Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

FlexDeploy application can be integrated with Single Sign-On a single sign-on service using various options like OpenID Connect, SAML, OAuth etc. You can use an external service like Okta, Microsoft Azure AD, and many more, or use existing corporate Single Signcorporate single sign-On on solution. Note that FlexDeploy does not provide Single Signsingle sign-On and Multi Factor Authentication on and multi-factor authentication services. 

Integration mechanisms supported are OpenID Connect, SAML, OAuth. We have verified this using Okta and Microsoft Azure AD using OpenID Connect. For other OpenID Connect providers and other types of integrationintegrations, please reach out to us using the support portal.

There are some limitations exist in the current version of this integration, see below.:

  • Group mapping (

    aka

    Claim in OpenID Connect) is not yet supported. You will need to configure authorization for

    user

    users using FlexDeploy UI.

  • The REST API still

    require login

    requires logging in using local realm users

    with Basic Authentication

    , alternatively you can use API Tokens.

  • Configuration is done using configuration files

    , there

    . There is no UI available at this time.

  • Once you enable

    Single Sign

    single sign-

    On

    on, you will not be able to configure or use other Realms for authentication and authorization.

You can further secure this by enabling Multi Factor Authenticationmulti-factor authentication, where user is users are granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. This will not be discussed here as it will be done on your Single Signsingle sign-On on provider.

Tipinfo

Even after enabling Single Signsingle sign-Onon, you will be able to login log in using local users if necessary. If you want to login log in with local users, then use navigate directly to https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/faces#/login.jsf in browser.

You can either enable SSO or , MFA, or both as it depends on your Provider.

Table of Contents
minLevel2
maxLevel2

Enable Single Sign-On and/or Multi Factor Authentication

Single Signsign-On on integration will be done by adding a configuration file on the FlexDeploy application server host. You should keep this file readable only by the FlexDeploy process user. There is no restriction on where this file should be kept, but it would be it’s a good idea to keep it with the FlexDeploy installation files, For example, $FLEXDEPLOY_HOME/sso folder. If you change values in this file, you will need to restart your FlexDeploy server to pick up those changes.

File The configuration file can be named as per your wish, but we will use the name fdsso.config name during for this documentation. Configure The location of file on the configuration file will need to be added to server startup arguments in setenvoverride.sh file or setenvoverride.bat file. We recommend that this fdsso.config file is not kept under apache-tomcat-flexdeploy folder, as that folder is replaced during upgrade process. Here is the syntax for startup argument:

Code Block
themelanguageRDarkbash
-Dflexagon.fd.sso.config=FULLY_QUALIFIED_PATH_TO_SSO_CONFIG_FILE

Here are some examples of fdsso.config file files for various providers.

Okta (OpenID Connect)

Replace upper case text with appropriate values. You will need to define application in Okta console and update values in config file as shown below.

  • OKTACLIENTID - get this value from Okta application configuration.
  • OKTACLIENTSECRET - get this value from Okta application configuration.
  • OKTADOMAIN - get this value from your Okta domain details.
  • FLEXDEPLOYHOST - FlexDeploy application host
  • FLEXDEPLOYPORT - FlexDeploy application port
Code Block
themeRDark
titleExample fdsso.config file for Okta (OpenID Connect)
linenumberstrue
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.clientId = OKTACLIENTID
oidcConfig.secret = OKTACLIENTSECRET
oidcConfig.discoveryURI = https://OKTADOMAIN.okta.com/.well-known/openid-configuration

oktaClient = org.pac4j.oidc.client.OidcClient
oktaClient.configuration = $oidcConfig

clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $oktaClient

isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /faces/login.jsf
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = OidcClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin

logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy

Here is what configuration looks like on Okta.

Image Removed

Image Removed

Okta (SAML 2.0)

...

SSO integration using SAML requires FlexDeploy to be running using HTTPS.  You must also download the Okta Certificate (from within the Okta Edit SAML Settings).

Image Removed

and import it into the keystore which was created as part of the HTTPS configuration (adjust parameters below as appropriate).

Code Block
/u01/java/jdk1.8.0_281/bin/keytool -import -alias okta -file /var/tmp/okta.cert -keystore /home/oracle/flexdeploy.keystore

Replace upper case text with appropriate values. You will need to define application in Okta console and update values in config file as shown below.

  • FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed
  • KEYSTORE_PASSWORD - The Java key store password.
  • PRIVATE_KEY_PASSWORD -The private key password.
  • OKTA_METADATA_URL - The URL (from Okta) to the identity provider metadata (e.g. https://dev-484624.okta.com/app/exk4c1ilhiTs3dKRb4y5/sso/saml/metadata).
  • FLEXDEPLOY_HOST - FlexDeploy application host
  • FLEXDEPLOY_PORT - FlexDeploy application port
Code Block
themeRDark
titleExample fdsso.config file for Okta (SAML 2.0)
linenumberstrue
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/certs/samlKeystore.jks
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = OKTA_METADATA_URL
saml2Config.maximumAuthenticationLifetime = 3600
saml2Config.serviceProviderEntityId = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback?client_name=SAML2Client
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback
clients.clients=$saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /faces/login.jsf
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy
Tip
titleConfiguration Tips

If the Java keystore referenced (line 2) does not exist, it will automatically be created, and key will be generated and inserted into the keystore using the passwords provided (line 3 and 4).

The Okta Identity Provider Metadata can be found from within the Sign-on tab of your Okta application.

Image Removed

Azure Active Directory

Replace upper case text with appropriate values.

  • APPLICATION(CLIENT)ID
  • CLIENTSECRET
  • DIRECTORY(TENANT)ID
  • FLEXDEPLOYHOST
  • FLEXDEPLOYPORT
Code Block
themeRDark
titleExample fdsso.config file for Azure Active Directory
linenumberstrue
oidcConfig = org.pac4j.oidc.config.AzureAdOidcConfiguration
oidcConfig.clientId = APPLICATION(CLIENT)ID
oidcConfig.secret = CLIENTSECRET
oidcConfig.discoveryURI = https://login.microsoftonline.com/DIRECTORY(TENANT)ID/.well-known/openid-configuration
oidcConfig.useNonce = true
oidcConfig.tenant = DIRECTORY(TENANT)ID

azureAdClient = org.pac4j.oidc.client.AzureAdClient
azureAdClient.configuration = $oidcConfig

clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $azureAdClient

isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /faces/login.jsf
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = AzureAdClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin

logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy

Register application in Azure Active Directory.

Image Removed

Capture Application (client) ID and Directory (tenant) ID from App Registration.

Image Removed

Create and capture client secret.

Image Removed

Here is how URL values are configured on Azure App Registration.

...

Child pages (Children Display)