IAM - Identity Providers Google and Microsoft

Modified on Mon, 3 Apr, 2023 at 10:27 AM

In order for single sign-on (or SSO for short) to work seamlessly, identity providers need to integrate with the platform. IAM offers built-in options for connecting with external identity providers (IdPs) over OpenID Connect (OIDC) protocol. 


Note: Labforward IAM is based on Keycloak and can support more options, incl. other SSO protocols. This documentation only includes tested and, therefore, officially supported options. Contact us if you would like to use another IP or protocol for identity federation.


Using an external IdP, Labforward users can use their accounts with IdP without configuring a new password for their accounts. Also, with a single account, the users can access Laboperator, Workflow Editor, Labfolder, and Labregister.

Before getting to the configuration on Labforward products, it is necessary to have the SSO configured on the Identity Provider side, such as Google, Microsoft, etc.


TABLE OF CONTENTS



External Identity Provider Configuration

For external identity provider configuration, following their most updated tutorial is the preferred option.

ProviderTutorial
GoogleSet up SSO for your organization - Google Workspace Admin Help
MicrosoftHow and why apps are added to Azure AD - Microsoft Entra
App configuration reference: Understanding the Azure Active Directory app manifest - Microsoft Entra
OpenID Connect protocol: OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft Entra



Add an Identity Provider

Check /admin/master/console/#/realms/labforward/identity-provider-settings to see and edit the IdP settings. You can add IdPs from the top-right menu and edit the existing IdPs by clicking on them.



Set up Google

The presets are being used for the Google IdP, so Google needs to be added via

  • Add Provider → Google

The configuration is as follows.

ConfigValue
Client IDClient ID taken from Google client
Client SecretClient Secret generated by Google client
Default Scopesopenid profile email
EnabledON
Trust EmailON
First Login Flowiam-first-broker-login
Sync Modeimport


Set up Google IdP Mappers

The mappers for Google can be added via the Mappers tab. 3 mappers need to be defined.

The Mappers are as follows.

NameSync Mode OverrideMapper TypeSocial Profile JSON Field Path / User Session AttributeUser Attribute Name / User Session Attribute Value
hdinheritAttribute Importerhdorganization
is_idp_userinheritHardcoded User Session Attributeidp_usertrue
is_idp_reauth_supportedinheritHardcoded User Session Attributeis_idp_reauth_supportedfalse



Set up Microsoft 

The presets are not used for the Microsoft IdP, due to the customizations made for re-authentication, Microsoft needs to be added via

  • Add Provider → Extended OpenID Connect v1.0


ConfigValue
Display NameMicrosoft
EnabledON
Trust EmailON
First Login Flowiam-first-broker-login
Sync Modeimport
Authorization URLhttps://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URLhttps://login.microsoftonline.com/common/oauth2/v2.0/token
Disable User InfoON
User Info URLhttps://graph.microsoft.com/oidc/userinfo
Client IDClient ID taken from Microsoft client
Client SecretClient Secret generated by Microsoft client
Default Scopesopenid profile email
Promptunspecified
Validate SignaturesON
Use JWKS URLON
JWKS URLhttps://login.microsoftonline.com/common/discovery/v2.0/keys


Set up Microsoft IdP Mappers

NameSync Mode OverrideMapper TypeSocial Profile JSON Field Path / User Session AttributeUser Attribute Name / User Session Attribute Value
is_idp_userinheritHardcoded User Session Attributeidp_usertrue
is_idp_reauth_supportedinheritHardcoded User Session Attributeis_idp_reauth_supportedtrue



Manage & Store IdP Tokens

To manage/store the tokens issued by Google and Microsoft, refer to the specific article Receiving tokens from Upstream Identity Providers, please.


Conclusion

Once you set up the IdPs, the following options for SSO should be seen on the Login page.


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article