Integration overview for third-party authentication using OpenID Connect - Security Center 5.9

Security Center Administrator Guide 5.9

Applies to: Security Center 5.9
Last updated: 2022-10-25
Content type: Guides > Administrator guides
Language: English
Product: Security Center
Version: 5.9

Before users can log on to Security Center using an external identity provider with OpenID Connect (OIDC), you must follow a sequence of steps.

The following table lists the tasks required to deploy third-party authentication using OIDC:
Step Task Where to find more information
Understand prerequisites and key issues before integrating
1 Learn about the different components and how they connect.
2 Ensure all Security Center clients trust the connection to your identity provider.

To establish trust, the public key certificate for the identity provider must be signed by a Certificate Authority that is trusted on the computer or mobile device connecting to Security Center.

3 Verify that your Security Center license includes OpenID Connect integrations.

Go to the Config Tool home page, click About > Security Center, and confirm that Number of OpenID Connect integrations is one or more.

Prepare Security Center
4 Add an Authentication Service role for OpenID and click the Network endpoint tab. You might need to restart the System task to see the endpoints.

The redirect and logout endpoints are required to configure your identity provider. There are different URIs for each client type:

/genetec: Config Tool, Security Desk, and SDK
/<Mobile>OpenId: Genetec™ Mobile
/<SecurityCenter>OpenId: Web Client
NOTE: Mobile and SecurityCenter are the default web addresses for the Mobile Server role and the Web Server role. Any modification to these web addresses will be reflected in the corresponding URIs.

To work with role failover, separate redirect and logout URIs are needed for each server that can host the Directory, Mobile Server, and Web Server roles. Ensure that role failover is properly configured to see all the required endpoints.

If new servers are added, or any servers are retired after the identity provider is set up, you might need to update the configuration by adding or removing URIs, as needed.

All clients must be able to resolve the endpoint URI for their type. If a public address is being used, that address must resolve to the correct server for clients connecting from your private network.

Integrate the external identity provider
5 Following the instructions from your identity provider, add Security Center as a relying application in that system.

For successful authentication, Security Center requires the identity provider to return claims about the authenticated party in an access token (JWT format) or from the UserInfo endpoint.

At a minimum, those claims must include a username claim and a group membership claim.

6 Add authorized user groups from your identity provider to Security Center and set privileges.

If your identity provider can export a list of groups in CSV format, that list can be imported to Security Center.

Typically, identity providers use names to uniquely identify user groups. When names are used, Security Center user groups must have the exact same name as the corresponding group from your identity provider, and include the domain name. For example: Operators@YourCompany.com. However, if your identity provider uses an ID to uniquely identify a user group, that ID must be added to the External unique identifier property for the corresponding user group in Security Center before the group is linked to the Authentication Service role.

Users are automatically created and added to their assigned group or groups when they log on for the first time.

7 Configure the Authentication Service role with information about your identity provider.

Open the Authentication Service role for OpenID, click the Properties tab, and input the required fields.
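
The claim and group-name requirements from steps 5 and 6, as an added diagnostic example (not Genetec code): it decodes an access token payload for inspection and reports missing claims and group names that are not identical to a Security Center user group name. The claim names `preferred_username` and `groups`, the sample token, and the group list are constructed assumptions; substitute the claim names your identity provider actually issues.

```python
import base64
import json

def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(claims, username_claim, group_claim, sc_groups):
    """Report missing claims and how IdP groups line up with Security Center names."""
    report = {"missing": [], "matched": [], "near_miss": [], "unmatched": []}
    if not claims.get(username_claim):
        report["missing"].append(username_claim)
    groups = claims.get(group_claim)
    if not groups:
        report["missing"].append(group_claim)
        return report
    if isinstance(groups, str):  # a single group may arrive as a bare string
        groups = [groups]
    # Index Security Center names by the part before "@", case-folded.
    by_local = {name.split("@", 1)[0].lower(): name for name in sc_groups}
    for g in groups:
        local = g.split("@", 1)[0].lower()
        if g in sc_groups:
            report["matched"].append(g)  # identical string, domain included
        elif local in by_local:
            report["near_miss"].append((g, by_local[local]))  # case or domain differs
        else:
            report["unmatched"].append(g)
    return report

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claim names and values are assumptions, not from a real provider.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"preferred_username": "jdoe@YourCompany.com",
             "groups": ["Operators@YourCompany.com", "supervisors", "Visitors"]}),
    "constructed-signature",
])
SC_GROUPS = {"Operators@YourCompany.com", "Supervisors@YourCompany.com"}

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(check_claims(claims, "preferred_username", "groups", SC_GROUPS))
```

Entries under `near_miss` pair the name sent by the identity provider with the Security Center group it resembles, which points at a missing domain suffix or a case difference to correct before linking the group to the Authentication Service role.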