Configure Remote IdPs

A LogicNets instance is configured to use only local accounts by default. However, you can also configure one or more external (remote) IdPs for authentication. In this case, the LogicNets instance acts as an IdP client (relying party, RP). It is also possible to disable authentication with local user accounts once one or more remote IdPs are configured.

The remote IdP configuration is located in the instance configuration file (<logicnets-installation-path>/dat/settings.cfg) or in the company-specific configuration file (<logicnets-installation-path>/dat/bnt/<company>/settings.cfg). Per IdP, a set of configuration parameters is present in the _session.OAUTH.MODES section.

Each IdP can be enabled and disabled in the _context.OAUTH_MODES section.

In this section you can also disable authentication using local user accounts (_local = 0). Before configuring a remote IdP, an IdP-specific registration process needs to be followed (see your IdP's documentation for details). During this registration step, the client ID and secret are generated, the IdP client redirect URI must be registered, and the allowed scopes must be configured. The following parameters are available per remote IdP.

Parameter (type): description

openid_configuration_uri (string): OPTIONAL. OpenID Provider Configuration endpoint URL (including the https:// scheme) pointing to the openid-configuration document, e.g. https://login.microsoftonline.com/common/.well-known/openid-configuration or https://logon.logicnets.com/logon/.well-known/openid-configuration. This URI is used to retrieve the information about the IdP's endpoints. If it is left empty, the token signature cannot be verified and the other endpoints (userinformation, token, authorize) must be configured manually.

client_id (string): REQUIRED. The client ID generated during the registration step at the remote IdP.

client_secret (string): REQUIRED. The client secret generated during the registration step at the remote IdP.

auth_uri (string): OPTIONAL. The IdP's authorization endpoint URI. This URI is used to redirect the client's browser to the remote IdP's login page. If it is left blank, the authorization_endpoint value received from the OpenID Provider Configuration endpoint (configured in openid_configuration_uri) is used. It is nevertheless recommended that you fill in auth_uri, to avoid additional round trips to the OpenID Provider Configuration endpoint.

auth_parameters (string): OPTIONAL. The value of this parameter is appended to the authorization endpoint URL before it is called. It can be used to pass call-specific values to the remote IdP authorization endpoint, in particular when the LogicNets authorization endpoint (IdP) acts as a proxy to other IdPs and some input parameters must be passed on to the next IdP in the chain.

Example:
login_hint=$(login_hint)&alert=$(alert)&max_age=$(max_age)&prompt=$(prompt)

The following $(..) placeholders are available:
- $(login_hint): The login_hint query parameter value passed initially to the LogicNets authorization endpoint.
- $(prompt): The prompt query parameter value passed initially to the LogicNets authorization endpoint.
- $(max_age): The max_age query parameter value passed initially to the LogicNets authorization endpoint, or the session-timeout value set by the LogicNets application that initiated the authentication.
- $(alert): The alert query parameter value passed initially to the LogicNets authorization endpoint, or the value set by the LogicNets application that initiated the authentication.

redirect_uri (string): DEPRECATED. Do not use.

scope (string): REQUIRED. The space-delimited list of scopes passed to the remote IdP authorization endpoint. If it is left empty, the remote IdP will most probably return an error or no user information. The typical value is openid email profile offline_access. The offline_access scope is included so that access and ID tokens can be refreshed; without this scope, typically no refresh token is returned.

token_uri (string): OPTIONAL. The IdP's token endpoint URI. This URI is used to retrieve the initial or refreshed access and ID tokens. If it is left blank, the system uses the token_endpoint value received from the OpenID Provider Configuration endpoint (configured in openid_configuration_uri). It is nevertheless recommended that you fill in token_uri, to avoid additional round trips to the OpenID Provider Configuration endpoint.

user_uri (string | collection of strings): OPTIONAL. The IdP's userinformation endpoint URI. The system uses this URI to retrieve additional information about the authenticated user. Some IdPs do not deliver an ID token; in that case the system uses the userinformation endpoint to retrieve the basic user information, such as the user's email address.

Some IdPs deliver an access token that cannot be verified (signature, token type). In that case, the system uses the userinformation endpoint to validate the access token.

You can configure multiple URIs; the system then calls all of them to collect the necessary information about the authenticated user. If the parameter is left blank, the system uses the userinformation_endpoint value received from the OpenID Provider Configuration endpoint (configured in openid_configuration_uri). It is nevertheless recommended that you fill in user_uri, to avoid additional round trips to the OpenID Provider Configuration endpoint.

token_introspect_uri (string): OPTIONAL. The IdP's token introspection endpoint URI. LogicNets uses this URI (or URIs) to validate refresh, access and ID tokens. If it is left blank, the system uses the introspect_endpoint value received from the OpenID Provider Configuration endpoint (configured in openid_configuration_uri). It is nevertheless recommended that you fill in token_introspect_uri, to avoid additional round trips to the OpenID Provider Configuration endpoint.

caption (string): OPTIONAL. The human-readable name of the remote IdP. This parameter is currently not used, but may be used for display purposes in the future.

order (number): OPTIONAL. Used to sort the "Sign in with" buttons of the configured IdPs on the authentication page.

style (string): OPTIONAL. A CSS-compatible style string used to style the "Sign in with" button on the authentication page. An example style for an Office 365 sign-in button is: "background: url(/lncore/images/ms-symbollockup_signin_light.png) no-repeat center;".

LogicNets ships with the following images: 'ad_signin.png', 'btn_google_signin_dark_normal_web.png', 'jira_idp_signin.png', 'linkedin-signin-button.png', 'ms-symbollockup_signin_light.png', 'logicnets_idp_signin.png'.

logout_uri (string): OPTIONAL. The IdP's end-session endpoint URI. The system calls this URI in the browser when the user logs out. The IdP end-session endpoint needs to support the 'post_logout_redirect_uri' parameter, because LogicNets uses it to return the user to the LogicNets application or login page. Leave this parameter empty if users should not be logged out at the IdP when they log out of LogicNets.

group_assignments (collection): OPTIONAL. Use this parameter to assign group memberships dynamically, based on the claims received from the IdP. Every element in the collection contains at least an action and a group_name. The action can be 'include' or 'exclude'; group_name is the name of a user group defined in the local LogicNets system.

The optional 'rule' parameter is a query over the claims received from the external IdP. If the rule is left empty, all users are included in or excluded from the specified group. Rule examples:
- Match all users that have an @logicnets.com email address: strfind(jwt.email, "@logicnets%.com")
- Match all users that are members of the ADFS group with ID "S-1-5-21": ?/jwt/groupsid[_.this == 'S-1-5-21']

Examples:
{
   { action = "include", group_name = "admins", rule = "?/jwt/groupsid[_.this=='S-1']" },
   { action = "include", group_name = "myusers", rule = "?/jwt/groupsid[_.this=='S-2']" },
   { action = 'include', group_name = 'users' },
   { action = 'include', group_name = 'admins', rule = 'strfind(user_email, "@logicnets%.com")' }
}

You can use the oauth tester (started via 'https://<yourlogicnetshostname>/<yourcompanyname>/oauth-tester') to inspect the available claims. For example, the following ID token has the group information in the groupsid claim.

[screenshot of the ID token not reproduced]

attribute_mapping (collection): OPTIONAL. Use this parameter to map (custom) claims to standard OpenID claims or to LogicNets-specific claims. Every element in the collection contains a source and a target parameter. The target parameter can be any of the documented LogicNets-supported ID token claims. The source parameter contains the data-field source ("access_token", "id_token" or "userinformation"), followed by a dot and the path to the data field within that source (the ID token, the access token, or the data structure returned by the userinformation endpoint).

An example used with an Atlassian IdP:
{
    {
        source = "userinformation.displayName",
        target = "preferred_username"
    },
    {
        source = "userinformation.accountId",
        target = "sub"
    },
    {
        source = 'userinformation.emailAddress',
        target = "email"
    },
}

You can use the oauth tester (started via 'https://<yourlogicnetshostname>/<yourcompanyname>/oauth-tester') to inspect the available claims. For example, the following access token has the user's email address in the email and preferred_username claims, so the source field in the attribute mapping would have the value 'id_token.email':

[screenshot of the token not reproduced]

issuers (collection of strings): OPTIONAL. The issuers list is used to match a received access token (passed as bearer token) with a configured remote IdP configuration. It is also used to look up the right remote IdP configuration when the iss query parameter is passed to the authorize endpoint.

The iss claim in the access token is used for this matching.

Some remote IdPs generate tokens with different iss claim values (typically the tenant name or ID is part of the iss claim value). Therefore, you can configure multiple issuer strings or use wildcards (e.g. '{tenantid}'). The {..} wildcard syntax is used because several well-known IdPs use this syntax for the issuer claim in the OpenID Provider Configuration endpoint response.

For example:
{
    "https://login.microsoftonline.com/{tenantid}/v2.0",
    "https://sts.windows.net/{tenantid}/",
}

validate_signature (number): OPTIONAL. 0 | 1 (default).
- 0: The system does not validate the ID token signature. This is not recommended, as attackers use assembled tokens to gain access.
- 1: The system validates the ID token signature and only uses the ID token when the signature is valid.

verify_hostname (number): OPTIONAL. 0 | 1 (default).
- 0: The system does not check the HTTPS certificate and hostname. This is not recommended, as it exposes your system to man-in-the-middle attacks.
- 1: The system checks the HTTPS certificate and hostname.

user_email (string): DEPRECATED. Use attribute_mapping instead.

user_id (string): DEPRECATED. Use attribute_mapping instead.

user_name (string): DEPRECATED. Use attribute_mapping instead.

Currently, there is no editor/UI available to support the remote IdP configuration via the browser.
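The issuer matching with {..} wildcards and the validate_signature check described in the table above, as an added Python example (not LogicNets code): a small verifier that accepts an ID token only when its signature, iss, aud and exp are all valid, and shows what a tampered token gets through when the signature check is switched off (validate_signature = 0). To run offline it signs with an HS256 shared secret; a real OpenID provider signs with RS256 keys fetched from the jwks_uri listed in the document behind openid_configuration_uri. It also assumes that a {tenantid} wildcard matches exactly one path segment. The function names, the key, the client ID, the tenant ID and all claim values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Dict, List, Optional

# Constructed configuration mirroring the 'issuers' parameter (assumed values, not LogicNets code).
ISSUERS: List[str] = [
    "https://login.microsoftonline.com/{tenantid}/v2.0",
    "https://sts.windows.net/{tenantid}/",
]
CLIENT_ID = "example-client-id"          # constructed client_id
KEY = b"constructed-shared-secret"       # constructed HS256 key; real IdPs publish RSA keys via jwks_uri
NOW = 1_700_000_000                      # fixed clock so the example is deterministic


def issuer_regex(template: str) -> "re.Pattern[str]":
    """Compile an issuer template with {..} wildcards into an anchored regex.
    Assumption: a wildcard stands for exactly one path segment (no '/')."""
    literal_parts = re.split(r"\{[^{}]*\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def match_issuer(iss: str, templates: List[str] = ISSUERS) -> Optional[str]:
    """Return the configured issuer template that matches the iss claim, or None."""
    return next((t for t in templates if issuer_regex(t).match(iss)), None)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: Dict, key: bytes) -> str:
    """Mint a compact JWS with HS256; used here only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, client_id: str, templates: List[str] = ISSUERS,
                    validate_signature: int = 1, now: Optional[float] = None) -> Dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.
    validate_signature=0 reproduces the insecure setting: the signature is never checked."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    if validate_signature:
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's own choice
            raise ValueError("unexpected alg")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if match_issuer(str(claims.get("iss", "")), templates) is None:
        raise ValueError("issuer not configured")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("aud mismatch")
    if float(claims.get("exp", 0)) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


GOOD_CLAIMS = {  # constructed; the tenant ID is a placeholder
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "aud": CLIENT_ID, "sub": "user-1001", "exp": NOW + 600,
}


def demo() -> Dict[str, str]:
    """Effect of validate_signature on a genuine token and on one re-signed with the wrong key."""
    genuine = sign_hs256(GOOD_CLAIMS, KEY)
    tampered = sign_hs256({**GOOD_CLAIMS, "sub": "someone-else"}, b"not-the-idp-key")
    out = {"genuine": verify_id_token(genuine, KEY, CLIENT_ID, now=NOW)["sub"]}
    try:
        verify_id_token(tampered, KEY, CLIENT_ID, now=NOW)
        out["tampered_strict"] = "accepted"
    except ValueError as e:
        out["tampered_strict"] = str(e)
    out["tampered_lax"] = verify_id_token(tampered, KEY, CLIENT_ID, validate_signature=0, now=NOW)["sub"]
    return out


if __name__ == "__main__":
    print(demo())
```

With the default validate_signature = 1 the tampered token is rejected with "bad signature"; with 0 its forged subject is accepted as if it were genuine, which is exactly why the table marks that setting as not recommended. The iss check runs in both modes, so an issuer that matches none of the configured templates is always refused.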

External IdP Claim Mapping

When you use an external IdP, the LogicNets runtime extracts the user profile information from the access token, the ID token and/or the userinformation endpoint of the external IdP. When both an ID token and an access token are provided, the system uses the information from the access token first. When a userinformation endpoint is defined, the claims received from that endpoint have priority.

The next table shows the claims used. This mapping can also be overridden using the attribute_mapping parameter in the IdP configuration.
 

LogicNets claim: external claim(s) (when multiple claims are listed, the system uses the first non-empty one)
user_email: email, preferred_username, upn, unique_name
guid: sub
expires: exp
auth_time: auth_time
user_id: preferred_username, upn, unique_name, email
display_name: name, email, upn, unique_name
company: company
last_name: family_name
first_name: given_name
middle_name: middle_name
default_language: locale
phone: phone_number
picture: picture

If the ID token contains an fhirUser claim (a URL that can be used to retrieve FHIR-formatted user information), the system reads the user information from this endpoint. The FHIR user-information format contains multiple representations of the user information. The information is extracted from one representation, chosen in the following order (the first one that is filled in is used): usual, official, nickname, temp, anonymous, or <other>.

 

LogicNets claim: FHIR claim (when multiple claims are listed, the system uses the first non-empty one)
last_name: family
first_name: given (1st entry)
middle_name: given (2nd entry)
display_name: text
user_email: value of the first telecom entry whose system is email (a home email address is used first)
phone: value of the first telecom entry whose system is phone (work and home phone numbers are used first)
guid: id
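The claim precedence described in this section, together with the attribute_mapping and group_assignments parameters from the configuration table, as an added Python example (not LogicNets code). It assumes that the sources combine as ID token < access token < userinformation < attribute_mapping overrides, and that the external claims listed per LogicNets claim are then tried in order against that merged view. Group rules are written as Python callables standing in for the LogicNets ?/jwt/... and strfind() syntax, and include/exclude entries are assumed to apply in configuration order. The sample ID token, access token, Atlassian-style userinformation response and all function names are constructed.

```python
from typing import Any, Dict, List, Optional

Claims = Dict[str, Any]

# Mapping table from this section: LogicNets claim -> external claims, first non-empty wins.
CLAIM_MAP: Dict[str, List[str]] = {
    "user_email": ["email", "preferred_username", "upn", "unique_name"],
    "guid": ["sub"],
    "expires": ["exp"],
    "auth_time": ["auth_time"],
    "user_id": ["preferred_username", "upn", "unique_name", "email"],
    "display_name": ["name", "email", "upn", "unique_name"],
    "company": ["company"],
    "last_name": ["family_name"],
    "first_name": ["given_name"],
    "middle_name": ["middle_name"],
    "default_language": ["locale"],
    "phone": ["phone_number"],
    "picture": ["picture"],
}


def _filled(v: Any) -> bool:
    return v is not None and v != ""


def _lookup(data: Any, path: str) -> Any:
    """Follow a dotted path into nested data, e.g. 'profile.emailAddress'; None if absent."""
    for part in path.split("."):
        if not isinstance(data, dict) or part not in data:
            return None
        data = data[part]
    return data


def merge_claims(id_token: Optional[Claims] = None, access_token: Optional[Claims] = None,
                 userinformation: Optional[Claims] = None,
                 attribute_mapping: Optional[List[Dict[str, str]]] = None) -> Claims:
    """One merged claim view. Assumed priority, lowest first: ID token < access token <
    userinformation < attribute_mapping overrides. Empty values never shadow filled ones."""
    sources = {"id_token": id_token or {}, "access_token": access_token or {},
               "userinformation": userinformation or {}}
    # attribute_mapping entry: source is '<data source>.<path>', target is the claim name to set
    overrides: Claims = {}
    for entry in attribute_mapping or []:
        ds, _, path = entry["source"].partition(".")
        value = _lookup(sources.get(ds, {}), path)
        if _filled(value):
            overrides[entry["target"]] = value
    merged: Claims = {}
    for src in (sources["id_token"], sources["access_token"], sources["userinformation"], overrides):
        merged.update({k: v for k, v in src.items() if _filled(v)})
    return merged


def resolve_profile(claims: Claims) -> Claims:
    """Fill each LogicNets claim from the first non-empty external claim in CLAIM_MAP;
    a value already stored under the LogicNets claim name (e.g. mapped there) wins."""
    profile: Claims = {}
    for ln_claim, ext_names in CLAIM_MAP.items():
        candidates = [claims.get(ln_claim)] + [claims.get(n) for n in ext_names]
        profile[ln_claim] = next((v for v in candidates if _filled(v)), None)
    return profile


def assign_groups(claims: Claims, group_assignments: List[Dict[str, Any]]) -> List[str]:
    """Apply include/exclude entries in order; an entry without a rule applies to everyone.
    Rules are Python callables here, standing in for the LogicNets rule syntax."""
    groups: List[str] = []
    for entry in group_assignments:
        rule = entry.get("rule")
        if rule is not None and not rule(claims):
            continue
        name, action = entry["group_name"], entry["action"]
        if action == "include" and name not in groups:
            groups.append(name)
        elif action == "exclude" and name in groups:
            groups.remove(name)
    return groups


def build_session(id_token=None, access_token=None, userinformation=None,
                  attribute_mapping=None, group_assignments=None) -> Dict[str, Any]:
    """Profile and group list for one login under the assumptions above."""
    claims = merge_claims(id_token, access_token, userinformation, attribute_mapping)
    return {"profile": resolve_profile(claims), "groups": assign_groups(claims, group_assignments or [])}


# Constructed sample data (not real tokens): an ID token with ADFS group SIDs, an access token,
# an Atlassian-style userinformation response, and the mapping from the configuration table.
SAMPLE_ID_TOKEN: Claims = {"sub": "u-1001", "email": "jane@logicnets.com", "name": "Jane Doe",
                           "groupsid": ["S-1-5-21", "S-1-5-32"], "exp": 1700000600}
SAMPLE_ACCESS_TOKEN: Claims = {"preferred_username": "jane.doe", "upn": "jane@corp.example"}
SAMPLE_USERINFO: Claims = {"accountId": "atl-42", "displayName": "J. Doe", "emailAddress": "jane@atl.example"}
ATLASSIAN_MAPPING = [
    {"source": "userinformation.displayName", "target": "preferred_username"},
    {"source": "userinformation.accountId", "target": "sub"},
    {"source": "userinformation.emailAddress", "target": "email"},
]
GROUP_ASSIGNMENTS: List[Dict[str, Any]] = [
    {"action": "include", "group_name": "users"},                                 # everyone
    {"action": "include", "group_name": "admins",
     "rule": lambda c: "S-1-5-21" in c.get("groupsid", [])},                     # by group SID
    {"action": "exclude", "group_name": "admins",
     "rule": lambda c: not str(c.get("email", "")).endswith("@logicnets.com")},  # by email domain
]
```

Calling build_session with all three sources and the Atlassian mapping yields a profile whose user_email, guid and user_id come from the userinformation response (via the mapping) while display_name still comes from the ID token's name claim; the same user without the mapping resolves to the ID token's email and sub and the access token's preferred_username, and ends up in admins as well, because the exclusion rule only fires for non-logicnets.com addresses.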