Single Sign-On and Multi Factor Authentication
FlexDeploy application can be integrated with Single Sign-On service using various options like OpenID Connect, SAML, OAuth etc. You can use external service like Okta, Microsoft Azure AD and many more or use existing corporate Single Sign-On solution. Note that FlexDeploy does not provide Single Sign-On and Multi Factor Authentication services.
Integration mechanisms supported are OpenID Connect, SAML, OAuth. We have verified this using Okta and Microsoft Azure AD using OpenID Connect. For other OpenID Connect providers and other types of integration, please reach out to us using support portal.
There are some limitations exist in current version of this integration, see below.
- Group mapping (aka Claim in OpenID Connect) is not yet supported. You will need to configure authorization for user using FlexDeploy UI.
- REST API still require login using local realm users with Basic Authentication.
- Configuration is done using configuration files, there is no UI available at this time.
- Once you enable Single Sign-On, you will not be able to configure or use other Realms for authentication and authorization.
You can further secure this by enabling Multi Factor Authentication, where user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. This will not be discussed here as it will be done on your Single Sign-On provider.
Even after enabling Single Sign-On, you will be able to login using local users if necessary. If you want to login with local users than use https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/faces/login.jsf in browser.
You can either enable SSO or MFA or both.
Enable Single Sign-On and/or Multi Factor Authentication
Single Sign-On integration will be done by adding configuration file on FlexDeploy application server host. You should keep this file readable only by FlexDeploy process user. There is no restriction on where this file should be kept but it would be good idea to keep it with FlexDeploy installation files. If you change values in this file, you will need to restart FlexDeploy server to pick up those changes.
File can be named as per your wish, but we will use fdsso.config name during this documentation. Configure location of file on server startup arguments. Here is syntax for startup argument.
-Dflexagon.fd.sso.config=FULLY_QUALIFIED_PATH_TO_SSO_CONFIG_FILE
See example below for Tomcat where file is located at /home/oracle/fdsso.config.
Here are some examples of fdsso.config file for various providers.
Okta (OpenID Connect)
Replace upper case text with appropriate values. You will need to define application in Okta console and update values in config file as shown below.
- OKTACLIENTID - get this value from Okta application configuration.
- OKTACLIENTSECRET - get this value from Okta application configuration.
- OKTADOMAIN - get this value from your Okta domain details.
- FLEXDEPLOYHOST - FlexDeploy application host
- FLEXDEPLOYPORT - FlexDeploy application port
oidcConfig = org.pac4j.oidc.config.OidcConfiguration oidcConfig.clientId = OKTACLIENTID oidcConfig.secret = OKTACLIENTSECRET oidcConfig.discoveryURI = https://OKTADOMAIN.okta.com/.well-known/openid-configuration oktaClient = org.pac4j.oidc.client.OidcClient oktaClient.configuration = $oidcConfig clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback clients.clients = $oktaClient isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher excludedPathMatcher.excludedPath = /faces/login.jsf config.authorizers = admin:$isAuthenticatedAdmin config.matchers = excludedPath:$excludedPathMatcher ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter ssoFilter.config = $config ssoFilter.clients = OidcClient ssoFilter.matchers = nocache ssoFilter.authorizers = admin logout = io.buji.pac4j.filter.LogoutFilter logout.config = $config logout.localLogout = true logout.centralLogout = true logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy
Here is what configuration looks like on Okta.
Okta (SAML 2.0)
SSO integration using SAML requires FlexDeploy to be running using HTTPS. You must also download the Okta Certificate (from within the Okta Edit SAML Settings).
and import it into the keystore which was created as part of the HTTPS configuration (adjust parameters below as appropriate).
/u01/java/jdk1.8.0_281/bin/keytool -import -alias okta -file /var/tmp/okta.cert -keystore /home/oracle/flexdeploy.keystore
Replace upper case text with appropriate values. You will need to define application in Okta console and update values in config file as shown below.
- FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed
- KEYSTORE_PASSWORD - The Java key store password.
- PRIVATE_KEY_PASSWORD -The private key password.
- OKTA_METADATA_URL - The URL (from Okta) to the identity provider metadata (e.g. https://dev-484624.okta.com/app/exk4c1ilhiTs3dKRb4y5/sso/saml/metadata).
- FLEXDEPLOY_HOST - FlexDeploy application host
- FLEXDEPLOY_PORT - FlexDeploy application port
saml2Config = org.pac4j.saml.config.SAML2Configuration saml2Config.keystorePath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/certs/samlKeystore.jks saml2Config.keystorePassword = KEYSTORE_PASSWORD saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD saml2Config.identityProviderMetadataPath = OKTA_METADATA_URL saml2Config.maximumAuthenticationLifetime = 3600 saml2Config.serviceProviderEntityId = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback?client_name=SAML2Client saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml saml2Client = org.pac4j.saml.client.SAML2Client saml2Client.configuration = $saml2Config clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback clients.clients=$saml2Client isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher excludedPathMatcher.excludedPath = /faces/login.jsf config.authorizers = admin:$isAuthenticatedAdmin config.matchers = excludedPath:$excludedPathMatcher ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter ssoFilter.config = $config ssoFilter.clients = SAML2Client ssoFilter.matchers = nocache ssoFilter.authorizers = admin logout = io.buji.pac4j.filter.LogoutFilter logout.config = $config logout.localLogout = true logout.centralLogout = true logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy
Configuration Tips
If the Java keystore referenced (line 2) does not exist, it will automatically be created, and key will be generated and inserted into the keystore using the passwords provided (line 3 and 4).
The Okta Identity Provider Metadata can be found from within the Sign-on tab of your Okta application.
Azure Active Directory
Replace upper case text with appropriate values.
- APPLICATION(CLIENT)ID
- CLIENTSECRET
- DIRECTORY(TENANT)ID
- FLEXDEPLOYHOST
- FLEXDEPLOYPORT
oidcConfig = org.pac4j.oidc.config.AzureAdOidcConfiguration oidcConfig.clientId = APPLICATION(CLIENT)ID oidcConfig.secret = CLIENTSECRET oidcConfig.discoveryURI = https://login.microsoftonline.com/DIRECTORY(TENANT)ID/.well-known/openid-configuration oidcConfig.useNonce = true oidcConfig.tenant = DIRECTORY(TENANT)ID azureAdClient = org.pac4j.oidc.client.AzureAdClient azureAdClient.configuration = $oidcConfig clients.callbackUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/callback clients.clients = $azureAdClient isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher excludedPathMatcher.excludedPath = /faces/login.jsf config.authorizers = admin:$isAuthenticatedAdmin config.matchers = excludedPath:$excludedPathMatcher ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter ssoFilter.config = $config ssoFilter.clients = AzureAdClient ssoFilter.matchers = nocache ssoFilter.authorizers = admin logout = io.buji.pac4j.filter.LogoutFilter logout.config = $config logout.localLogout = true logout.centralLogout = true logout.defaultUrl = https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy
Register application in Azure Active Directory.
Capture Application (client) ID and Directory (tenant) ID from App Registration.
Create and capture client secret.
Here is how URL values are configured on Azure App Registration.
- style