Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Usage Engine can act as a Relaying Party in the OpenID Connect 1.0 flow.  https://openid.net/specs/openid-connect-core-1_0.html

Once you connect with an ID provider and start the desktop launcher, you will see the Log in with SSO option.


Login with SSO option


Usage Engine supports SSO using an OpenID Connect (OIDC) compliant Identity Provider. Microsoft Active Directory can be configured to act as such an Identity Provider. If this for some reason is not applicable, it is also possible to add an OIDC Proxyin front of the Active Directory to enable the OIDC protocol.

Usage Engine can act as a Relaying Party in the OIDC 1.0 flow. Refer for more details: https://openid.net/specs/openid-connect-core-1_0.html.

...

Info
titleAzure as Identity Provider

When Azure is used as an ID provider, ensure to set the property auth.oidc.rp.provider.name to Azure to be able to fetch the groups. The reason for this is that Azure is sending a list of group ids, but   but Usage Engine  needs the Access group name. When ID Provider is Azure it uses the group id to fetch the group name from Azure Graph API endpoint, currently using v1.

...

Code Block
languageyml
rp:
      # Activate/deactivate Usage Engine Private Edition as OIDC Relay Party
      enabled: false
      
      auth:
        # Available auth methods is CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT
        method: "CLIENT_SECRET_BASIC"
        client:
          # Client id
          id: ""
          # Client secret is only used when the method is CLIENT_SECRET_BASIC
          # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
          #secret: ""
        # JWT section only used when method is PRIVATE_KEY_JWT
        jwt:
          #Opional ID Provider KeyId
          keyId:
          jks:
            secret:
              #Name of secret to store jks
              name:
            #Key Alias
            alias:

            #Key password
            # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #password:

            #Keystore password
            # Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #storePassword:

      provider:
        # Base URL for Identity Provider
        # URL before /.well-known/openid-configuration
        # Eg. https://login.microsoftonline.com/<tenant_ID>/v2.0
        url:
        # Name of Provider, eg. Azure
        name: ""
      
      # Path in UserInfo or ID Token to find access groups mapping, separated by dot (.)
      # The groups should be a array of Strings.
      # *** Example ***
      # Here is the groups array inside a object.
      # { myObject : { myGroups : [ "myGroup1", "mygroup2" ] } }
      # The path should then be:
      # groupPath: myObject.myGroups
      # When the groups array is direct under UserInfo then groupPath is just the 
      # name of the groups array.
      groupPath:

      # Claim to use for Username
      userNameClaim:

      # Additional scopes
      scopes:

Kubernetes Secret

Credentials can be written into a Secret object named env-secrets prior to installation.

...