OpenID Connect
Deployment Feature Availability
Available in on-premise and private instance cloud deployments only.
Interface Feature Availability
Available in web interfaces Produce, Manage and Design only.
Overview
OpenID Connect (OIDC) is an authentication layer that sits on top of OAuth 2.0. SmartIQ supports the use of OpenID Connect Implicit Flow to handle authentication.
Configuration
OpenID Connect configuration options are set in the appsettings.json file.
"Authentication": {
"OpenIDConnect": {
"ClientId": "...",
"ClientSecret": "...",
"Authority": "...",
"MetadataAddress": "...",
"Scope", "...",
"ResponseType": "id_token"
}
}
Attributes
| Attribute | Description |
|---|---|
| ClientId | Required. Unique id that represents this application. |
| ClientSecret | Optional. Shared secret that proves the request comes from the right application. |
| Authority | Required. URL of the identity provider to redirect to, e.g. Google https://accounts.google.com/, Azure https://login.microsoftonline.com/{tenant} |
| MetadataAddress | Optional. URL of the OpenID Connect configuration (discovery) document, which configures the authentication. The web server must be able to request this URL. If empty, the OpenID Connect standard of appending ".well-known/openid-configuration" to the "Authority" value is followed. |
| Scope | Optional. The types of claims to request from the IDP. By default only "openid" is requested. If this setting has a value, the first value must be "openid"; further values are space delimited, e.g. "openid profile email". |
| ResponseType | Required. The only supported response type is "id_token". |
IDP Setup
When configuring applications for SmartIQ within your chosen identity provider, you will need the Redirect URI for Manage and Produce. The format is your SmartIQ domain with the following path appended:
For Manage:
/manage/
For Produce:
/produce/
The return URL is often validated against the URL entered in the IDP configuration. SmartIQ sets the return URL to the address the user used to reach the site, typically https://server/produce or http://server/manage.
Note
The return URL is often case sensitive and needs to match the exact case for the relevant pathway on your domain.
OpenID Connect typically requires HTTPS to be enabled on the IDP site and SmartIQ. Not having HTTPS enabled on SmartIQ can cause a redirect loop.
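As an added example (not SmartIQ's own code), the following Python script applies the rules from the attribute table and the redirect URI guidance above to a constructed appsettings.json block; the client id, tenant and hostnames are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the appsettings.json section; values are placeholders
# and deliberately break two of the table's rules (Scope order, ResponseType).
SAMPLE_APPSETTINGS = json.dumps({"Authentication": {"OpenIDConnect": {
    "ClientId": "example-client-id",
    "ClientSecret": "",
    "Authority": "https://login.microsoftonline.com/EXAMPLE-TENANT",
    "MetadataAddress": "",
    "Scope": "profile openid email",
    "ResponseType": "code",
}}})

def load_oidc(appsettings_text: str) -> dict:
    """Pull the Authentication.OpenIDConnect block out of appsettings.json."""
    return json.loads(appsettings_text)["Authentication"]["OpenIDConnect"]

def metadata_address(cfg: dict) -> str:
    """MetadataAddress if set, else the OIDC default derived from Authority."""
    return cfg.get("MetadataAddress") or (
        cfg["Authority"].rstrip("/") + "/.well-known/openid-configuration")

def validate_oidc(cfg: dict) -> list[str]:
    """Apply the attribute table's rules; returns the problems found."""
    problems = []
    if not cfg.get("ClientId"):
        problems.append("ClientId is required")
    authority = cfg.get("Authority", "")
    if not authority:
        problems.append("Authority is required")
    elif urlsplit(authority).scheme != "https":
        problems.append("Authority should be an https URL")
    scope = (cfg.get("Scope") or "openid").split()  # default is just "openid"
    if scope[0] != "openid":
        problems.append(f"Scope must start with 'openid', got {scope[0]!r}")
    if cfg.get("ResponseType") != "id_token":
        problems.append("ResponseType must be 'id_token'")
    return problems

def redirect_uri_check(uri: str) -> list[str]:
    """https scheme and a path of exactly /manage/ or /produce/, in the site's case."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("use https; http on SmartIQ can cause a redirect loop")
    if parts.path.rstrip("/") not in ("/manage", "/produce"):
        problems.append(f"path must be /manage/ or /produce/, got {parts.path!r}")
    return problems
```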
The default claims that are supported are sub, name, email, given_name, family_name, phone_number. Others can be mapped in Manage > Settings > User Profile Mapping.
The claims must be returned within the id_token to be extracted and used for mapping.
Note
AzureAD groups are not yet supported.