
...

Diagram: finOidc

...

Each time a user logs in via OpenID Connect, FIN receives a digitally signed user identity token. FIN cryptographically verifies the signature on this token every time a user logs in.

FIN uses the authorization code flow + PKCE (proof key for code exchange). By default, FIN requests the openid, profile and email scopes.

...

When configuring an IdP, a redirection URI back to FIN needs to be added. This is used after a user has successfully authenticated with the IdP. The format of the redirection URI is as follows:

...

Client id and secret

A unique client identifier and secret are used to authenticate FIN to the authorization server.

...

Diagram: finOidcExample1.drawio

A user is going to log in as Fred. Once authenticated, the user needs to be mapped to a group in FIN as either an operator or engineer. In order for this mapping to happen, the group attribute needs to be set to groups. FIN will then look at the authenticated user’s group attribute and match it against each group’s oidcUserProtoAttrVal value.
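The authorization code flow with PKCE described above and the group mapping described here, as an added example that is not FIN's own code. The authorize endpoint, redirect URI and FIN group values are assumed or constructed, and the claims passed to the mapping function are taken from a token whose signature has already been verified:

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Hypothetical endpoints (not from the page): FIN's redirect URI and the IdP's authorize endpoint.
REDIRECT_URI = "https://fin.example/oidc/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
SCOPES = "openid profile email"  # the scopes FIN requests by default

# Constructed sample FIN groups: each carries the oidcUserProtoAttrVal it is matched on.
FIN_GROUPS = {
    "operator": {"oidcUserProtoAttrVal": "fin-operators"},
    "engineer": {"oidcUserProtoAttrVal": "fin-engineers"},
}


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:  # 32 random bytes -> 43-char URL-safe verifier
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_url(client_id: str, state: str, code_challenge: str) -> str:
    """Authorization request for the code flow; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,  # binds the callback to this browser session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def map_user_to_fin_group(claims: dict, group_attr: str = "groups") -> Optional[str]:
    """Match the verified token's group attribute against each FIN group's
    oidcUserProtoAttrVal. None means no group matched and login must be refused."""
    user_groups = claims.get(group_attr, [])
    if isinstance(user_groups, str):  # some IdPs emit a single string, not a list
        user_groups = [user_groups]
    for name, cfg in FIN_GROUPS.items():
        if cfg["oidcUserProtoAttrVal"] in user_groups:
            return name
    return None
```

The code_verifier stays on the FIN side and is only sent with the token request, so an intercepted authorization code cannot be redeemed without it.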

...

Diagram: fin2finSSO.drawio

...

  • HTTPS should be used for secure communication.

  • Host URI setting needs to be set on each FIN instance.

  • FIN B needs to use FIN A’s OIDC server details.

    • Go to FIN A and log in as a super user.

    • Click on Settings.

    • Scroll down to the OpenID Connect (SSO) section.

    • Click Yes for server enabled setting.

    • Click on OIDC Server Details.

    • Record the Discovery endpoint, client id and client secret information.

    • Navigate to FIN B and log in as a super user. Again navigate to the OpenID Connect (SSO) settings.

    • Enter the recorded information into the Discovery endpoint, client id and client secret settings and save.
      Navigating to FIN B should now redirect the user to FIN A to log in. After logging in, the user should be navigated back to FIN A.

    • Under Host go to Crypto. Add FIN A’s address (e.g. https://fina) as a trusted URI.

      • Although not ideal, FIN A is most likely using a self-signed certificate, hence we need to explicitly trust it.

...