_number. Others can be mapped in Manage > Settings > User Profile Mapping.
    The claims must be returned within the id_token to be extracted and used for mapping.