Single Sign On (SSO)
P6 Auth uses SSO Connections to define provider specific configuration for authentication and user provisioning.
One or more SSO Connections may be created for a single Platform 6 Instance. Each SSO Connection has a name and SSO Connections are always listed in name order.
Authentication¶
An important attribute of an SSO Connection is the Login Context (URL). This URL allows the Platform 6 Portal Login page to identify which SSO connect using... buttons to display to the user.
For example, if my organisation is allocated a custom login context of: https://mybiz.portal.amalto.com then this URL will be used to find all SSO Connections defined with this as the Login Context.
The SSO Connections found will be used to display the SSO connection button(s) on the login page.
By default, the display of SSO connection buttons will disable the display of the standard Amalto username/password login fields.
Note
This behaviour can be overridden using the json attribute allowSSOAndBaseLogin: true for the defined client section in the portal_config.json file.
Each SSO Connection has a Connection Type attribute which may be set to either:
- OIDC (Open ID Connect): https://openid.net/connect/
or
- SAML (Security Assertion Markup Language): https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Currently only OIDC is supported.
The SSO Connection details form is available from a tab of the Administration menu in the Platform 6 Portal:
A user requires the following permissions to use the SSO Connections configuration:
-
sso=read (to list and review the SSO Connections)
-
sso=edit (to add and update SSO Connections)
-
sso=delete (to remove an SSO Connection)
Disabled SSO Connection¶
If an SSO Connection is not enabled (disabled) it will still be shown on the associated login page but will not be selectable:
OIDC Connection Type Properties¶
OIDC property values will vary depending upon the authentication provider being used. It is essential these values match those defined by your provider.
Note
A good tool to validate low level OIDC configuration is: https://oidcdebugger.com/
| Property Name | Description |
|---|---|
| oidc.provider.url | Mandatory. The root context used to discover all other OIDC configuration. We wil append /.well-known/openid-configuration to this URL to request provider configuration. |
| oidc.client.id | Mandatory. Provider allocated. It is typically a UUID |
| oidc.authorize.request.scopes | Mandatory. Space separated OIDC defined values, typically openid or openid email |
| oidc.provider.tls.trustany | Optional. Set to true to disable TLS/SSL certificate validation on provider endpoints |
| oidc.client.secret | Optional. Provider allocated. Not always required but must match provider configured value |
| oidc.token.signature | Optional. Signature type used to sign OIDC id_token. One of: NONE, RS256, HMAC (default: RS256) |
| oidc.email.claim | Optional. Claim set attribute to inspect for email address to use for auto provisioning, if the email claim set attribute is not found. |
| oidc.claim.string.match | Optional. A string claim set attribute that must be present and who’s value must match the given value otherwise authentication will be denied. (format: key=value) |
| oidc.claim.stringlist.match | Optional. A string list claim set attribute that must be present and contain all the values given. (format key=value,value,…) |
| oidc.discovery | Optional. Does the OIDC Identity Provider support endpoint discovery? (default: true) |
| oidc.flow.implicit | Optional. The authorization server will return an ID token directly back to the client? (default: true) |
| oidc.authorization.endpoint | Optional. Authorization endpoint if oidc.discovery is not supported. |
| oidc.response.type | Optional. The response type to request from the Authorization endpoint. One or more of id_token code token (default: id_token) |
| oidc.token.endpoint | Optional. An endpoint to use to exchange a code for an access_token. Only required if oidc.flow.implicit=false and oidc.response.type=code. |
| oidc.userinfo.endpoint | Optional. When using a code or hybrid flow, a user information endpoint is required to collect email and user names |
| oidc.end.session.with.hint | Optional. Used with Microsoft AD FS to enable the passing of the OIDC id_token as parameter id_token_hint to the end session endpoint. Set as : true |
| oidc.ui.redirect.uri | Optional. An additional redirection made by the ui after processing the id_token or code in the OIDC flow. (default: none) |
| oidc.response.mode | Optional. An override for the response_mode requested of the Authorization endpoint. One of fragment, query or form_post. (default: ‘’) |
| p6mc.auto.provision.account | Internal use only |
| p6mc.auto.provision.baseContext | Internal use only |
| p6mc.auto.provision.infoPath | Internal use only |
Provider Configuration¶
In addition to the above, the provider requires the prior registration of the following:
- Redirect URI: This value should be set to the
Login Context (URL)specified on the SSO Connection
Claims Matching¶
It is possible to use the optional claims match properties to restrict access to only a subset of SSO users. Claims matching is a mechanism whereby P6 Auth will check an SSO users claim set when they attempt a login. If the specified (String or StringList) claim set values do not match the configured and expected values, authenticated access is denied.
Some OIDC providers allow the administrator to add custom claims to a user. This will vary depending upon provider. However, consider the example of adding a users department name to their claim set and only allowing users from that department access to Platform 6. By adding the following property this could be achieved:
- oidc.claim.string.match: dept=procurement
Another example when using Microsoft Azure as your provider is to enable group membership claims. To activate this you need to add the following to the application manifest of the Platform 6 App definition using the Azure portal:
"groupMembershipClaims": "SecurityGroup",
Next you need to identify the OID of the group you wish to restrict access by. As an example, consider we created an Azure User Group called platform6 and an OID of: ec6d1489-b580-4078-a536-89d1e63126ad
Adding the following claims match property will restrict access to only those users in the platform6 group:
- oidc.claim.stringlist.match: groups=ec6d1489-b580-4078-a536-89d1e63126ad
Auto Provisioning¶
If selected, Auto-provision will automatically add a P6 User if one does not exist when an SSO user first logs in. It will use an email address identified in the claim set as the P6 User email.
If a new user is created, they will be assigned the permissions and initial organizational tree position specified on the SSO Connection.
Note
When possible the firstname and lastname of an SSO user are also collected and used in user profile creation.
P6 User Email Identification Using Claim Set
A users email is determined by examining the claim set provided by the SSO provider. The email is generally available in the claim set if the property oidc.authorize.request.scopes contains email
However this is not always the case and you may need to specify an alternative claim set attribute to use if the email claim is missing or empty.
The following property is used to specify the claim set attribute to use in this case:
oidc.email.claim
Note
This value should be set to upn when interacting with Azure Active Directory users
SSO Provisioned User Indicators¶
When listing users using the Administration menu, P6 users that have been created as the result of SSO provisioning will appear visually different to other users as they will be displayed with the SSO ‘badge’.
Provider Integrated User Provisioning¶
Warning
Provider integrated user provisioning is not supported in the current version of Platform 6