OpenID Connect#
nJAMS Server allows to use authenticated sessions via identity providers that support OpenID Connect specification. When OpenID Connect is turned on, nJAMS Server can use authenticated sessions to allow login into nJAMS UI. This means nJAMS supports single sign-on via external identity providers.
You need an account at an identity provider, such as Azure AD, Google, Okta, etc. In addition, a user must be created in nJAMS Server whose username is identical to the account name at the indentity provider.
Once OpenID Connect is enabled in nJAMS Server, authentication can also be done via the external identity providers:
The following describes how to configure OpenID Connect in nJAMS for common identity providers.
auth0#
nJAMS Server can be configured to use auth0 for authentication. To do this you first have to register nJAMS application in auth0. When this is done you can configure nJAMS to use auth0 as authentication provider.
Follow these steps to register nJAMS in your auth0 account:
Login to auth0 management portal: https://manage.auth0.com
Register a new application at Applications:
Click on Create Application
Enter a name for the application, e.g. “nJAMS”
Select Single Page Web Applications and click on Create
Enter application URIs:
Select tab Settings of your newly created application
Scroll down to section Application URIs
Enter Allowed Callback URLs:
https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html
Enter Allowed Web Origins:
https://<njams-server-fqdn>:<port>/njams/*
Enter Allowed Origins (CORS):
https://<njams-server-fqdn>:<port>/njams/*
Note
Although not recommended it is possible to use protocol
http
for Application URIs:http://<ip-address>:<port>/njams/assets/silent-check-sso.html
Follow these steps to configure nJAMS for authentication using auth0:
Login as Administrator into your nJAMS Server instance
Go to Administration > OpenID Connect
Enter Provider URL. Use Domain from auth0 > nJAMS application > Basic Information, e.g.
<your-auth0-tenanat-name>.us.auth0.com
Enter Application Client ID. Use Client ID from auth0 > nJAMS application > Basic Information.
Enter Secret. Use Client Secret from auth0 > nJAMS application > Basic Information.
Click Save and hit Activate to enable OpenID Connect
Azure AD#
nJAMS Server can be configured to use Azure AD for authentication. To do this you first have to register nJAMS web application in Azure AD. When this is done you can configure nJAMS to use Azure AD as authentication provider.
Note
Before you can register the nJAMS application in Azure, your nJAMS Server instance must be configured to use HTTPS. Please follow these instructions Enable SSL/TLS for WildFly to configure HTTPS for the WildFly Application Server of your nJAMS Server instance.
Follow these steps to register nJAMS in your Azure AD:
Login to Azure Portal: https://portal.azure.com
Register a new application at Azure AD > App registration:
Click on New registration
Enter a display name, e.g. “nJAMS”
Select desired account type
Select Single-Page-Application at Redirect URI
Specify Redirect URI as follows:
https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html
Determine impicit grant an hybrid flows at registered nJAMS app > Authentication:
Select ID tokens
Create a new Secret Client Key at registered nJAMS app > Certificates & secrets:
Enter any description and desired expiration time
Add claim to token at registered nJAMS app > Token configuration:
Add optional claim
Select type ID
Select email
Add the claim and select Turn on the Microsoft Graph email permission in the upcoming dialog
Follow these steps to configure nJAMS for authentication using Azure AD:
Login as Administrator into your nJAMS Server instance
Go to Administration > OpenID Connect
Enter Provider URL from Azure AD > App registrations > Endpoints > OpenID Connect metadata document, e.g.
https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration
Enter Application Client ID from registered nJAMS app > Overview > Application (client) ID
Enter Secret from registered nJAMS app > Certificates & secrets > Client secrets > Secret ID
Google#
nJAMS Server can be configured to use Google for authentication. To do this you first have to register nJAMS web application in Google. When this is done you can configure nJAMS to use Google as authentication provider.
Follow these steps to register nJAMS in your Google account:
Login to Google Cloud Platform: https://console.cloud.google.com/
Have a project or create a new project
Register a new app:
Go to API & Services > OAuth consent screen
Select External and hit Create
Enter an App name, e.g. “nJAMS”
Select a support email, enter developer contact information, and save
Add a scope:
Click on Add or remove scope
Select …/auth/userinfo.email from the list
Update and Save And Continue the scope
Create Credentials:
Go to API & Services > Credentials
Create Credentials and select “OAuth client ID”
Select Application type “Web application”
Enter a name, e.g. “nJAMS”
At Authorized JavaScript Origins click Add URI and enter:
https://<njams-server-fqdn>:<port>
At Authorized redirect URIs click Add URI and enter:
https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html
Click Create. Note the following information Your Client ID and Your Client Secret, which will be required in the configuration of OpenID Connect in nJAMS Server.
Follow these steps to configure nJAMS for authentication using Google:
Login as Administrator into your nJAMS Server instance
Go to Administration > OpenID Connect
Enter Provider URL:
https://accounts.google.com/
Enter Application Client ID from API & Services > Credentials > registered nJAMS app > Client ID
Enter Secret from API & Services > Credentials > registered nJAMS app > Client secret
Click Save and hit Activate to enable OpenID Connect
okta#
nJAMS Server can be configured to use okta for authentication. To do this you first have to register nJAMS web application in Google. When this is done you can configure nJAMS to use okta as authentication provider.
Follow these steps to register nJAMS in your okta account:
Login to your okta account: https://login.okta.com>
Go to Administration
Register new app:
Go to Applications > Create App Integration
Select Web Application
Enter an App Integration name, e.g. “nJAMS”
Enter Sign-in redirect URI:
https://<njams-server-fqdn>:<port>/njams/assets/silent-check-sso.html
Disable Federation Broker Mode
Remember Client ID and Client secret for upcoming steps
Click on Edit at General Settings
Select Application / Grand type: Implicit (hybrid) and Allow ID Token with implicit grant type
Add Identity Provider:
Go to Security > Identity Providers
Add Identity Provider: Add OpenID Connect
Enter name, e.g. “nJAMS IdP”
Enter Client ID and Client secret from previous step (3)
Enter Issuer:
https://<your-okta-account>.okta.com
Enter
https://<your-okta-account>.okta.com
for Authorization endpoint, Token endpoint, and JWKS endpointClick Add Identity Provider
Assign users to Application:
Go to Applications > Applications > Assign Users to App
Follow these steps to configure nJAMS for authentication using okta:
Login as Administrator into your nJAMS Server instance
Go to Administration > OpenID Connect
Enter Provider URL:
https://<your-okta-account>.okta.com
Enter Application Client ID from Applications > registered nJAMS app > Client ID
Enter Secret from Applications > registered nJAMS app > Client secret
Click Save and hit Activate to enable OpenID Connect
Others#
nJAMS Server basically supports any OpenID Connect (OIDC) compliant identity provider. Follow the instructions of your identity provider to register the nJAMS application and create the credentials. Then enter Provider URL, Client ID, and Secret in the OpenID Connect configuration of nJAMS Server.