Single Sign-On

Version 23.4.8839


CData Arc supports Single Sign-On (SSO) via the OpenID standard. Identity providers that implement OpenID, like Azure AD, can be used as an SSO platform for Arc.

Overview

Enabling SSO requires configuring a group of settings in the Settings page of the application, under the Single Sign-On tab. Each of these settings is explained in SSO Settings. You can also Import Settings from your SSO provider.

Once the SSO settings are configured, users created in Arc should be given a Federation ID. This Federation ID value ties together an Arc username with an identity provider entity. When the Arc user logs in to the application, they are redirected to the SSO platform where the credentials for the appropriate identity must be entered.

Once SSO has been configured and Arc users have a Federation ID value to associate them with an identity provider, any further configuration for SSO user management should be performed in the SSO platform itself.

Note: Arc currently only supports individual users, not groups of users. If an SSO platform provides access for a group of users, each individual user in that group must be added as a user on the Arc Users tab of the Settings page in order to log in. Each user should reference the Federation ID from the identity provider (as described below).

SSO Settings

This section details each of the SSO settings and what they represent in Arc. The details of these settings might differ based on your identity provider. A guide for Azure AD is provided later in this topic.

SSO URIs

  • Connector Id The static, unique identifier for the connector.
  • Connector Type Displays the connector name and a description of what it does.
  • Connector Description An optional field to provide a free-form description of the connector and its role in the flow.
  • Audience URIs The intended recipient of SSO login tokens. This ensures that tokens generated by the SSO platform were intended for use by Arc. Set this value to the URI that identifies Arc as a trusted application in the SSO platform (for example, the Application ID that the SSO platform generated for Arc). To accommodate multiple URIs, supply a comma-separated list.
  • Authorization URL The URL where the user performs authorization via the identity provider. When an SSO user attempts to log in to Arc, the application redirects the user to this URL, where they enter their credentials for the SSO platform.
  • Token URL The URL where a secure authentication token can be obtained from the identity provider. After a user authenticates via the Authorization URL, the identity provider redirects to this URL to generate a token from the credentials entered by the user.
  • Logoff URL Specifies where the Arc user is redirected after logging out of the application.
  • Redirect URIs Redirect URIs are configured in the identity provider (not Arc itself), to indicate where users should be returned once they perform the authentication against the identity provider.
    A redirect URI for Arc has the following structure: [base_arc_url]/src/ssoCallback.rst
    For example, if Arc is hosted on mydomain.com on port 8001, use the following redirect URI: https://mydomain.com:8001/src/ssoCallback.rst

SSO Issuer Settings

  • Issuer Certificate The public portion of the certificate that the identity provider uses to sign JWT tokens. This helps ensure that only tokens generated by the expected identity provider are accepted.
  • Token Issuer Identifier The identifier used by the identity provider when generating JWT tokens. Arc validates tokens to ensure that they include this identifier. This helps ensure that only tokens generated by the expected identity provider are accepted.

Federation ID Settings

  • Key Claim What value from the identity provider is treated as the Federation ID. In other words, this specifies the claim to use as the Federation ID when mapping users from the identity provider to Arc usernames.
    When an Arc user logs in via an identity provider, Arc compares the Federation ID for that local user against the identity claim from the provider. The Key Claim specifies the value from the identity provider that Arc should use for this comparison.
    CData recommends you use oid for this value, but you can set this to any value that is unique to the user.

OAuth Settings

  • OAuth Client ID The Client ID associated with the OAuth Application created in the identity provider.
  • OAuth Client Secret The Client Secret associated with the OAuth Application created in the identity provider.
  • Default Scopes A space-separated list of scopes (sets of permissions) to request from the identity provider. Typically the scopes should at least include profile openid to request identity verification.
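The first leg of the login described above (Arc sends the user to the Authorization URL with the OAuth Client ID, the Default Scopes and the redirect URI [base_arc_url]/src/ssoCallback.rst, and the provider sends the user back to that URI) is shown here as an added example that is not CData's code. All URLs, the client ID and the state value are constructed placeholders; the example assumes Arc keeps the state in the user's session and compares the callback URI character by character, since the redirect URI is case-sensitive.

```python
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values standing in for the Arc settings of the same name.
AUTHORIZATION_URL = "https://idp.example.test/oauth2/v2.0/authorize"
OAUTH_CLIENT_ID = "arc-client-id-example"
DEFAULT_SCOPES = "profile openid"            # space-separated, as entered in Arc
BASE_ARC_URL = "https://mydomain.com:8001"   # the example host used in this topic


def arc_redirect_uri(base_arc_url: str) -> str:
    """Build the callback URI that must be registered with the provider: [base_arc_url]/src/ssoCallback.rst."""
    return base_arc_url.rstrip("/") + "/src/ssoCallback.rst"


def build_authorization_request(state: Optional[str] = None) -> Tuple[str, str]:
    """Return (URL to redirect the browser to, state). The state is a fresh random value Arc keeps in the session."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": OAUTH_CLIENT_ID,
        "response_type": "code",
        "redirect_uri": arc_redirect_uri(BASE_ARC_URL),
        "scope": DEFAULT_SCOPES,
        "state": state,
    }
    return AUTHORIZATION_URL + "?" + urlencode(params), state


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Validate the provider's redirect back to Arc and return the authorization code it carries."""
    parsed = urlparse(callback_url)
    # Exact, case-sensitive comparison of scheme, host, port and path with the registered redirect URI.
    received = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if received != arc_redirect_uri(BASE_ARC_URL):
        raise ValueError(f"callback arrived at an unexpected URI: {received}")
    query = parse_qs(parsed.query)
    # The state ties this response to the login attempt that started it; any mismatch is discarded.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise ValueError(f"provider reported an error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The code returned by handle_callback is what Arc then presents at the Token URL; the ID token obtained there is checked against the issuer, audience and signature settings described in the following subsections.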

Other Settings

  • Token Signature Algorithm Which signature algorithms are accepted from signed JWT tokens. Unsigned tokens are never accepted.
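The checks that the SSO Issuer, Federation ID and Token Signature Algorithm settings above stand for (accepted algorithm, signature, Token Issuer Identifier, Audience URIs, expiry, then Key Claim against each user's Federation ID) are shown together in this added example, which is not CData's code. To run with only the Python standard library it verifies an HS256 token with a constructed shared key instead of an RS256 token against the Issuer Certificate; the order and meaning of the checks are the same. Issuer, audience, user table and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values standing in for the Arc settings of the same name.
TOKEN_ISSUER_IDENTIFIER = "https://issuer.example.test/v2.0"
AUDIENCE_URIS = ["arc-app-id-example"]    # Audience URIs, one entry per comma-separated value
ACCEPTED_ALGORITHMS = {"HS256"}           # Token Signature Algorithm allowlist (Azure AD: RS256)
KEY_CLAIM = "oid"                         # Key Claim whose value is compared with the Federation ID
# Constructed HMAC key used in place of the Issuer Certificate so the example needs no extra library.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
# Constructed Arc user table: username -> Federation ID (the provider's oid for that person).
LOCAL_USERS = {"alice": "11111111-aaaa-4bbb-8ccc-000000000001"}


class TokenRejected(Exception):
    """Raised for any token that must not be used to sign a user in."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, alg: str = "HS256") -> str:
    """Mint a JWT the way the constructed provider would; alg='none' produces an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(ISSUER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Apply the checks behind the SSO Issuer and Other settings; return the claims on success."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("header and payload must be JSON objects")
    # Token Signature Algorithm: only allowlisted algorithms, so 'none' (unsigned) is never accepted.
    if header.get("alg") not in ACCEPTED_ALGORITHMS:
        raise TokenRejected(f"signature algorithm not accepted: {header.get('alg')!r}")
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify against the issuer key")
    # Token Issuer Identifier: the iss claim must name the expected provider.
    if claims.get("iss") != TOKEN_ISSUER_IDENTIFIER:
        raise TokenRejected(f"unexpected issuer: {claims.get('iss')!r}")
    # Audience URIs: aud may be a string or a list; one entry must identify Arc.
    aud = claims.get("aud")
    if not any(a in AUDIENCE_URIS for a in (aud if isinstance(aud, list) else [aud])):
        raise TokenRejected(f"token was not issued for Arc: {aud!r}")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= float(claims["exp"]):
        raise TokenRejected("token is expired or carries no exp claim")
    return claims


def resolve_arc_user(token: str, now: Optional[float] = None) -> str:
    """Map the Key Claim of a validated token to the Arc user whose Federation ID equals it."""
    federation_id = validate_token(token, now).get(KEY_CLAIM)
    for username, fid in LOCAL_USERS.items():
        if federation_id is not None and fid == federation_id:
            return username
    # Membership in a provider group is not enough: the person must exist as an Arc user with this Federation ID.
    raise TokenRejected(f"no Arc user has Federation ID {federation_id!r}")
```

The algorithm check runs before anything else so that a token whose header claims alg none is refused without ever consulting a key, and the audience check accepts both the string and list forms the aud claim may take.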

Import Settings

You can click the Import Settings button to import settings from your SSO provider if you have your discovery URL. This provides values for settings such as Issuer Certificate, Token URLs, and so on. If you use this feature, the issuer certificates are automatically refreshed periodically to ensure that the application does not lock users out when the SSO provider rotates these certificates.

Azure AD Configuration

This section explains the likely values for each of the above settings when Azure AD is used as the identity provider.

  • Audience URIs Only one URI is required, which is the Application ID (client ID) that Azure AD has assigned for Arc.
  • Authorization URL This URL is the “OAuth 2.0 authorization endpoint (v2)” in the Endpoints list in Azure.
  • Default Scopes Only the scopes profile and openid are required; you can add other scopes if necessary.
  • Issuer Certificate The public certificates that Azure AD might use can be found here.
  • Key Claim Set this to the field name that the Federation ID is matched against when authentication is performed. In most situations, the correct name is oid, which represents the Object ID. This should only be set to a value other than oid in rare circumstances.
  • OAuth Client ID This value is assigned by Azure AD after creating an OAuth Application in the platform.
  • OAuth Client Secret This value is assigned by Azure AD after creating an OAuth Application in the platform.
  • Token Issuer Identifier This value can be found using the Azure AD Metadata Document which is described in the next subsection.
  • Token Signature Algorithm Use the default value RS256.
  • Token URL This value can be found using the Azure AD Metadata Document which is described in the next subsection.
  • Logoff URL Set this to any URL where users should be directed after logging off.

Metadata Document

The Azure AD portal includes a Metadata Document that lists important values to use when configuring SSO. You can find this document under Endpoints > OpenID Metadata Document in the portal.

Browse this document for the fields listed above to ensure that your Azure AD configuration includes the appropriate values for your setup.
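What Import Settings does with a discovery URL, and what you do by hand when browsing the Metadata Document, amounts to reading a small set of fields from that JSON document and copying them into the settings above. This added example (not CData's code) performs that mapping on a constructed metadata document. The field names are the standard OpenID Connect Discovery names (issuer, authorization_endpoint, token_endpoint, jwks_uri, end_session_endpoint, id_token_signing_alg_values_supported); the host and tenant id in the sample are placeholders, and the mapping of end_session_endpoint to Logoff URL is an assumption, since Arc accepts any logoff URL you choose.

```python
import json

# Constructed OpenID metadata document using the field names defined by OpenID Connect Discovery,
# the same shape as the portal's Endpoints > OpenID Metadata Document. Host and tenant id are placeholders.
METADATA_JSON = """{
  "issuer": "https://login.example.test/example-tenant-id/v2.0",
  "authorization_endpoint": "https://login.example.test/example-tenant-id/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.example.test/example-tenant-id/oauth2/v2.0/token",
  "end_session_endpoint": "https://login.example.test/example-tenant-id/oauth2/v2.0/logout",
  "jwks_uri": "https://login.example.test/example-tenant-id/discovery/v2.0/keys",
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"]
}"""

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def arc_settings_from_metadata(metadata_json: str) -> dict:
    """Translate a provider metadata document into the Arc SSO settings named in this topic."""
    doc = json.loads(metadata_json)
    missing = [field for field in REQUIRED_FIELDS if field not in doc]
    if missing:
        raise ValueError(f"metadata document is missing required fields: {missing}")
    # Every endpoint Arc contacts, and the issuer identifier it compares against, must be https;
    # a plain-http value would expose authorization codes, tokens and signing keys in transit.
    for field in REQUIRED_FIELDS:
        if not str(doc[field]).startswith("https://"):
            raise ValueError(f"{field} is not an https URL: {doc[field]!r}")
    # Azure AD signs with RS256 (the default Token Signature Algorithm); refuse a document that cannot offer it.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider does not advertise RS256 for ID token signatures")
    # scopes_supported is optional in discovery; when present it must cover the Default Scopes.
    for scope in ("openid", "profile"):
        if scope not in doc.get("scopes_supported", [scope]):
            raise ValueError(f"provider does not advertise the required scope {scope!r}")
    return {
        "Token Issuer Identifier": doc["issuer"],
        "Authorization URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        # Issuer Certificate: the provider's public signing keys are served from jwks_uri,
        # which is why Import Settings can refresh them when the provider rotates certificates.
        "Issuer Certificate (JWKS source)": doc["jwks_uri"],
        "Token Signature Algorithm": "RS256",
        # Assumption: the provider's end_session_endpoint is one reasonable Logoff URL.
        "Logoff URL (candidate)": doc.get("end_session_endpoint"),
    }
```

Comparing the issuer value produced here with the Token Issuer Identifier you entered is the quickest way to catch a tenant or endpoint-version mismatch before users start seeing rejected tokens.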

Redirect URIs

Azure AD must be configured with a Redirect URI to ensure login tokens are redirected back to Arc once users have authenticated. The appropriate redirect URI for Arc has the following structure:

[base_arc_url]/src/ssoCallback.rst

For example, if Arc is hosted on mydomain.com on port 8001, use the following redirect URI: https://mydomain.com:8001/src/ssoCallback.rst

Note: This value is case-sensitive.