OpenID Connect
Interface Feature Availability
Available in web interfaces Produce, Manage and Design only.
Overview
OpenID Connect (OIDC) is an identity layer that sits on top of OAuth 2.0. SmartIQ supports the use of OpenID Connect as a relying party (RP) using the following authentication flows:
- Authorization Code Flow (recommended)
- Implicit Flow
- Hybrid Flow
Setting the Response Type will determine which flow the software will take. The response types set in SmartIQ must also be supported by the identity provider. Check the identity provider documentation and associated metadata document to confirm.
| Flow | Response Type value |
|---|---|
| Authorization Code Flow | code |
| Implicit Flow | id_token |
| Implicit Flow | id_token token |
| Hybrid Flow | code id_token |
| Hybrid Flow | code token |
| Hybrid Flow | code id_token token |
Limitations
There is no support for OpenId Connect logout
Configuration
Multi-tenant cloud customers can configure OpenID Connect from with Manage. They cannot be set if SAML 2.0 is already enabled. Check the OpenID Connect checkbox to enable these settings for Produce and Manage.
For on-premise and hosted instances, OpenID Connect configuration options are set in the appsettings.json file for Produce and Manage.
"Authentication": {
"OpenIDConnect": {
"ClientId": "...",
"ClientSecret": "...",
"Authority": "...",
"MetadataAddress": "...",
"Scope": "...",
"ResponseType": "..."
}
}
Creation and Deletion of Users
If a user doesn't already exist in SmartIQand they attempt to login, a SmartIQ user account will be automatically created for that user on successful authentication.
Deletion of users should be done via the API.
Attributes
Attributes required will vary based on the flow type but are common across deployment types.
| Attribute | Description |
|---|---|
| ClientId | Required, Unique id that represents this application. |
| ClientSecret | Optional, shared secret to prove the request comes from right app |
| Authority | Required, URL to redirect to the identity provider. eg. Google https://accounts.google.com/, Azure https://login.microsoftonline.com/{tenant} Also known as the issuer depending on the identity provider. |
| MetadataAddress | Optional, URL to the configuration documentation. This configures the authentication. The web server must be able to request this URL. If empty the OpenId Connect standard of appending ".well-known/opened-configuration" to the "Authority" value is followed. |
| Scope | Optional, The types of claims to request from the IDP. By default only "openid" is requested. If this configuration has a value then the first value must be "openid". Other values are space delimited eg "openid profile email" |
| ResponseType | Required, set to the appropriate values to perform the flow required. |
Identity Provider Configuration
When configuring applications for SmartIQ within your chosen identity provider you will need the following information.
The Redirect Uri format for Manage and Produce is your SmartIQ domain appended with /manage/signin-oidc and /produce/signin-oidc E.g https://sample-tenant.ap21.smartcommunications.cloud/produce/signin-oidc
The most common error message from the identity provider will be a redirect_uri mismatch. This means the uri registered against the application in the identity provider doesn't match your domain or the format above.
OpenID Connect requires HTTPS to be enabled on the identity provider and SmartIQ when not using localhost.
The default claims that are supported are sub, name, email, given_name, family_name, phone_number. Others can be mapped in Manage > Settings > User Profile Mapping.
The claims must be returned within the id_token to be extracted and used for mapping.
Updated about 2 years ago