Single Sign-On
Version 23.4.8843
CData Sync supports single sign-on (SSO) via the OpenID Connect (OIDC) standard, which is built on OAuth 2.0. Identity providers that implement OpenID Connect, such as Azure Active Directory (Azure AD), can be used as an SSO platform for Sync.
Overview
Enabling single sign-on requires that you configure a group of settings on the Single Sign-On tab of the Settings page. Each of these settings is explained in the next section.
After you configure the SSO settings, each user that is created within Sync should be given a federation Id. The federation Id associates a Sync username with a specific identity in the identity provider. When a Sync user attempts to log in to the application, they are redirected to the SSO platform, where the credentials for the corresponding identity must be entered.
After SSO is configured and Sync users have a federation Id value to associate them with an identity provider, any additional advanced configuration for SSO user management should be performed directly in the SSO platform.
Note: Currently, Sync supports only individual users, not groups of users. If an SSO platform provides access for a group of users, each individual user within that group must be added as a user on the Sync Settings page in order to log in. Each user should reference the federation Id from the identity provider (as described below).
SSO Settings
This section details each of the SSO settings and what they represent within Sync. The details about these settings might depend on the identity provider that is used. A guide for Azure AD, specifically, is provided later on this page.
SSO URIs
Audience URIs
The value for this setting identifies the intended recipient of the SSO login token; that is, it ensures that tokens generated by the SSO platform are intended for use by Sync and not for some other application registered with the same identity provider. Sync compares this value against the audience (aud) claim of the token and rejects tokens that do not match. Set this value to the URI that identifies Sync as a trusted application within the SSO platform (for example, the application Id that the SSO platform generates for Sync).
You can set this value to a comma-separated list to accommodate multiple relevant URIs. Keep the list as short as possible: every URI you add is an audience whose tokens Sync will accept.
Authorization URL
The value for this setting is the URL where the user should perform authorization via the identity provider. When an SSO user attempts to log in to Sync, the application redirects the user to this URL where the user can enter the credentials for the SSO platform.
Typically, you should set this value to the OAuth 2.0 authorization endpoint of the identity provider that you use.
Token URL
The value for this setting is the URL where Sync obtains tokens from the identity provider. After the user authenticates at the Authorization URL, the identity provider returns an authorization code to the Sync redirect URI, and Sync then exchanges that code at the Token URL (authenticating with the OAuth client Id and secret) for the signed token that identifies the user. Typically, this is the OAuth 2.0 token endpoint of the identity provider.
Logoff URL
The value for this setting determines to where the Sync user should be redirected after logging out of the application.
Redirect URIs
Redirect URIs are configured in the identity provider (not in Sync) to indicate where users should be returned after they perform the authentication against the identity provider.
The syntax for the appropriate redirect URI for Sync is shown below:
base_sync_url/src/ssoCallback.rst
For example, if Sync is hosted on mydomain.com on port 8019, you should use the following redirect URI:
https://mydomain.com:8019/src/ssoCallback.rst
SSO Issuer Settings
Issuer Certificate
The value for this setting is the public portion of the certificate that the identity provider uses to sign JSON Web Tokens (JWT). Sync uses it to verify the signature of each token, so only tokens signed by the expected identity provider are accepted. Identity providers rotate signing keys, so make sure this setting is kept current with the keys the provider publishes.
Token Issuer Identifier
The value for this setting is the identifier that the identity provider places in the issuer (iss) claim of the JWT tokens it generates. Sync validates each token to ensure that its iss claim matches this value exactly. Together with the Issuer Certificate, this ensures that only tokens generated by the expected identity provider (and, for multi-tenant providers, the expected tenant) are accepted.
Federation Id Settings
Key Claim
This setting specifies which claim from the identity provider's token is treated as the federation Id when users are mapped from the identity provider to Sync usernames.
When a user logs in via the identity provider, Sync reads the claim named by Key Claim from the validated token and looks for a local Sync user whose federation Id equals that value. If no user matches, the login is refused.
The recommended value for this field is oid. You can set Key Claim to a different claim, as long as its value is unique to the user and does not change over the lifetime of the account; claims such as an e-mail address or display name can be reassigned or edited and are therefore poor choices.
OAuth Settings
OAuth Client ID
The value for this setting is the client Id associated with the OAuth application that is created in the identity provider.
OAuth Client Secret
The value for this setting is the client secret associated with the OAuth application that is created in the identity provider.
Default Scopes
The value for this setting is a space-separated list of scopes (that is, sets of permissions) to request from the identity provider. Typically, the scope list should include at least profile openid in order to request identity verification.
Other Settings
Token Signature Algorithm
This setting determines which signature algorithms are accepted on signed JWT tokens. Tokens whose header declares an algorithm outside this set are rejected, and unsigned tokens (for example, alg set to none) are never accepted, regardless of this setting.
Azure Active Directory Configuration
This section explains the values for each of the previously described settings when Azure AD is used as the identity provider.
- Audience URIs - Only one URI is required, which is the application Id (client Id) that Azure AD assigns for Sync.
- Authorization URL - This URL is the same as the OAuth 2.0 authorization endpoint (v2) that appears in the Endpoints list in Azure AD.
- Default Scopes - Only the scopes profile and openid are required. You can add more scopes, as necessary.
- Issuer Certificate - The public signing certificates that Azure AD might use are published at the jwks_uri location referenced in the Metadata Document described in the next subsection. Azure AD rotates these keys, so this setting must be updated when the published keys change.
- Key Claim - This value should be oid for the object Id, except in rare circumstances.
- OAuth Client ID - This value is the Application (client) ID that Azure AD assigns when you register an application for Sync in the portal.
- OAuth Client Secret - This value is the client secret that you generate for that application registration in Azure AD. Record it when it is created (it cannot be displayed again) and note its expiry date, because SSO logins fail once the secret expires.
- Token Issuer Identifier - This value is available in the Azure AD Metadata Document, which is described in the next subsection.
- Token Signature Algorithm - The default value RS256 should be used.
- Token URL - This value is available in the Azure AD Metadata Document, which is described in the next subsection.
- Logoff URL - This value is any URL to which users should be directed after they log off.
Metadata Document
The Azure AD portal includes a Metadata Document that lists important values you should use in configuring SSO. Locate this document in the portal by navigating to Endpoints > OpenID Metadata Document.
Check this document for values for the Token Issuer Identifier and Token URL fields listed earlier to ensure that your Azure AD configuration includes the appropriate values for your setup.
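To show how the Metadata Document fields line up with the Sync settings listed above, here is an added example, not CData code, that reads a constructed excerpt of an Azure AD v2.0 metadata document and produces the corresponding Sync values. It also flags one practical trap: the tenant-independent "common" metadata document reports an issuer containing the literal placeholder {tenantid}, which will never match the iss claim of a real token, so the tenant-specific document must be used for the Token Issuer Identifier. The tenant Id and document contents below are constructed.

```python
"""Map an Azure AD OpenID Metadata Document to Sync SSO settings (added example, not CData code)."""
import json

# Constructed excerpt of the tenant-independent ("common") v2.0 metadata document. Its issuer
# carries the literal {tenantid} placeholder, which cannot be used as the Token Issuer Identifier.
COMMON_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed excerpt of the tenant-specific document for a made-up tenant Id.
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
TENANT_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def sync_settings_from_metadata(document: str) -> dict:
    """Return the Sync SSO settings derived from a metadata document, or raise ValueError if unusable."""
    meta = json.loads(document)
    issuer = meta["issuer"]
    if "{" in issuer or "}" in issuer:
        raise ValueError(
            "issuer contains a template placeholder; use the tenant-specific metadata document"
        )
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider does not advertise RS256, which is the Sync default")
    return {
        "Token Issuer Identifier": issuer,
        "Authorization URL": meta["authorization_endpoint"],
        "Token URL": meta["token_endpoint"],
        # The Issuer Certificate itself is downloaded from this location, not the URL.
        "Issuer Certificate (source)": meta["jwks_uri"],
        "Token Signature Algorithm": "RS256",
    }
```

Use the tenant-specific document (the one the portal shows under Endpoints > OpenID Metadata Document for your tenant), and re-check it after any change to the tenant, since the issuer value must match the iss claim of issued tokens exactly.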
Redirect URIs
Azure AD must be configured with a redirect URI so that, after users authenticate, the authorization response is returned only to Sync and not to any other location. Azure AD rejects authorization requests whose redirect URI is not registered. The syntax for the appropriate redirect URI for Sync is shown below:
base_sync_url/src/ssoCallback.rst
For example, if Sync is hosted on mydomain.com on port 8019, the following redirect URI should be used:
https://mydomain.com:8019/src/ssoCallback.rst
Note: This URI is case-sensitive. Ensure that the capitalization matches.