Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            IAM - Identity Providers Google and Microsoft

            Modified on Mon, 3 Apr, 2023 at 10:27 AM

            In order for single sign-on (or SSO for short) to work seamlessly, identity providers need to integrate with the platform. IAM offers built-in options for connecting with external identity providers (IdPs) over OpenID Connect (OIDC) protocol. 


            Note: Labforward IAM is based on Keycloak and can support more options, incl. other SSO protocols. This documentation only includes tested and, therefore, officially supported options. Contact us if you would like to use another IP or protocol for identity federation.


            Using an external IdP, Labforward users can use their accounts with IdP without configuring a new password for their accounts. Also, with a single account, the users can access Laboperator, Workflow Editor, Labfolder, and Labregister.

            Before getting to the configuration on Labforward products, it is necessary to have the SSO configured on the Identity Provider side, such as Google, Microsoft, etc.


            TABLE OF CONTENTS



            External Identity Provider Configuration

            For external identity provider configuration, following their most updated tutorial is the preferred option.

            ProviderTutorial
            GoogleSet up SSO for your organization - Google Workspace Admin Help
            MicrosoftHow and why apps are added to Azure AD - Microsoft Entra
            App configuration reference: Understanding the Azure Active Directory app manifest - Microsoft Entra
            OpenID Connect protocol: OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft Entra



            Add an Identity Provider

            Check /admin/master/console/#/realms/labforward/identity-provider-settings to see and edit the IdP settings. You can add IdPs from the top-right menu and edit the existing IdPs by clicking on them.



            Set up Google

            The presets are being used for the Google IdP, so Google needs to be added via

            • Add Provider → Google

            The configuration is as follows.

            ConfigValue
            Client IDClient ID taken from Google client
            Client SecretClient Secret generated by Google client
            Default Scopesopenid profile email
            EnabledON
            Trust EmailON
            First Login Flowiam-first-broker-login
            Sync Modeimport


            Set up Google IdP Mappers

            The mappers for Google can be added via the Mappers tab. 3 mappers need to be defined.

            The Mappers are as follows.

            NameSync Mode OverrideMapper TypeSocial Profile JSON Field Path / User Session AttributeUser Attribute Name / User Session Attribute Value
            hdinheritAttribute Importerhdorganization
            is_idp_userinheritHardcoded User Session Attributeidp_usertrue
            is_idp_reauth_supportedinheritHardcoded User Session Attributeis_idp_reauth_supportedfalse



            Set up Microsoft 

            The presets are not used for the Microsoft IdP, due to the customizations made for re-authentication, Microsoft needs to be added via

            • Add Provider → Extended OpenID Connect v1.0


            ConfigValue
            Display NameMicrosoft
            EnabledON
            Trust EmailON
            First Login Flowiam-first-broker-login
            Sync Modeimport
            Authorization URLhttps://login.microsoftonline.com/common/oauth2/v2.0/authorize
            Token URLhttps://login.microsoftonline.com/common/oauth2/v2.0/token
            Disable User InfoON
            User Info URLhttps://graph.microsoft.com/oidc/userinfo
            Client IDClient ID taken from Microsoft client
            Client SecretClient Secret generated by Microsoft client
            Default Scopesopenid profile email
            Promptunspecified
            Validate SignaturesON
            Use JWKS URLON
            JWKS URLhttps://login.microsoftonline.com/common/discovery/v2.0/keys


            Set up Microsoft IdP Mappers

            NameSync Mode OverrideMapper TypeSocial Profile JSON Field Path / User Session AttributeUser Attribute Name / User Session Attribute Value
            is_idp_userinheritHardcoded User Session Attributeidp_usertrue
            is_idp_reauth_supportedinheritHardcoded User Session Attributeis_idp_reauth_supportedtrue



            Manage & Store IdP Tokens

            To manage/store the tokens issued by Google and Microsoft, refer to the specific article Receiving tokens from Upstream Identity Providers, please.


            Conclusion

            Once you set up the IdPs, the following options for SSO should be seen on the Login page.


            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0