OpenID Connect

nJAMS Server can establish authenticated sessions through identity providers that implement the OpenID Connect specification. When OpenID Connect is turned on, a session authenticated by the identity provider is accepted as a login to the nJAMS UI. In other words, nJAMS supports single sign-on via external identity providers.

You need an account at an identity provider, such as Azure AD, Google, Okta, etc. In addition, a user must be created in nJAMS Server whose username is identical to the account name at the identity provider; the nJAMS user has to exist before the first login via the identity provider.

Once OpenID Connect is enabled in nJAMS Server, authentication can also be done via the external identity provider, using the OIDC option on the login page:

Login with OIDC (screenshot)
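What a relying party such as nJAMS Server has to verify before an ID token from one of these providers becomes an authenticated session, and where the username match described above comes from, as an added example in Python. This is not nJAMS code. To run offline with the standard library only it uses HS256 with the client secret as key, the symmetric option the OIDC Core specification allows for confidential clients; the providers on this page sign ID tokens with RS256 keys published at their JWKS endpoint, and a real client verifies against that JWKS with a JOSE library. Issuer, client ID, secret, user and nonce values are made up.

```python
import base64, hashlib, hmac, json, time

# Assumed values for this walk-through (not a real tenant, client ID or secret).
ISSUER = "https://example-tenant.us.auth0.com/"
CLIENT_ID = "njams-example-client-id"
CLIENT_SECRET = b"example-client-secret-not-real"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT the way a provider would; used here only to construct test input."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class TokenRejected(Exception):
    pass

def validate_id_token(token, *, key, issuer, client_id, nonce, now=None, leeway=60):
    """The checks a relying party performs on an ID token before it opens a session."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how the token is checked, never the
    # token itself (defeats alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # iss must equal the issuer behind the configured Provider URL, byte for byte.
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    # aud must name this client; with several audiences, azp must be this client too.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenRejected("wrong audience")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenRejected("azp mismatch")
    if claims.get("exp", 0) < now - leeway:
        raise TokenRejected("expired")
    if claims.get("iat", now) > now + leeway:
        raise TokenRejected("issued in the future")
    # The nonce ties the token to the login request that started this flow.
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch")
    return claims

def njams_username(claims: dict) -> str:
    """nJAMS needs a local user whose name equals the account name at the provider.
    Which claim carries it is provider specific; Azure AD only sends 'email' if the
    optional claim is added, as in the Azure AD steps on this page."""
    for claim in ("email", "preferred_username"):
        if claims.get(claim):
            return claims[claim]
    raise TokenRejected("no account name claim")

def demo() -> dict:
    """Constructed tokens: one genuine login plus six that must be refused."""
    now = 1_700_000_000  # fixed clock so the outcome is reproducible
    good = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|123456",
            "email": "alice@example.com", "iat": now - 5, "exp": now + 3600,
            "nonce": "n-8c0f"}

    def check(token):
        return validate_id_token(token, key=CLIENT_SECRET, issuer=ISSUER,
                                 client_id=CLIENT_ID, nonce="n-8c0f", now=now)

    user = njams_username(check(mint_token(good, CLIENT_SECRET)))
    attempts = {
        "other_client": mint_token({**good, "aud": "some-other-app"}, CLIENT_SECRET),
        "other_tenant": mint_token({**good, "iss": "https://evil.us.auth0.com/"}, CLIENT_SECRET),
        "replayed": mint_token({**good, "nonce": "n-0000"}, CLIENT_SECRET),
        "stale": mint_token({**good, "exp": now - 3600}, CLIENT_SECRET),
        "forged": mint_token(good, b"guessed-key"),
        "alg_none": mint_token(good, b"", alg="none"),
    }
    rejected = {}
    for name, token in attempts.items():
        try:
            check(token)
        except TokenRejected as err:
            rejected[name] = str(err)
    return {"user": user, "rejected": rejected}
```

`demo()` returns the mapped nJAMS username for the genuine token and the reason each of the other tokens was refused: a token minted for another application, a token from another tenant, a replayed login, an expired token, a forged signature and an unsigned token. The issuer comparison is exact on purpose; a trailing slash or a different tenant path in the Provider URL shows up as "wrong issuer", not as a successful login.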

The following describes how to configure OpenID Connect in nJAMS for common identity providers.

auth0

nJAMS Server can be configured to use auth0 for authentication. To do this you first have to register nJAMS application in auth0. When this is done you can configure nJAMS to use auth0 as authentication provider.

Follow these steps to register nJAMS in your auth0 account:

  1. Log in to the auth0 management portal: https://manage.auth0.com

  2. Register a new application at Applications:

    • Click on Create Application

    • Enter a name for the application, e.g. “nJAMS”

    • Select Single Page Web Applications and click on Create

  3. Enter application URIs:

    • Select tab Settings of your newly created application

    • Scroll down to section Application URIs

    • Enter Allowed Callback URLs: https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html

    • Enter Allowed Web Origins: https://<njams-server-fqdn>:<port>/njams/*

    • Enter Allowed Origins (CORS): https://<njams-server-fqdn>:<port>/njams/*

    Note

    Although not recommended, it is possible to use plain http for the Application URIs, e.g. http://<ip-address>:<port>/njams/assets/silent-check-sso.html. The ID token and the nJAMS session then travel unencrypted and can be read or swapped by anyone on the network path, so restrict this to isolated test setups.

Follow these steps to configure nJAMS for authentication using auth0:

  1. Log in to your nJAMS Server instance as Administrator

  2. Go to Administration > OpenID Connect

  3. Enter Provider URL. Use Domain from auth0 > nJAMS application > Basic Information, e.g. <your-auth0-tenant-name>.us.auth0.com

  4. Enter Application Client ID. Use Client ID from auth0 > nJAMS application > Basic Information.

  5. Enter Secret. Use Client Secret from auth0 > nJAMS application > Basic Information.

  6. Click Save and hit Activate to enable OpenID Connect

Azure AD

nJAMS Server can be configured to use Azure AD for authentication. To do this you first have to register nJAMS web application in Azure AD. When this is done you can configure nJAMS to use Azure AD as authentication provider.

Note

Before you can register the nJAMS application in Azure, your nJAMS Server instance must be configured to use HTTPS, because Azure AD accepts plain http redirect URIs only for localhost. Please follow the instructions in Enable SSL/TLS for WildFly to configure HTTPS for the WildFly Application Server of your nJAMS Server instance.

Follow these steps to register nJAMS in your Azure AD:

  1. Log in to the Azure Portal: https://portal.azure.com

  2. Register a new application at Azure AD > App registration:

    • Click on New registration

    • Enter a display name, e.g. “nJAMS”

    • Select desired account type

    • Select Single-Page-Application at Redirect URI

    • Specify Redirect URI as follows: https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html

  3. Under Implicit grant and hybrid flows at registered nJAMS app > Authentication:

    • Select ID tokens

  4. Create a new client secret at registered nJAMS app > Certificates & secrets:

    • Enter any description and the desired expiration time

    • Copy the secret Value as soon as it is displayed; it cannot be shown again later. The Value is what nJAMS needs, the Secret ID next to it is only a reference.

  5. Add claim to token at registered nJAMS app > Token configuration:

    • Add optional claim

    • Select type ID

    • Select email

    • Add the claim and select Turn on the Microsoft Graph email permission in the upcoming dialog

Follow these steps to configure nJAMS for authentication using Azure AD:

  1. Log in to your nJAMS Server instance as Administrator

  2. Go to Administration > OpenID Connect

  3. Enter Provider URL from Azure AD > App registrations > Endpoints > OpenID Connect metadata document, e.g. https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration

  4. Enter Application Client ID from registered nJAMS app > Overview > Application (client) ID

  5. Enter Secret: use the Value of the client secret from registered nJAMS app > Certificates & secrets > Client secrets (not the Secret ID, which is only an identifier; the Value is displayed once, right after creation)

  6. Click Save and hit Activate to enable OpenID Connect

Google

nJAMS Server can be configured to use Google for authentication. To do this you first have to register nJAMS web application in Google. When this is done you can configure nJAMS to use Google as authentication provider.

Follow these steps to register nJAMS in your Google account:

  1. Log in to Google Cloud Platform: https://console.cloud.google.com/

  2. Select an existing project or create a new one

  3. Register a new app:

    • Go to API & Services > OAuth consent screen

    • Select External and hit Create

    • Enter an App name, e.g. “nJAMS”

    • Select a support email, enter developer contact information, and save

  4. Add a scope:

    • Click on Add or remove scope

    • Select …/auth/userinfo.email from the list

    • Click Update, then Save And Continue

  5. Create Credentials:

    • Go to API & Services > Credentials

    • Click Create Credentials and select “OAuth client ID”

    • Select Application type “Web application”

    • Enter a name, e.g. “nJAMS”

    • At Authorized JavaScript Origins click Add URI and enter: https://<njams-server-fqdn>:<port>

    • At Authorized redirect URIs click Add URI and enter: https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html

    • Click Create. Note down Your Client ID and Your Client Secret; both are required in the OpenID Connect configuration of nJAMS Server.

Follow these steps to configure nJAMS for authentication using Google:

  1. Log in to your nJAMS Server instance as Administrator

  2. Go to Administration > OpenID Connect

  3. Enter Provider URL: https://accounts.google.com/

  4. Enter Application Client ID from API & Services > Credentials > registered nJAMS app > Client ID

  5. Enter Secret from API & Services > Credentials > registered nJAMS app > Client secret

  6. Click Save and hit Activate to enable OpenID Connect

okta

nJAMS Server can be configured to use okta for authentication. To do this you first have to register nJAMS web application in okta. When this is done you can configure nJAMS to use okta as authentication provider.

Follow these steps to register nJAMS in your okta account:

  1. Log in to your okta account: https://login.okta.com

  2. Go to Administration

  3. Register new app:

    • Go to Applications > Create App Integration

    • Select Web Application

    • Enter an App Integration name, e.g. “nJAMS”

    • Enter Sign-in redirect URI: https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html

    • Disable Federation Broker Mode

    • Remember Client ID and Client secret for upcoming steps

    • Click on Edit at General Settings

    • Select Application / Grant type: Implicit (hybrid) and Allow ID Token with implicit grant type

  4. Add Identity Provider:

    • Go to Security > Identity Providers

    • Add Identity Provider: Add OpenID Connect

    • Enter name, e.g. “nJAMS IdP”

    • Enter Client ID and Client secret from previous step (3)

    • Enter Issuer: https://<your-okta-account>.okta.com (exactly as shown as issuer in https://<your-okta-account>.okta.com/.well-known/openid-configuration, without a trailing slash)

    • Enter Authorization endpoint, Token endpoint, and JWKS endpoint as published in that discovery document; for the org authorization server these are https://<your-okta-account>.okta.com/oauth2/v1/authorize, https://<your-okta-account>.okta.com/oauth2/v1/token, and https://<your-okta-account>.okta.com/oauth2/v1/keys

    • Click Add Identity Provider

  5. Assign users to Application:

    • Go to Applications > Applications > Assign Users to App

Follow these steps to configure nJAMS for authentication using okta:

  1. Log in to your nJAMS Server instance as Administrator

  2. Go to Administration > OpenID Connect

  3. Enter Provider URL: https://<your-okta-account>.okta.com

  4. Enter Application Client ID from Applications > registered nJAMS app > Client ID

  5. Enter Secret from Applications > registered nJAMS app > Client secret

  6. Click Save and hit Activate to enable OpenID Connect

Others#

nJAMS Server supports any OpenID Connect (OIDC) compliant identity provider. Follow the instructions of your identity provider to register the nJAMS application, using the same callback URL as above (https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html), and create the credentials. Then enter Provider URL (the issuer, or the URL of the provider's OpenID Connect metadata document, as in the examples above), Client ID, and Secret in the OpenID Connect configuration of nJAMS Server.
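A pre-flight check of the Provider URL before activating OpenID Connect, as an added example in Python using only the standard library. It is not part of nJAMS. It derives the discovery document URL from the three forms of Provider URL used on this page (bare domain for auth0, issuer for Google and okta, full metadata document for Azure AD), checks the document for what the registrations above rely on, and pulls out the three endpoint values the okta Add Identity Provider form asks for. The two discovery documents are constructed samples with a made-up okta domain and a made-up broken provider, not fetched; `fetch_discovery` does the live lookup.

```python
import json
import urllib.request
from urllib.parse import urlparse

METADATA_PATH = "/.well-known/openid-configuration"

def metadata_url(provider_url: str) -> str:
    """Map the Provider URL as entered in nJAMS to the discovery document URL."""
    url = provider_url.strip()
    if not urlparse(url).scheme:          # bare domain, as in the auth0 steps
        url = "https://" + url
    if url.endswith(METADATA_PATH):       # full metadata URL, as in the Azure AD steps
        return url
    return url.rstrip("/") + METADATA_PATH

def fetch_discovery(provider_url: str, timeout: int = 10) -> dict:
    """Live lookup of the discovery document (not used by the offline demo)."""
    with urllib.request.urlopen(metadata_url(provider_url), timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return problems that would break the login; an empty list means go ahead."""
    problems = []
    # The relying party compares the token's iss claim with this value exactly,
    # so a trailing slash or a different tenant path is a mismatch, not a detail.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} not served over https: {value}")
    # The registrations above enable ID tokens; the provider must offer them and
    # sign them with an asymmetric key published at jwks_uri.
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("id_token response type not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not offered")
    return problems

def okta_idp_endpoints(doc: dict) -> dict:
    """The three endpoint values the okta 'Add Identity Provider' form asks for."""
    return {"Authorization endpoint": doc["authorization_endpoint"],
            "Token endpoint": doc["token_endpoint"],
            "JWKS endpoint": doc["jwks_uri"]}

# Constructed sample in the shape of an okta org discovery document (not fetched).
OKTA_SAMPLE = {
    "issuer": "https://dev-000000.okta.com",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed sample of a misconfigured provider: http authorization endpoint,
# issuer with a trailing slash nobody expects, no JWKS, no ID tokens, HS256 only.
BROKEN_SAMPLE = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "http://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["HS256"],
}

def demo() -> dict:
    return {
        "urls": [metadata_url("example-tenant.us.auth0.com"),
                 metadata_url("https://accounts.google.com/"),
                 metadata_url("https://login.microsoftonline.com/{tenantId}/v2.0"
                              "/.well-known/openid-configuration")],
        "okta_problems": check_discovery(OKTA_SAMPLE, "https://dev-000000.okta.com"),
        "okta_endpoints": okta_idp_endpoints(OKTA_SAMPLE),
        "broken_problems": check_discovery(BROKEN_SAMPLE, "https://idp.example.test"),
    }
```

Run `check_discovery(fetch_discovery(provider_url), issuer)` against the real provider before clicking Activate; `okta_idp_endpoints` gives the values for the okta identity provider form without guessing paths. Google is a reminder that endpoints may live on hosts other than the issuer's, which is why the check looks at scheme and presence rather than hostname.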