Jump to content

OAuth Single Sign On

Recommended Posts

Hi all,

we are considering adding Single Sign On (SSO) support via OAuth in Intella Connect soon.

SSO allows a user to log in with a single ID and password only once to gain access to any of several related systems. For example, a user logs in to Google account and afterwards that user can navigate to GMail, Google Cloud or Intella Connect without any of those systems asking for username and password.

Would that satisfy your SSO needs?

What providers are you using?

Any best practices or special features you can think of that should be considered when implementing this feature into Intella Connect?


Link to comment
Share on other sites

Indeed OIDC seems to be the way to go, especially since it is so widely used by well-known companies (Google, Microsoft, Yahoo, PayPal, Amazon, SalesForce, PhantAuth, Okta).

I have also seen ability to operate own OpenID Connect provider/server.

Which OIDC provider/server would you be using if you don't mind sharing? The reason I'm asking is that implementing this feature into Connect is not enough. The users of SSO in Connect will need to know how to configure and use it with connection of their OIDC provider/server. I know that trying to configure and use a feature without any documentation can sometimes lead to frustration. So we want to be able to provide documentation about how to use SSO with your OIDC provider/server.

If you would prefer not to share, which is perfectly fine, then please let us know which OIDC provider/server should we write the documentation for. For example, would it be helpful if we would write documentation on how to setup SSO with Google?

Link to comment
Share on other sites

  • 5 weeks later...

In order for Intella Connect to integrate with OIDC provider and allow authentication via that OIDC provider, both OIDC provider and Intella Connect will need to be configured first. In this example I will show integration of Intella Connect and Google OIDC server. Intella Connect will allow multiple OIDC providers to be configured at once. Please note that the screenshots provided are subject to change.

On Connect side, new Single Sign On provider will be added with information that it requires to communicate with the OIDC provider:


All of the above fields can be found at OIDC provider's side. Intella Connect will then generate Redirect URI which will be needed when configuring the integration on OIDC provider's side:


Note that when integrating Intella Connect with Google OIDC server, you can for example see the Client ID and Client secret provided on the page shown in above screenshot.

Once this configuration is done, users that will navigate to Intella Connect page will see new button "Log in with Google":


When the user is already logged in with Google, then it is as simple as clicking on the button "Log in with Google" without filling username or password fields. Intella Connect will communicate in background with Google and create a login session with Intella Connect. The user will then be logged in:


If the user is not logged in when clicking on "Log in with Google" button, then the browser will redirect to Google login page in order for that user to log in. Afterwards, it will not be required to click on "Log in with Google" button again, since Intella Connect and Google will already exchange the user information in background and the user will then be automatically redirected to above screenshot.

Note that if a user does not have an account in Intella Connect which would relate to account at OIDC provider, then such account will be created automatically after a successful login. That is why the above screenshot shows "No cases have been shared with you yet.". It is because this is a new user that I just logged in with. Intella Connect administrator or cases manager can then assign this new user with cases.

Link to comment
Share on other sites

So the Intella Connect administrator doesn't need to create the new users, they just need to log in via Google (in this exemple) to access the "Welcome page".

Does the user have to be given permissions on the OIDC provider? Or anyone with access to a "permitted network" and a personal Google account can get there?

Link to comment
Share on other sites

When using Google OIDC, then I have been able to restrict access to only G Suite accounts of a particular company. I did try logging in with my private gmail account and the login was refused on Google side stating that only accounts from particular company are allowed.

When using Okta OIDC, then I could add people who can log in:


Please note that these settings are done on the OIDC provider side. So it is up to you to choose a provider that suits your needs. The provider needs to be OIDC standard complaint as described by the specifications: https://openid.net/specs/openid-connect-core-1_0.html

The status update on OIDC implementation in Connect is that the implementation is currently working and tested with the following OIDC providers:


Link to comment
Share on other sites

As I pointed out on the other topic (https://community.vound-software.com/topic/485-two-factor-authentication/), we tried to use Okta ase OIDC provider one year ago to implement a 2FA but after logging in with it, Intella Connect had troubles in rendering the ellipses in the graphical visualization of the searches, which resulted invisible.

Did you encounter this problem in your tests or has it been solved?

Link to comment
Share on other sites

Note that as of latest version (and any before it), Intella Connect does not support direct integration with OIDC provider. This is a new feature being developed - we aim to have this added to the next major release.

I don't know what exactly you tried, but I expect therefore that you tried some indirect integration, which may have resulted in some issues.

Since OIDC integration will be directly supported in Intella Connect, which we aim for next major release, then it is expected to receive proper testing before the release as well as direct support provided for customers with current Maintenance Agreement after the release.

Link to comment
Share on other sites

  • 8 months later...

Hello, Just trying to use the OIDC integration with Azure. Whilst most of the steps documented for Google OIDC integration should in theory work, it appears that the Azure Integration does not access redirect URIs that have a paramter in them.

The redirect URI provided by Intella when a new integration is created has the following parameter in it: http://x.x.x.x:9999/login/login.html?provider=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

To what extend can you push an update where the parameter is not required for us to be able to integrate this with Azure OIDC.


Link to comment
Share on other sites

I have tested OIDC integration with Microsoft Azure and it works without any issues with version 2.4 of Intella Connect. So there is no need for an update.

I'm attaching a guide to setup SSO with Microsoft Azure and Intella Connect: SSO with Intella Connect and Azure.pdf

Note that Microsoft Azure documentation of Redirect URI (reply URL) restrictions and limitations does not mention any restriction on query string parameters: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

When validating ID token and using RS algorithm, then JWK set needs to be downloaded in order to compare keys. By default, the connect and read timeout are 500 ms. Due to network latency or error, this can result in user to be denied access during login even if valid credentials are provided. This can be seen in the logs containing following error message:

"Couldn't retrieve remote JWK set: Read timed out"

In such case I suggest changing the timeout values as described in https://www.vound-software.com/docs/connect/2.4/Intella Connect Administrator Manual.html#_additional_settings

This guide to setup SSO with Microsoft Azure and Intella Connect will be added to upcoming new release of Intella Connect, so that it is also available in Intella Connect Administrator Manual.


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...