Configuring SSO authentication
Introduction to SSO authentication in ConSol CM
SSO is an authentication method which can be used to verify the identity of users in the Web Client and CM/Track. It is based on OpenID Connect and can be set up using Microsoft Active Directory Federation Services or Azure AD.
Concepts, terms and definitions
Concept | Other terms | Definition
---|---|---
SSO | | Abbreviation of single sign-on. Authentication mechanism which allows users to access several applications after logging in once.
OpenID Connect | OIDC | Authentication mechanism based on the OpenID protocol, which allows clients to obtain information about authenticated user sessions.
Purpose and usage
You need to set up OIDC in the following situations:
- Using an external SSO provider, e.g. ADFS or Azure AD, for login to the Web Client or CM/Track V2 and V3.
- Using CM/Track V3, regardless of whether the users are authenticated against the database or LDAP or via an external SSO provider.
The default configuration for OIDC with database or LDAP authentication is created automatically.
Basic tasks
Setting up OIDC
The OIDC configuration on the ConSol CM side is done using system properties from the module cmas-core-security. Set the following system properties:
- oidc.<CLIENT>.enabled.default: Indicates whether user authentication using SSO via OIDC is enabled.
- oidc.<CLIENT>.authority.default: Indicates the URL of the authenticating authority, e.g. ADFS. Example: https://localhost/adfs
- oidc.<CLIENT>.clientId.default: Indicates the client ID (application ID) of the application, as registered in ADFS or Azure AD.
- oidc.<CLIENT>.clientSecret.default: Indicates the secret of the client, generated using ADFS or Azure AD.
- oidc.<CLIENT>.globalLogout.default: Only relevant for CM/Track V3. Determines whether the user is also logged out from the OIDC provider when logging out of CM/Track. For an internal provider, it should be set to “true”. For an external provider, the value is usually “false”, so that sessions in other applications served by the same provider are not closed.
- oidc.<CLIENT>.providerType.default: Only relevant for CM/Track V3. Should be “internal” to use the ConSol CM authentication application as OIDC provider, and “external” if a third-party application, such as Azure AD or ADFS, should be used.
- oidc.<CLIENT>.redirectUri.default: Indicates the redirect URI where authentication responses can be received. This is the OIDC endpoint either on the ConSol CM server running CM/Track or on the load balancer. Example: http://localhost/track/oidc/ or http://localhost/cm-client/oidc/
- oidc.<CLIENT>.usernameClaim.default: Indicates the name of the claim in the ID token which is used to map the user to a contact in ConSol CM. The value depends on the ADFS settings; the default values are “upn” and “unique_name”.
- oidc.<CLIENT>.usernameRegexp.default: Defines the regular expression used for mapping the user name claim values to ConSol CM user names.
  - “upn” as claim: (.*)@.* will transform the claim value “user1@sso.yourdomain.com” to “user1” and look up “user1” in the ConSol CM database.
  - “unique_name” as claim: .*\\(.*) will transform the claim value “SSO\user1” to “user1” and look up “user1” in the ConSol CM database.
- Replace <CLIENT> by the application:
  - Web Client: web
  - CM/Track V2: track
  - CM/Track V3: track3
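As an added example (not ConSol CM's own code), the claim-to-user-name mapping described above, applied in Python to the two regular expressions from the list. It assumes that the expression has to match the whole claim value and that the first capture group is the user name; a claim that does not match is treated as a failed mapping rather than being looked up as-is.

```python
import re
from typing import Optional

# Constructed sample: the two mappings from the page, keyed by the claim name.
# The values are the regular expressions exactly as they would be set in
# oidc.<CLIENT>.usernameRegexp.default.
USERNAME_REGEXPS = {
    "upn": r"(.*)@.*",
    "unique_name": r".*\\(.*)",
}


def map_claim_to_username(claim_value: str, username_regexp: str) -> Optional[str]:
    """Return the ConSol CM user name derived from a claim value.

    Assumption (not stated on the page): the regular expression must match the
    whole claim value and the user name is the first capture group. A claim
    value that does not match, or yields an empty group, returns None so the
    caller rejects the login instead of looking up a partial name.
    """
    match = re.fullmatch(username_regexp, claim_value)
    if match is None or match.lastindex is None:
        return None
    return match.group(1) or None


def username_from_id_token(id_token_claims: dict, claim_name: str,
                           username_regexp: str) -> Optional[str]:
    """Pick the configured claim out of the decoded ID token claims and map it."""
    claim_value = id_token_claims.get(claim_name)
    if not isinstance(claim_value, str):
        return None
    return map_claim_to_username(claim_value, username_regexp)


if __name__ == "__main__":
    # Constructed ID token claims, as they would look after decoding the token.
    claims = {"upn": "user1@sso.yourdomain.com", "unique_name": "SSO\\user1"}
    for name, regexp in USERNAME_REGEXPS.items():
        print(name, "->", username_from_id_token(claims, name, regexp))
```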
Advanced tasks
Using several URLs for CM/Track
If CM/Track is accessed via more than one URL, you need to create additional OIDC configurations. This is the case, for example, in the following situations:
- There are two different instances of CM/Track for different groups of end users.
- One instance of CM/Track is accessed via two different URLs, e.g. an internal one and an external one.
For each URL used to access CM/Track, one OIDC configuration is needed.
- Add all the URLs which should use the portal configuration as a comma-separated list to the system property cmas-restapi-core, domain.map.for.client.config.<portal_configuration>, e.g. domain.map.for.client.config.MYPORTAL=http://cm.consol.pl:8999/cm-track, http://cm.consol.pl/cm-track.
- Create an OIDC configuration for each URL. It needs to contain at least the following properties:
  - Create cmas-core-security, domain.map.for.oidc.config.<oidc_configuration> and set the URL through which CM/Track is reached as a value, e.g. domain.map.for.oidc.config.MYTRACK1=http://cm.consol.pl:8999/cm-track.
  - Create cmas-core-security, oidc.track3.redirectUri.<oidc_configuration> and set the /oidc endpoint of the CM/Track instance as a value, e.g. oidc.track3.redirectUri.MYTRACK1=http://cm.consol.pl:8999/cm-track/oidc/.
  - Create cmas-core-security, oidc.track3.authority.<oidc_configuration> and set the /cmas-auth-portal-user endpoint of the authentication application as a value, e.g. oidc.track3.authority.MYTRACK1=http://cm.consol.pl:8999/cmas-auth-portal-user.
- Review the default OIDC configuration, see Configuring SSO authentication. If different values are needed for one configuration, create configuration-specific properties to overwrite the defaults, e.g. oidc.track3.authority.MYTRACK1.
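An added illustration, not ConSol CM's code: a small Python model of the multi-URL setup above, with constructed properties for a MYTRACK1 configuration reached on port 8999. It assumes that the domain map is matched on the URL prefix and that a configuration-specific property takes precedence over its .default counterpart, and it adds a check that each configuration's redirectUri lies under the URL it is mapped to.

```python
from urllib.parse import urlsplit

# Constructed system properties (module cmas-core-security) for a CM/Track V3
# instance reached under a second URL, following the page's naming scheme:
# .default values plus a MYTRACK1 configuration for the port-8999 URL.
SYSTEM_PROPERTIES = {
    "oidc.track3.enabled.default": "true",
    "oidc.track3.providerType.default": "internal",
    "oidc.track3.authority.default": "http://cm.consol.pl/cmas-auth-portal-user",
    "oidc.track3.redirectUri.default": "http://cm.consol.pl/cm-track/oidc/",
    "domain.map.for.oidc.config.MYTRACK1": "http://cm.consol.pl:8999/cm-track",
    "oidc.track3.authority.MYTRACK1": "http://cm.consol.pl:8999/cmas-auth-portal-user",
    "oidc.track3.redirectUri.MYTRACK1": "http://cm.consol.pl:8999/cm-track/oidc/",
}

def _normalize(url):
    """Lower-case scheme and host, keep the path, drop a trailing slash."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def oidc_config_for_url(props, request_url):
    """Configuration whose domain.map.for.oidc.config URL covers request_url, else None."""
    wanted = _normalize(request_url)
    for key, value in props.items():
        if not key.startswith("domain.map.for.oidc.config."):
            continue
        base = _normalize(value)
        if wanted == base or wanted.startswith(base + "/"):
            return key.rsplit(".", 1)[1]
    return None

def oidc_property(props, client, name, config):
    """Configuration-specific value if one exists, otherwise the .default value."""
    if config is not None:
        specific = props.get(f"oidc.{client}.{name}.{config}")
        if specific is not None:
            return specific
    return props.get(f"oidc.{client}.{name}.default")

def redirect_uri_mismatches(props, client="track3"):
    """Configurations whose redirectUri is not under their mapped URL (wrong host)."""
    bad = []
    for key, value in props.items():
        if key.startswith("domain.map.for.oidc.config."):
            config = key.rsplit(".", 1)[1]
            uri = oidc_property(props, client, "redirectUri", config) or ""
            if not _normalize(uri).startswith(_normalize(value) + "/"):
                bad.append(config)
    return bad
```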