
OAuth Single Sign On



Hi all,

We are considering adding Single Sign On (SSO) support via OAuth to Intella Connect soon.

SSO allows a user to log in with a single ID and password only once to gain access to any of several related systems. For example, a user logs in to a Google account and afterwards that user can navigate to GMail, Google Cloud or Intella Connect without any of those systems asking for a username and password.

Would that satisfy your SSO needs?

What providers are you using?

Any best practices or special features you can think of that should be considered when implementing this feature into Intella Connect?


Indeed OIDC seems to be the way to go, especially since it is so widely used by well-known companies (Google, Microsoft, Yahoo, PayPal, Amazon, SalesForce, PhantAuth, Okta).

I have also seen the ability to operate one's own OpenID Connect provider/server.

Which OIDC provider/server would you be using, if you don't mind sharing? The reason I'm asking is that implementing this feature in Connect is not enough. The users of SSO in Connect will need to know how to configure and use it in connection with their OIDC provider/server. I know that trying to configure and use a feature without any documentation can sometimes lead to frustration. So we want to be able to provide documentation about how to use SSO with your OIDC provider/server.

If you would prefer not to share, which is perfectly fine, then please let us know which OIDC provider/server we should write the documentation for. For example, would it be helpful if we wrote documentation on how to set up SSO with Google?


  • 5 weeks later...

In order for Intella Connect to integrate with an OIDC provider and allow authentication via that OIDC provider, both the OIDC provider and Intella Connect will need to be configured first. In this example I will show the integration of Intella Connect and the Google OIDC server. Intella Connect will allow multiple OIDC providers to be configured at once. Please note that the screenshots provided are subject to change.

On the Connect side, a new Single Sign On provider will be added with the information it requires to communicate with the OIDC provider:

[screenshot]

All of the above fields can be found on the OIDC provider's side. Intella Connect will then generate a Redirect URI which will be needed when configuring the integration on the OIDC provider's side:

[screenshot]

Note that when integrating Intella Connect with the Google OIDC server, you can for example see the Client ID and Client secret provided on the page shown in the above screenshot.

Once this configuration is done, users that navigate to the Intella Connect page will see a new button "Log in with Google":

[screenshot]

When the user is already logged in with Google, then it is as simple as clicking on the button "Log in with Google" without filling in the username or password fields. Intella Connect will communicate in the background with Google and create a login session with Intella Connect. The user will then be logged in:

[screenshot]

If the user is not logged in when clicking on the "Log in with Google" button, then the browser will redirect to the Google login page in order for that user to log in. Afterwards, it will not be required to click on the "Log in with Google" button again, since Intella Connect and Google will already have exchanged the user information in the background and the user will then be automatically redirected to the page in the above screenshot.

Note that if a user does not have an account in Intella Connect which relates to the account at the OIDC provider, then such an account will be created automatically after a successful login. That is why the above screenshot shows "No cases have been shared with you yet.". It is because this is a new user that I just logged in with. The Intella Connect administrator or case manager can then assign cases to this new user.
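The flow in the post above (button, redirect to the provider, redirect back, session created) is the OIDC authorization code flow seen from the relying party. The following is an added illustration of the checks a relying party performs on that round trip, written for this thread and not Intella Connect's own code; the endpoint, client ID, redirect URI (including the `?provider=` query parameter) and claim values are constructed placeholders.

```python
import secrets
import urllib.parse

# Added example (not Intella Connect's code): the relying-party side of the
# OIDC authorization code flow. All endpoint/client/redirect values used with
# these functions are constructed placeholders.


def new_state_and_nonce():
    """Fresh unguessable values; store them in the user's session before redirecting."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            state, nonce, scope="openid email profile"):
    """URL the browser is sent to when "Log in with <provider>" is clicked.

    redirect_uri is percent-encoded as a whole, so a query string such as
    ?provider=<id> survives the round trip to the provider unchanged and the
    provider can compare it exactly against the registered value.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,   # CSRF binding between this request and the callback
        "nonce": nonce,   # replay binding between this request and the ID token
    }
    return authorization_endpoint + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Check the provider's redirect back to us and return the authorization code."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def validate_id_token_claims(claims, issuer, client_id, nonce, now, max_skew=300):
    """Claim checks from OIDC Core 3.1.3.7, applied AFTER the signature is verified.

    Returns a list of problems; an empty list means the claims are acceptable.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience does not include this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + max_skew:
        problems.append("issued-at time is in the future")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("missing subject")
    return problems


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print(build_authorization_url("https://provider.example/authorize", "client-id",
                                  "http://10.0.0.5:9999/login/login.html?provider=abc",
                                  state, nonce))
```

The `state` value is what ties the callback to the browser session that started the login, and the `nonce` is what ties the ID token to that same request; an integration that skips either check accepts tokens that were not issued for this login attempt.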


So the Intella Connect administrator doesn't need to create the new users; they just need to log in via Google (in this example) to access the "Welcome page".

Does the user have to be given permissions on the OIDC provider? Or anyone with access to a "permitted network" and a personal Google account can get there?


When using Google OIDC, I have been able to restrict access to only the G Suite accounts of a particular company. I did try logging in with my private gmail account and the login was refused on the Google side, stating that only accounts from a particular company are allowed.

When using Okta OIDC, I could add the people who can log in:

[screenshot]

Please note that these settings are done on the OIDC provider side. So it is up to you to choose a provider that suits your needs. The provider needs to be OIDC standard compliant as described by the specification: https://openid.net/specs/openid-connect-core-1_0.html

The status update on OIDC implementation in Connect is that the implementation is currently working and tested with the following OIDC providers:


As I pointed out on the other topic (https://community.vound-software.com/topic/485-two-factor-authentication/), we tried to use Okta as OIDC provider one year ago to implement 2FA, but after logging in with it, Intella Connect had trouble rendering the ellipses in the graphical visualization of the searches, which ended up invisible.

Did you encounter this problem in your tests or has it been solved?


Note that as of the latest version 2.3.1.2 (and any before it), Intella Connect does not support direct integration with an OIDC provider. This is a new feature being developed - we aim to have this added to the next major release.

I don't know what exactly you tried, but I therefore expect that you tried some indirect integration, which may have resulted in some issues.

Since OIDC integration will be directly supported in Intella Connect, which we aim to include in the next major release, it is expected to receive proper testing before the release, as well as direct support for customers with a current Maintenance Agreement after the release.


  • 8 months later...

Hello, just trying to use the OIDC integration with Azure. Whilst most of the steps documented for the Google OIDC integration should in theory work, it appears that the Azure integration does not accept redirect URIs that have a parameter in them.

The redirect URI provided by Intella when a new integration is created has the following parameter in it: http://x.x.x.x:9999/login/login.html?provider=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

To what extent can you push an update where the parameter is not required, so that we are able to integrate this with Azure OIDC?

Thanks.


I have tested the OIDC integration with Microsoft Azure and it works without any issues with version 2.4 of Intella Connect. So there is no need for an update.

I'm attaching a guide to set up SSO with Microsoft Azure and Intella Connect: SSO with Intella Connect and Azure.pdf

Note that the Microsoft Azure documentation of Redirect URI (reply URL) restrictions and limitations does not mention any restriction on query string parameters: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url

When validating an ID token signed with an RS algorithm, the JWK set needs to be downloaded in order to compare keys. By default, the connect and read timeouts are 500 ms. Due to network latency or errors, this can result in the user being denied access during login even if valid credentials are provided. This can be seen in the logs as the following error message:

"Couldn't retrieve remote JWK set: Read timed out"

In such a case I suggest changing the timeout values as described in https://www.vound-software.com/docs/connect/2.4/Intella Connect Administrator Manual.html#_additional_settings

This guide to set up SSO with Microsoft Azure and Intella Connect will be added to the upcoming new release of Intella Connect, so that it is also available in the Intella Connect Administrator Manual.
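The timeout failure described above (a JWK set fetch that times out during ID-token validation and turns into a refused login) is a property of how the relying party retrieves signing keys, so raising the timeout is one fix and retrying plus keeping a last-known-good key set is another. The following is an added example written for this thread, not Intella Connect's implementation, showing a JWKS client with an explicit timeout, a retry, and a bounded-staleness cache; the JWKS document and the fetch behaviour it uses are constructed so the example runs offline.

```python
import json
import socket
import time
import urllib.request

# Added example (not Intella Connect's code): a JWK set client that survives a
# single "Read timed out" during login. CONSTRUCTED_JWKS is a made-up document;
# its modulus is a placeholder, not a real key.
CONSTRUCTED_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "k1", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]})


class JwksClient:
    def __init__(self, jwks_uri, timeout=0.5, retries=1, max_stale=3600,
                 fetch=None, clock=time.monotonic):
        self.jwks_uri = jwks_uri
        self.timeout = timeout        # seconds; urllib applies one value to connect and read
        self.retries = retries        # extra attempts after the first failure
        self.max_stale = max_stale    # how long a cached set may be reused when refresh fails
        self._fetch = fetch or self._http_fetch
        self._clock = clock
        self._keys = None             # last-known-good set, kid -> JWK
        self.fetched_at = None

    @staticmethod
    def _http_fetch(url, timeout):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")

    def refresh(self):
        """Download the key set; fall back to a recent cached copy if every attempt fails."""
        last_error = None
        for _ in range(self.retries + 1):
            try:
                body = self._fetch(self.jwks_uri, self.timeout)
                keys = {k["kid"]: k for k in json.loads(body)["keys"] if "kid" in k}
                self._keys, self.fetched_at = keys, self._clock()
                return keys
            except (socket.timeout, OSError, ValueError, KeyError) as exc:
                last_error = exc
        if self._keys is not None and self._clock() - self.fetched_at <= self.max_stale:
            return self._keys   # bounded staleness: a revoked key is not trusted forever
        raise RuntimeError(f"Couldn't retrieve remote JWK set: {last_error}")

    def get_key(self, kid):
        """Return the JWK for the token's kid, refreshing once in case the provider rotated keys."""
        keys = self._keys if self._keys is not None else self.refresh()
        if kid not in keys:
            keys = self.refresh()
        if kid not in keys:
            raise KeyError(f"no signing key with kid={kid!r}")
        return keys[kid]


def make_scripted_fetch(script):
    """Simulated network for tests: each call consumes the next script item;
    'timeout' raises a read timeout, any other item is returned as the response body.
    Once the script is exhausted every call times out."""
    calls, steps = [], list(script)

    def fetch(url, timeout):
        calls.append(timeout)
        step = steps.pop(0) if steps else "timeout"
        if step == "timeout":
            raise socket.timeout("Read timed out")
        return step

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    client = JwksClient("https://provider.example/.well-known/jwks.json", timeout=2.0,
                        fetch=make_scripted_fetch(["timeout", CONSTRUCTED_JWKS]))
    print(client.get_key("k1")["alg"])   # first call times out, retry succeeds
```

The cache is deliberately bounded by `max_stale`: reusing a key set indefinitely after the provider becomes unreachable would keep trusting a key the provider may have rotated out, so the fallback only covers a transient outage.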
