...
...
Each time a user logs in via OpenID Connect, FIN receives a digitally signed identity (ID) token from the IdP. FIN cryptographically verifies this token's signature every time a user logs in; a token that does not verify is not accepted.
FIN uses the authorization code flow with PKCE (Proof Key for Code Exchange). By default, FIN requests the openid, profile and email scopes.
...
When configuring an IdP, a redirection URI back to FIN needs to be registered with the IdP. The IdP sends the browser to this URI after the user has successfully authenticated. The format of the redirection URI is as follows:
...
Client id and secret
A unique client identifier and client secret are issued by the authorization server and identify FIN to it when FIN exchanges the authorization code for tokens.
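The following is an added example, not code from FIN or from this page, showing the pieces the paragraphs above describe: a PKCE verifier/challenge pair, the front-channel authorization request with the default openid, profile and email scopes, the back-channel token request that carries the client id, client secret and the plain verifier, and the check the authorization server performs that makes a stolen authorization code useless without the verifier. The endpoints, client id, client secret and redirect URI are constructed placeholders (the page's real redirection URI format is not shown here).

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed values for illustration only; FIN's real endpoints, client id,
# secret and redirect URI format are not taken from the page.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/token"
CLIENT_ID = "fin-client-id"
CLIENT_SECRET = "fin-client-secret"
REDIRECT_URI = "https://fin.example.com/oidc/callback"   # assumed format
DEFAULT_SCOPES = ("openid", "profile", "email")          # FIN's default scopes


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, nonce: str,
                            scopes=DEFAULT_SCOPES) -> str:
    """Front-channel request the browser is sent to. Only the challenge leaves
    the client; the verifier stays in the server-side session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                  # binds the response to this browser session
        "nonce": nonce,                  # echoed back inside the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Back-channel POST body: the code, the client credentials and the plain verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code_verifier": verifier,
    }


def authorization_server_check(stored_challenge: str, method: str,
                               presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    if method != "S256":
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(verifier, state, nonce))
    # The IdP redirects back with a code (constructed here); FIN then posts this body.
    print(build_token_request("constructed-auth-code", verifier))
    print(authorization_server_check(code_challenge_s256(verifier), "S256", verifier))
```

The `state` value must be compared against the session on the way back and the `nonce` must later be checked inside the ID token; neither is optional in a public-facing deployment.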
...
A user is going to log in as Fred. Once authenticated, the user needs to be mapped to a group in FIN as either an operator or an engineer. For this mapping to happen, the group attribute setting needs to be set to groups, so FIN will look at the authenticated user's groups attribute in the ID token. Its value is matched against each FIN group's oidcUserProtoAttrVal value.
...
...
HTTPS should be used for secure communication.
Host URI setting needs to be set on each FIN instance.
FIN B needs to use FIN A’s OIDC server details.
Go to FIN A and log in as a super user.
Click on Settings.
Scroll down to the OpenID Connect (SSO) section.
Click Yes for server enabled setting.
Click on OIDC Server Details.
Record the Discovery endpoint, client id and client secret information.
Navigate to FIN B and log in as a super user. Again navigate to the OpenID Connect (SSO) settings.
Enter the recorded information into the Discovery endpoint, client id and client secret settings and save.
Navigating to FIN B should now redirect the user to FIN A to log in. After logging in, the user should be redirected back to FIN B.
Under Host go to Crypto. Add FIN A's address (e.g. https://fina) as a trusted URI.
Although not ideal, FIN A is most likely using a self-signed certificate, hence FIN B needs to trust it explicitly.
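As an added example, not part of this page or of FIN, the following check is what a practitioner would run against the discovery endpoint recorded from FIN A before entering it into FIN B: it confirms the discovery URL ends in the standard well-known path, that the issuer inside the document matches the issuer the URL was derived from (OpenID Connect Discovery requires this, and a mismatch means tokens would come from a different issuer than the one configured), that every endpoint is https, and that S256 PKCE is advertised. The discovery document and its endpoint paths are constructed; FIN A's real document is not shown on the page, and the TLS trust for its self-signed certificate is handled in FIN's Crypto settings rather than here.

```python
import json
from typing import List
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document standing in for what FIN A would return.
# Field names follow OpenID Connect Discovery 1.0; the values are assumed.
DISCOVERY_URL = "https://fina" + WELL_KNOWN
DISCOVERY_DOC = json.dumps({
    "issuer": "https://fina",
    "authorization_endpoint": "https://fina/oidc/authorize",   # path assumed
    "token_endpoint": "https://fina/oidc/token",               # path assumed
    "jwks_uri": "https://fina/oidc/jwks",                      # path assumed
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
})

REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(discovery_url: str, body: str) -> List[str]:
    """Return the list of problems found; an empty list means the server
    configuration is acceptable for FIN B to use."""
    problems = []
    doc = json.loads(body)
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
        expected_issuer = discovery_url
    else:
        expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    # Issuer in the document must equal the issuer the URL was built from.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    # Every endpoint FIN B will talk to must exist and be https.
    for field in REQUIRED_URLS:
        url = doc.get(field)
        if not url:
            problems.append(f"missing {field}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("server does not advertise S256 PKCE")
    return problems


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, DISCOVERY_DOC))   # [] when everything lines up
```

The discovery endpoint, client id and client secret that go into FIN B's settings are only as trustworthy as the channel they were fetched over, which is why the trusted URI for FIN A's certificate matters even on an internal network.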
...