...
Info: Even after enabling single sign-on, you will still be able to log in with local users if necessary. To log in with a local user, navigate directly to https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/login. You can enable SSO, MFA, or both, depending on what your provider supports.
Enable Single Sign-On and/or Multi Factor Authentication
...
Here are some example fdsso.config files for various providers.
Okta (OpenID Connect)
Replace capitalized text with appropriate values. You will need to define an application in your Okta console and update values in the configuration file as shown below.
OKTACLIENTID - get this value from Okta application configuration.
OKTACLIENTSECRET - get this value from Okta application configuration.
OKTADOMAIN - get this value from your Okta domain details.
FLEXDEPLOYHOST - FlexDeploy application host
FLEXDEPLOYPORT - FlexDeploy application port
Example fdsso.config file for Okta (OpenID Connect)
Info: If you are upgrading from 5.7 or earlier, excludedPathMatcher.excludedPath and logout.defaultUrl have changed; everything else remains the same.
```ini
oidcConfig = org.pac4j.oidc.config.OidcConfiguration
oidcConfig.clientId = OKTACLIENTID
oidcConfig.secret = OKTACLIENTSECRET
oidcConfig.discoveryURI = https://OKTADOMAIN.okta.com/.well-known/openid-configuration
oktaClient = org.pac4j.oidc.client.OidcClient
oktaClient.configuration = $oidcConfig
clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $oktaClient
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = OidcClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/home
```
Here is what the configuration looks like in Okta.
...
Okta (SAML 2.0)
Info: SSO integration using SAML requires FlexDeploy to be running over HTTPS.
You must also download the Okta Certificate (from within the Okta Edit SAML Settings).
...
and import it into the keystore which was created as part of the HTTPS configuration (adjust parameters below as appropriate).
```shell
/u01/java/jdk1.8.0_281/bin/keytool -import -alias okta -file /var/tmp/okta.cert -keystore /home/oracle/flexdeploy.keystore
```
Replace capitalized text with appropriate values. You will need to define an application in your Okta console and update values in the configuration file as shown below.
FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed
KEYSTORE_PASSWORD - The Java key store password.
PRIVATE_KEY_PASSWORD - The private key password.
OKTA_METADATA_URL - The URL (from Okta) to the identity provider metadata (e.g. https://dev-484624.okta.com/app/exk4c1ilhiTs3dKRb4y5/sso/saml/metadata).
FLEXDEPLOY_HOST - FlexDeploy application host
FLEXDEPLOY_PORT - FlexDeploy application port
Example fdsso.config file for Okta (SAML 2.0)
Info: If you are upgrading from 5.7 or earlier, excludedPathMatcher.excludedPath and logout.defaultUrl have changed; everything else remains the same.
```ini
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/certs/samlKeystore.jks
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = OKTA_METADATA_URL
saml2Config.maximumAuthenticationLifetime = 3600
saml2Config.serviceProviderEntityId = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback?client_name=SAML2Client
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback
clients.clients = $saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home
```
Info: Configuration tips: If the Java keystore referenced (line 2) does not exist, it will be created automatically, and a key will be generated and inserted into the keystore using the passwords provided (lines 3 and 4). The Okta Identity Provider Metadata can be found on the Sign On tab of your Okta application.
Azure Active Directory (OpenID Connect)
Replace capitalized text with appropriate values.
APPLICATION(CLIENT)ID
CLIENTSECRET
DIRECTORY(TENANT)ID
FLEXDEPLOYHOST
FLEXDEPLOYPORT
Example fdsso.config file for Azure Active Directory
Info: If you are upgrading from 5.7 or earlier, excludedPathMatcher.excludedPath and logout.defaultUrl have changed; everything else remains the same.
```ini
oidcConfig = org.pac4j.oidc.config.AzureAdOidcConfiguration
oidcConfig.clientId = APPLICATION(CLIENT)ID
oidcConfig.secret = CLIENTSECRET
oidcConfig.discoveryURI = https://login.microsoftonline.com/DIRECTORY(TENANT)ID/.well-known/openid-configuration
oidcConfig.useNonce = true
oidcConfig.tenant = DIRECTORY(TENANT)ID
azureAdClient = org.pac4j.oidc.client.AzureAdClient
azureAdClient.configuration = $oidcConfig
clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback
clients.clients = $azureAdClient
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = AzureAdClient
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = true
logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/home
```
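A small lint script for fdsso.config files, added here as an example and not part of FlexDeploy or pac4j. It applies to all three example files above (Okta OIDC, Okta SAML, Azure AD) and checks for the mistakes this page warns about: placeholder values left unreplaced, non-HTTPS URLs, an ssoFilter.clients name that does not match the configured client class, and the post-5.7 excludedPath. The sample config and the host fd.example.com are constructed.

```python
import re

# Constructed sample (not from the page): the SAML example trimmed to the keys the
# checks need, with three deliberate mistakes: a placeholder left in, an http://
# callback, and an ssoFilter.clients name that does not match the client class.
SAMPLE = """\
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = http://fd.example.com:8000/flexdeploy/callback
clients.clients = $saml2Client
excludedPathMatcher.excludedPath = /next/#/login
ssoFilter.clients = OidcClient
logout.defaultUrl = https://fd.example.com:8000/flexdeploy/next/#/home
"""

PLACEHOLDER = re.compile(r"\b[A-Z][A-Z_()]{5,}\b")  # OKTACLIENTSECRET, FLEXDEPLOY_HOST, ...
LOGIN_PATH = "/next/#/login"  # excludedPath expected from FlexDeploy 5.7 onward

def parse(text):
    """Parse 'key = value' lines into a dict; blank and '#' comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def lint(text):
    """Return a list of findings for an fdsso.config; an empty list means clean."""
    cfg, findings = parse(text), []
    for key, value in cfg.items():
        m = PLACEHOLDER.search(value)
        if m:
            findings.append(f"{key}: placeholder {m.group()} was not replaced")
        if value.lower().startswith("http://"):
            findings.append(f"{key}: plain http URL; SSO callback and logout URLs must use https")
    # ssoFilter.clients must be the simple class name of the configured client:
    # clients.clients = $saml2Client -> saml2Client = ...SAML2Client -> "SAML2Client"
    ref = cfg.get("clients.clients", "").lstrip("$")
    expected = cfg.get(ref, "").rsplit(".", 1)[-1]
    if expected and cfg.get("ssoFilter.clients") != expected:
        findings.append(f"ssoFilter.clients should be {expected} to match {ref}")
    if cfg.get("excludedPathMatcher.excludedPath") != LOGIN_PATH:
        findings.append(f"excludedPathMatcher.excludedPath should be {LOGIN_PATH}")
    return findings
```

Running `lint(SAMPLE)` reports the three seeded mistakes; a corrected file returns an empty list.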
Register application in Azure Active Directory.
...
Capture Application (client) ID and Directory (tenant) ID from App Registration.
...
Create and capture client secret.
...
Here is how the URL values are configured in the Azure App Registration.
...