Andrej

OAuth Single Sign On


Hi all,

we are considering adding Single Sign On (SSO) support via OAuth in Intella Connect soon.

SSO allows a user to log in with a single ID and password only once to gain access to any of several related systems. For example, a user logs in to a Google account and afterwards that user can navigate to Gmail, Google Cloud or Intella Connect without any of those systems asking for a username and password.

Would that satisfy your SSO needs?

What providers are you using?

Any best practices or special features you can think of that should be considered when implementing this feature into Intella Connect?

 

Share this post


Link to post
Share on other sites

We are glad to see this getting focus!

Our strategy is OpenID Connect (OIDC).

OIDC unifies OAuth functionality and is commonly seen as the strategic continuation of OAuth for SSO. So, rather than investing time and effort into OAuth, I'd recommend going with OIDC right from the start.

https://openid.net/connect/

Share this post


Link to post
Share on other sites

Indeed OIDC seems to be the way to go, especially since it is so widely used by well-known companies (Google, Microsoft, Yahoo, PayPal, Amazon, SalesForce, PhantAuth, Okta).

I have also seen the ability to operate one's own OpenID Connect provider/server.

Which OIDC provider/server would you be using, if you don't mind sharing? The reason I'm asking is that implementing this feature in Connect is not enough. The users of SSO in Connect will need to know how to configure and use it in connection with their OIDC provider/server. I know that trying to configure and use a feature without any documentation can sometimes lead to frustration. So we want to be able to provide documentation about how to use SSO with your OIDC provider/server.

If you would prefer not to share, which is perfectly fine, then please let us know which OIDC provider/server we should write the documentation for. For example, would it be helpful if we wrote documentation on how to set up SSO with Google?

Share this post


Link to post
Share on other sites

Hi all,

I have another open topic about this with Andrej (see the link here below).

Andrej, can you please share some information about how you imagine the authentication process will look once implemented?

Thank you.

 

Share this post


Link to post
Share on other sites

In order for Intella Connect to integrate with an OIDC provider and allow authentication via that OIDC provider, both the OIDC provider and Intella Connect will need to be configured first. In this example I will show the integration of Intella Connect and the Google OIDC server. Intella Connect will allow multiple OIDC providers to be configured at once. Please note that the screenshots provided are subject to change.

On the Connect side, a new Single Sign On provider will be added with the information that it requires to communicate with the OIDC provider:

image.png

All of the above fields can be found on the OIDC provider's side. Intella Connect will then generate a Redirect URI, which will be needed when configuring the integration on the OIDC provider's side:

image.png

Note that when integrating Intella Connect with the Google OIDC server, you can for example see the Client ID and Client secret provided on the page shown in the above screenshot.

Once this configuration is done, users who navigate to the Intella Connect page will see a new button "Log in with Google":

image.png

When the user is already logged in with Google, then it is as simple as clicking on the button "Log in with Google" without filling in the username or password fields. Intella Connect will communicate in the background with Google and create a login session with Intella Connect. The user will then be logged in:

image.png

If the user is not logged in when clicking on the "Log in with Google" button, then the browser will redirect to the Google login page in order for that user to log in. Afterwards, it will not be required to click on the "Log in with Google" button again, since Intella Connect and Google will already exchange the user information in the background and the user will then be automatically redirected to the above screenshot.

Note that if a user does not have an account in Intella Connect which would relate to the account at the OIDC provider, then such an account will be created automatically after a successful login. That is why the above screenshot shows "No cases have been shared with you yet.". It is because this is a new user that I just logged in with. The Intella Connect administrator or cases manager can then assign cases to this new user.

Share this post


Link to post
Share on other sites

So the Intella Connect administrator doesn't need to create the new users, they just need to log in via Google (in this example) to access the "Welcome page".

Does the user have to be given permissions on the OIDC provider? Or anyone with access to a "permitted network" and a personal Google account can get there?

Share this post


Link to post
Share on other sites

When using Google OIDC, I have been able to restrict access to only G Suite accounts of a particular company. I did try logging in with my private Gmail account and the login was refused on the Google side, stating that only accounts from a particular company are allowed.

When using Okta OIDC, I could add people who can log in:

image.png

Please note that these settings are done on the OIDC provider side. So it is up to you to choose a provider that suits your needs. The provider needs to be OIDC standard compliant as described by the specifications: https://openid.net/specs/openid-connect-core-1_0.html

The status update on OIDC implementation in Connect is that the implementation is currently working and tested with the following OIDC providers:

 

Share this post


Link to post
Share on other sites
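An added example, not part of the original posts and not Intella Connect's code: because accounts are created automatically after a successful login, a relying party can re-check the ID token claims itself before provisioning, in addition to the provider-side restriction described above. All names and values are constructed, and the sketch assumes the token signature was already verified by a JWT library against the provider's published keys.

```python
import time

# Constructed relying-party settings (hypothetical, not Intella Connect's).
PROVIDER = {
    "issuer": "https://accounts.google.com",
    "client_id": "example-client-id.apps.googleusercontent.com",
    "allowed_domains": {"example.com"},
}
# Constructed claims of an already signature-verified ID token.
SAMPLE = {
    "iss": "https://accounts.google.com", "sub": "1234567890",
    "aud": "example-client-id.apps.googleusercontent.com",
    "exp": 2000, "nonce": "n-abc", "hd": "example.com",
    "email": "alice@example.com", "email_verified": True,
}

def check_id_token_claims(claims, provider, expected_nonce, now=None):
    """Return reasons to refuse the login; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != provider["issuer"]:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if provider["client_id"] not in audiences:
        problems.append("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != provider["client_id"]:
        problems.append("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    # The nonce ties the token to the login request this session started.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("missing sub")
    # Google-specific: "hd" carries the organisation's domain and is absent
    # for personal accounts. Other providers need a different check.
    if claims.get("hd") not in provider["allowed_domains"]:
        problems.append("account outside allowed domains")
    if claims.get("email_verified") is not True:
        problems.append("email not verified")
    return problems

def provision_key(claims):
    """Key auto-created accounts on (iss, sub), not on the e-mail address."""
    return (claims["iss"], claims["sub"])
```

Keying the local account on the issuer and subject pair keeps two providers that assert the same e-mail address from mapping to one auto-created user.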

As I pointed out on the other topic (https://community.vound-software.com/topic/485-two-factor-authentication/), we tried to use Okta as OIDC provider one year ago to implement 2FA, but after logging in with it, Intella Connect had trouble rendering the ellipses in the graphical visualization of the searches, which ended up invisible.

Did you encounter this problem in your tests or has it been solved?

Share this post


Link to post
Share on other sites

Note that as of latest version 2.3.1.2 (and any before it), Intella Connect does not support direct integration with OIDC provider. This is a new feature being developed - we aim to have this added to the next major release.

I don't know what exactly you tried, but I expect therefore that you tried some indirect integration, which may have resulted in some issues.

Since OIDC integration will be directly supported in Intella Connect, which we aim for next major release, then it is expected to receive proper testing before the release as well as direct support provided for customers with current Maintenance Agreement after the release.

Share this post


Link to post
Share on other sites
