Single Sign-On

Version 24.2.9039


Single Sign-On


CData Arc supports Single Sign On (SSO) via the OpenID standard. You can use identity providers that implement OpenID, such as Azure AD, as an SSO platform for Arc.

Overview

Enabling SSO requires configuring a group of settings on the SSO tab of the application Settings page. Each setting is explained below in SSO Settings. You can also Import Settings from your SSO provider.

Once the SSO settings are configured, users created in Arc need a Federation Id. The Federation Id value ties an Arc username to an identity provider entity. When the Arc user logs in to the application, they are redirected to the SSO platform to enter the credentials for the appropriate identity.

Once SSO is configured and Arc users have a Federation Id value to associate them with an identity provider, any further configuration for SSO user management should be performed in the SSO platform itself.

Note: Arc currently only supports individual users, not groups of users. If an SSO platform provides access for a group of users, you must add each individual user in that group on the Arc Users tab of the Settings page. Each user should reference the Federation Id from the identity provider (as described below).

SSO Settings

This section describes each of the SSO settings and what they represent in Arc. The details of these settings might differ based on your identity provider. A guide for Azure AD is provided for reference.

  • Audience URIs The intended recipient of SSO login tokens. This ensures that tokens generated by the SSO platform are intended for use by Arc. Set this value to the URI that identifies Arc as a trusted application in your SSO platform (for example, the Application Id that the SSO platform generated for Arc). To accommodate multiple URIs, supply a comma-separated list.
  • Key Claim The value from the identity provider to treat as the Federation Id. In other words, this specifies the claim to use as the Federation Id when mapping users from the identity provider to Arc usernames. See Federation Id and Key Claim for more information.
  • OAuth Client Id The client Id associated with the OAuth application created in the identity provider.
  • OAuth Client Secret The client secret associated with the OAuth application created in the identity provider.
  • Issuer Certificate The public portion of the certificate that the identity provider uses to sign JWT tokens. This helps ensure that only tokens generated by the expected identity provider are accepted.
  • Authorization URL The URL where the user should perform authorization via the identity provider. When an SSO user attempts to login in to Arc, the application redirects the user to this URL where they enter their SSO platform credentials.
  • Default Scopes A space-separated list of scopes (sets of permissions) to request from the identity provider. Typically the scope(s) should at least include profile openid to request identity verification.
  • Token Issuer Identifier The identifier used by the identity provider when generating JWT tokens. Arc validates tokens to ensure that they include this identifier. This helps ensure that only tokens generated by the expected identity provider are accepted.
  • Token Signature Algorithm Which signature algorithms are accepted from signed JWT tokens. Unsigned tokens are never accepted.
  • Token URL The URL where a secure authentication token can be obtained from the identity provider. After a user authenticates via the Authorization URL, the identity provider redirects to this URL to generate a token from the credentials entered by the user.
  • Logoff URL Specifies where the Arc user is redirected after logging out of the application.
  • Callback URL The callback URL is configured in the identity provider (not Arc) to indicate where users should be returned once they perform the authentication against the identity provider. See Callback URL for more information.

Federation Id and Key Claim

When an Arc user logs in via an identity provider, Arc compares the Federation Id for that local user against the identity claim from the provider. The Key Claim specifies the value from the identity provider that Arc should use for this comparison.

CData recommends you use oid for this value, but you can set it to any value that is unique to the user.

Import Settings

If you have your OpenID Discovery URL, you can click the Import Settings button to import settings from your SSO provider. This provides values for settings such as Issuer Certificate, Token URLs, and so on. When you use this feature, the issuer certificates are automatically refreshed periodically to ensure that the application does not lock users out when the SSO provider rotates these certificates.

Azure AD Configuration

This section explains the likely values for each of the above settings when Azure AD is used as the identity provider.

  • Audience URIs Only one URI is required, which is the Application Id (client Id) that Azure AD has assigned for Arc.
  • Key Claim Set this to the field name that the Federation Id is matched against when authentication is performed. In most situations, the correct name is oid, which represents the object Id. This should only be set to a value other than oid in rare circumstances.
  • OAuth Client Id This value is assigned by Azure AD after creating an OAuth application in the platform.
  • OAuth Client Secret This value is assigned by Azure AD after creating an OAuth application in the platform.
  • Issuer Certificate The public certificates that Azure AD might use can be found here.
  • Authorization URL This URL is the OAuth 2.0 authorization endpoint (v2) in the Endpoints list in Azure AD.
  • Default Scopes Only the scopes profile and openid are required; you can add other scopes if necessary.
  • Token Issuer Identifier Find this value using the Azure AD Metadata Document described below.
  • Token Signature Algorithm Use the default value RS256.
  • Token URL Find this value using the Azure AD metadata document described below.
  • Logoff URL Set this to the URL where users should be taken after logging off.
  • Callback URL Set this to the URL where users should be taken after authenticating with the identity provider.

Metadata Document

The Azure AD portal includes a metadata document that lists important values to use when configuring SSO. You can find this document under Endpoints > OpenID Metadata Document in the portal.

Browse the document for the fields listed above to ensure that your Azure AD configuration includes the appropriate values for your setup.

Callback URL

Azure AD must be configured with a callback URL to ensure login tokens are redirected back to Arc once users have authenticated. The callback URL for Arc has the following structure:

[base_arc_url]/src/ssoCallback.rst

For example, if Arc is hosted on mydomain.com on port 8001, use the following redirect URI: https://mydomain.com:8001/src/ssoCallback.rst

Note: This value is case-sensitive.