Configuring SSO authentication
Introduction to SSO authentication in ConSol CM
SSO is an authentication method which can be used to verify the identity of users in the Web Client and CM/Track. It is based on OpenID Connect and can be set up using Microsoft Active Directory Federation Services (ADFS) or Azure AD as the identity provider.
Concepts, terms and definitions
Concept | Other terms | Definition
---|---|---
SSO | single sign-on | Abbreviation of single sign-on. Authentication mechanism which allows users to access several applications after logging in once
OpenID Connect | OIDC | Identity layer on top of the OAuth 2.0 protocol, which allows clients to verify the identity of users authenticated by an identity provider and to obtain basic information about the authenticated session (ID token)
Basic tasks
Setting up SSO for the Web Client
The SSO configuration on the ConSol CM side is done using system properties from the module cmas-core-security. Set the following system properties:
- oidc.web.enabled.default: Indicates whether user authentication using SSO via OIDC is enabled.
- oidc.web.authority.default: Indicates the URL of the authenticating authority (the OIDC provider), e.g. ADFS. Example: https://localhost/adfs
- oidc.web.clientId.default: Indicates the client ID (application ID) of the application, as registered in ADFS or Azure AD.
- oidc.web.clientSecret.default: Indicates the secret of the client, generated using ADFS or Azure AD. Treat it like a password: whoever knows it can act as the registered application towards ADFS or Azure AD.
- oidc.web.redirectUri.default: Indicates the redirect URI where authentication responses can be received. This is either the OIDC endpoint on the ConSol CM server or on the load balancer. Example: http://localhost/cm-client/oidc/ The value must match the redirect URI registered for the application in ADFS or Azure AD; outside of local testing, use an https URL so that the authorization code in the response is not sent in clear text.
- oidc.web.usernameClaim.default: Indicates the name of the claim in the ID token which is used to map the user to a login in ConSol CM. The value depends on the ADFS settings; the usual values are “upn” and “unique_name”.
- oidc.web.usernameRegexp.default: Defines the regular expression used for mapping the user name claim values to ConSol CM user names. The part of the claim value captured by the group in the expression is looked up as the login:
  - “upn” as claim: (.*)@.* will transform the claim value “user1@sso.yourdomain.com” to “user1” and look up “user1” in the ConSol CM database.
  - “unique_name” as claim: .*\\(.*) will transform the claim value “SSO\user1” to “user1” and look up “user1” in the ConSol CM database. The doubled backslash in the expression matches the single literal backslash between the domain and the user name.
The logins for the users are saved on the Users page of the Web Admin Suite.
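The claim-to-login mapping configured by oidc.web.usernameClaim.default and oidc.web.usernameRegexp.default, as an added example that is not part of the ConSol CM documentation or product code. It applies the two expressions from the list above to constructed ID-token claims and also shows the consequence of both expressions stripping the domain part: a “user1” from any domain the identity provider authenticates maps to the same login. The domain-restricted expressions, the sample claims and the set of known logins are assumptions of this example; whether ConSol CM anchors the match to the whole claim value is not stated on this page, so the example requires a full match.

```python
import re

# Constructed ID-token claim sets, standing in for what ADFS issues after a
# successful login (sample data for this example, not real tokens).
ADFS_CLAIMS = {"upn": "user1@sso.yourdomain.com", "unique_name": "SSO\\user1"}
FOREIGN_CLAIMS = {"upn": "user1@other.example", "unique_name": "OTHER\\user1"}

# Constructed set of logins known to ConSol CM, standing in for the lookup in
# the ConSol CM database (assumption: an exact, case-sensitive match).
KNOWN_LOGINS = {"user1", "admin"}


def map_claim_to_login(claims, username_claim, username_regexp):
    """Derive the login from the configured claim, or return None.

    Mirrors oidc.web.usernameClaim.default / oidc.web.usernameRegexp.default:
    the claim value is matched against the expression and the text captured
    by the first group is the login. A missing claim or a non-matching value
    yields None; the raw claim value is never used as a fallback.
    """
    value = claims.get(username_claim)
    if not isinstance(value, str) or not value:
        return None
    pattern = re.compile(username_regexp)
    if pattern.groups < 1:
        raise ValueError("usernameRegexp needs a capturing group to select the login")
    match = pattern.fullmatch(value)  # assumption: the whole value must match
    if match is None or not match.group(1):
        return None
    return match.group(1)


def resolve_user(claims, username_claim, username_regexp, known_logins=KNOWN_LOGINS):
    """Return the ConSol CM login for this token, or None if the claim cannot
    be mapped or the login does not exist in ConSol CM (SSO login refused)."""
    login = map_claim_to_login(claims, username_claim, username_regexp)
    if login is None or login not in known_logins:
        return None
    return login


# The two expressions from the documentation strip the domain part ...
UPN_ANY_DOMAIN = r"(.*)@.*"
UNIQUE_NAME_ANY_DOMAIN = r".*\\(.*)"  # \\ matches the literal backslash in SSO\user1
# ... so user1 from any domain the provider authenticates maps to the same
# login. Restricting the expression to the expected domain (an assumption of
# this example, not a ConSol CM default) rejects the others.
UPN_OWN_DOMAIN = r"(.*)@sso\.yourdomain\.com"
UNIQUE_NAME_OWN_DOMAIN = r"SSO\\(.*)"


if __name__ == "__main__":
    for claims in (ADFS_CLAIMS, FOREIGN_CLAIMS):
        for claim, loose, strict in (("upn", UPN_ANY_DOMAIN, UPN_OWN_DOMAIN),
                                     ("unique_name", UNIQUE_NAME_ANY_DOMAIN, UNIQUE_NAME_OWN_DOMAIN)):
            print(claims[claim], "->", resolve_user(claims, claim, loose),
                  "| domain-restricted:", resolve_user(claims, claim, strict))
```

Running the block shows that with the documented expressions both “user1@sso.yourdomain.com” and “user1@other.example” end up as the login “user1”; only the domain-restricted expressions refuse the second one. If the identity provider authenticates more than one domain, tighten the expression accordingly.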
Setting up SSO for CM/Track
The SSO configuration on the ConSol CM side is done using system properties from the module cmas-core-security.
If there are several instances of CM/Track, for example, one for internal customers and one for external customers, you can provide separate configurations for each instance. The mapping of a CM/Track instance to a configuration is done using the following property:
- domain.map.for.oidc.config.CONFIGURATION_NAME: Maps one or more CM/Track instances to a specific configuration. Replace “CONFIGURATION_NAME” with the name of the configuration (example: if your CM/Track configuration is called “trackV2customized”, the name of the property is domain.map.for.oidc.config.trackV2customized). The value is the URL of the CM/Track instance; you can provide several URLs separated by a comma.
The following system properties are used as the default configuration. To create a separate configuration for an instance, copy them and replace “default” in the property name by the name of the configuration. The default values are used whenever no configuration-specific property is set.
Set the following system properties:
- oidc.track.enabled.default: Indicates whether user authentication using SSO via OIDC is enabled.
- oidc.track.authority.default: Indicates the URL of the authenticating authority (the OIDC provider), e.g. ADFS. Example: https://localhost/adfs
- oidc.track.clientId.default: Indicates the client ID (application ID) of the application, as registered in ADFS or Azure AD.
- oidc.track.clientSecret.default: Indicates the secret of the client, generated using ADFS or Azure AD.
- oidc.track.redirectUri.default: Indicates the redirect URI where authentication responses can be received. This is either the OIDC endpoint on the ConSol CM server running CM/Track or on the load balancer. Example: http://localhost/track/oidc/ The value must match the redirect URI registered for the application in ADFS or Azure AD; outside of local testing, use an https URL.
- oidc.track.usernameClaim.default: Indicates the name of the claim in the ID token which is used to map the user to a contact in ConSol CM. The value depends on the ADFS settings; the usual values are “upn” and “unique_name”.
- oidc.track.usernameRegexp.default: Defines the regular expression used for mapping the user name claim values to ConSol CM user names. The part of the claim value captured by the group in the expression is looked up as the user name:
  - “upn” as claim: (.*)@.* will transform the claim value “user1@sso.yourdomain.com” to “user1” and look up “user1” in the ConSol CM database.
  - “unique_name” as claim: .*\\(.*) will transform the claim value “SSO\user1” to “user1” and look up “user1” in the ConSol CM database.
  Both expressions discard the domain part, so “user1” from any domain the identity provider authenticates is mapped to the same contact. If the provider serves more than one domain, for example for external customers, restrict the expression to the expected domain, e.g. (.*)@sso\.yourdomain\.com.
The logins for the contacts are saved in the contact fields that have the user name setting, which are maintained in the Web Client.
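The per-instance resolution of the CM/Track properties, as an added example that is not ConSol CM code: it takes a constructed set of system properties, determines from domain.map.for.oidc.config.* which configuration applies to the CM/Track instance handling a request, assembles the effective oidc.track.* values with fallback to the .default properties, and runs the checks a practitioner wants before enabling SSO for an instance. How ConSol CM compares the mapped URLs with the request is not stated on this page; comparing scheme and host is an assumption of this example, as are all property values (the secrets and client IDs are placeholders).

```python
import re
from urllib.parse import urlsplit

# Constructed system properties for an installation with two CM/Track
# instances: the internal one uses the "default" configuration, the partner
# portal is mapped to "trackV2customized". All values are made up.
SYSTEM_PROPERTIES = {
    "domain.map.for.oidc.config.trackV2customized":
        "https://partners.example.com, https://partners-test.example.com",
    "oidc.track.enabled.default": "true",
    "oidc.track.authority.default": "https://adfs.example.com/adfs",
    "oidc.track.clientId.default": "11111111-2222-3333-4444-555555555555",
    "oidc.track.clientSecret.default": "internal-secret-placeholder",
    "oidc.track.redirectUri.default": "https://cm.example.com/track/oidc/",
    "oidc.track.usernameClaim.default": "upn",
    "oidc.track.usernameRegexp.default": r"(.*)@.*",
    # partner instance: own application registration and claim mapping;
    # everything else (enabled, authority) falls back to the .default value
    "oidc.track.clientId.trackV2customized": "66666666-7777-8888-9999-000000000000",
    "oidc.track.clientSecret.trackV2customized": "partner-secret-placeholder",
    "oidc.track.redirectUri.trackV2customized": "https://partners.example.com/track/oidc/",
    "oidc.track.usernameClaim.trackV2customized": "unique_name",
    "oidc.track.usernameRegexp.trackV2customized": r".*\\(.*)",
}

DOMAIN_MAP_PREFIX = "domain.map.for.oidc.config."
TRACK_KEYS = ("enabled", "authority", "clientId", "clientSecret",
              "redirectUri", "usernameClaim", "usernameRegexp")


def _origin(url):
    """scheme://host[:port], lower-cased. Comparing origins is an assumption
    of this example; the page does not say how ConSol CM matches the URLs."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def config_name_for_url(props, request_url):
    """Name of the configuration mapped to the CM/Track instance serving
    request_url; "default" if no domain.map.for.oidc.config.* entry matches."""
    wanted = _origin(request_url)
    for key, value in props.items():
        if key.startswith(DOMAIN_MAP_PREFIX):
            urls = [u for u in value.split(",") if u.strip()]
            if any(_origin(u) == wanted for u in urls):
                return key[len(DOMAIN_MAP_PREFIX):]
    return "default"


def resolve_track_config(props, name):
    """Effective oidc.track.* configuration for one instance: a property with
    the configuration name wins, otherwise the .default property is used."""
    return {k: props.get(f"oidc.track.{k}.{name}", props.get(f"oidc.track.{k}.default"))
            for k in TRACK_KEYS}


def check_config(cfg):
    """Pre-flight checks before enabling SSO for an instance. Returns a list of
    findings; an empty list means nothing was found."""
    findings = []
    if str(cfg.get("enabled")).lower() != "true":
        findings.append("enabled is not true")
    for key in ("authority", "clientId", "clientSecret", "redirectUri"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    for key in ("authority", "redirectUri"):
        # plain http is acceptable for local tests only; in production the
        # authorization code would otherwise travel in clear text
        if cfg.get(key) and urlsplit(cfg[key]).scheme.lower() != "https":
            findings.append(f"{key} does not use https")
    try:
        if re.compile(cfg.get("usernameRegexp") or "").groups < 1:
            findings.append("usernameRegexp has no capturing group")
    except re.error as exc:
        findings.append(f"usernameRegexp is not a valid expression: {exc}")
    return findings


if __name__ == "__main__":
    for url in ("https://cm.example.com/track/", "https://partners.example.com/track/"):
        name = config_name_for_url(SYSTEM_PROPERTIES, url)
        cfg = resolve_track_config(SYSTEM_PROPERTIES, name)
        print(url, "->", name, cfg["clientId"], cfg["usernameClaim"], check_config(cfg) or "ok")
```

The check deliberately flags the http://localhost redirect URI used in the example above: it is fine for a local test, but a production instance should only ever hand the authorization code to an https endpoint that is registered identically at the identity provider.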