Before users can log on to Security Center using an external identity provider with OpenID Connect (OIDC), you must follow a sequence of steps.
Step | Task | Where to find more information |
---|---|---|
Understand prerequisites and key issues before integrating | ||
1 | Learn about the different components and how they connect. | |
2 | Ensure all Security Center
clients trust the connection to your identity provider. To establish trust, the public key certificate for the identity provider must be signed by a trusted Certificate Authority on the computer or mobile device connecting to Security Center. |
|
3 | Verify that your Security Center license includes OpenID
Connect integrations. Go to the Config Tool home page, click , and confirm that Number of OpenID Connect integrations is one or more. |
|
Prepare Security Center | ||
4 | Add an Authentication Service role for OpenID and click the
Network endpoint tab. You might need to restart
the System task to see the endpoints. The redirect and logout endpoints are required to configure your identity provider. There are different URIs for each client type:
NOTE: Mobile and SecurityCenter are the default web
addresses for the Mobile Server role and the Web Server role. Any
modification to these web addresses will be reflected in the
corresponding URIs.
To work with role failover, separate redirect and logout URIs are needed for each server that can host the Directory, Mobile Server, and Web Server roles. Ensure that role failover is properly configured to see all the required endpoints. If new servers are added, or any servers are retired after the identity provider is set up, you might need to update the configuration by adding or removing URIs, as needed. All clients must be able to resolve the endpoint URI for their type. If a public address is being used, that address must resolve to the correct server for clients connecting from your private network. |
|
Integrate the external identity provider | ||
5 | Following the instructions from your identity provider, add Security Center as a relying application
in that system. For successful authentication, Security Center requires the identity provider to return claims about the authenticated party in an access token (JWT format) or the UserInfo endpoint. At a minimum, those claims must include a username claim, and a group membership claim. |
|
6 | Add authorized user groups from your identity provider to Security Center and set privileges. If your identity provider can export a list of groups in CSV format, that list can be imported to Security Center. Typically, identity providers use names to uniquely identify user groups. When names are used, Security Center user groups must have the exact same name as the corresponding group from your identity provider, and include the domain name. For example: Operators@YourCompany.com. However, if your identity provider uses an ID to uniquely identify a user group, that ID must be added to the External unique identifier property for the corresponding user group in Security Center before the group is linked to the Authentication Service role. Users are automatically created and added to their assigned group, or groups when they log on for the first time. |
|
7 | Configure the Authentication Service role with information about your
identity provider. Open the Authentication Service role for OpenID, click the Properties tab, and input the required fields. |