TABLE OF CONTENTS

• Introduction
• External Identity Provider Configuration
• Add an Identity Provider
• Set up Google
  • Sync Mode Options
  • Set up Google IdP Mappers
• Set up Microsoft
  • Sync Mode Options
  • Set up Microsoft IdP Mappers
• Look of IdP Google And Microsoft Activated

Introduction

IAM offers built-in options for connecting with external identity providers (IdPs) over OpenID Connect (OIDC) protocol.

Labforward IAM is based on Keycloak and can support more options, incl. other SSO protocols. This documentation only includes tested and, therefore, officially supported options. Contact us if you would like to use another IdP or protocol for identity federation.

Using an external IdP, Labforward users can use their accounts with IdP without configuring a new password for their accounts. Also, with a single account, the users are able to access Laboperator, Workflow Editor, Labfolder, and Labregister.

Before getting to the configuration on Labforward products, it is necessary to have the SSO configured on the Identity Provider side, such as Google, Microsoft, etc.

External Identity Provider Configuration

For that, following their most updated tutorial is the preferred option:

• Google - Set up SSO for your organization - Google Workspace Admin Help
• Microsoft

• How and why apps are added to Azure AD - Microsoft Entra
• App configuration reference: Understanding the Azure Active Directory app manifest - Microsoft Entra
• OpenID Connect protocol: OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft Entra

Add an Identity Provider

In the admin panel realm labforward, visit the menu “Identity providers” to see and edit the IdP settings. You can add IdPs from the top-right menu and edit the existing IdPs by clicking on them.

Set up Google

The presets are being used for Google IdP, so Google needs to be added via

• Add Provider → Google

The configuration is as follows:

Sync Mode Options

When Sync Mode is set to Import, the user data (first and last names and email) will be imported only once from the Identity Provider into IAM.

In case it’s desired that the IAM profile is always in sync with the remote Identity Provider, this should be set to Force.

Set up Google IdP Mappers

The mappers for Google can be added via the Mappers tab. 3 mappers need to be defined:

The mappers are as follows:

Set up Microsoft

The presets are not used for the Microsoft IdP, due to the customizations made for re-authentication, Microsoft needs to be added via

• Add Provider → Extended OpenID Connect v1.0

Sync Mode Options

When Sync Mode is set to Import, the user data (first and last names and email) will be imported only once from the Identity Provider into IAM.

In case it’s desired that the IAM profile is always in sync with the remote Identity Provider, this should be set to Force

Set up Microsoft IdP Mappers

Look of IdP Google And Microsoft Activated

Once you set up the IdPs, the following options for SSO should be seen on the Login page: