Single Sign-On
Version 25.2.9314
CData Arc supports Single Sign-On (SSO) via the OpenID Connect and Security Assertion Markup Language (SAML) 2.0 standards. You can use identity providers (IdPs) that implement these standards as an SSO platform for Arc. IdPs include tools like Entra ID (formerly Azure AD) and Okta.
Overview
Enabling SSO requires configuring a group of settings on the SSO tab of the application Settings page. Each setting is explained below in SSO Settings. You can also Import Settings from your SSO provider.
Once the SSO settings are configured, users created in Arc need a Federation Id. The Federation Id value ties an Arc username to an IdP entity. When the Arc user logs in to the application, they are redirected to the SSO platform to enter the credentials for the appropriate identity.
Once SSO is configured and Arc users have a Federation Id value to associate them with an IdP, any further configuration for SSO user management should be performed in the SSO platform itself.
If Just-in-Time (JIT) provisioning is enabled, a new user account is automatically created in Arc the first time an IdP user logs in and no existing Arc user has a matching Federation Id. The account's details are based on attributes received from the IdP (for example, the user's name and email address), and it is assigned the Default Role specified in the SSO settings. This removes the need to create accounts by hand before users can sign in: Arc creates the account only after it has received a signed token or assertion from the IdP confirming the user's identity.
Note: Arc currently only supports individual users, not groups of users. If an SSO platform provides access for a group of users, you must add each individual user in that group on the Arc Users tab of the Settings page. Each user should reference the Federation Id from the IdP (as described below).
SSO Settings
This section describes each of the SSO settings and what they represent in Arc. The details of these settings might differ based on your IdP. A guide for Entra ID is provided for reference.
OpenID Connect Settings
- Callback URL The callback URL is configured in the IdP (not Arc) to indicate where users should be returned once they perform the authentication against the IdP. See Callback URL for more information.
- OAuth Client Id The client Id associated with the OAuth application created in the IdP.
- OAuth Client Secret The client secret associated with the OAuth application created in the IdP.
- Audience URIs The intended recipient of SSO login tokens. This ensures that tokens generated by the SSO platform are intended for use by Arc. Set this value to the URI that identifies Arc as a trusted application in your SSO platform (for example, the Application Id that the SSO platform generated for Arc). To accommodate multiple URIs, supply a comma-separated list.
- Discovery URL Required to Import Settings from your SSO provider.
- Issuer Certificate The public portion of the certificate that the IdP uses to sign JWT tokens. This helps ensure that only tokens generated by the expected IdP are accepted.
- Token Issuer Identifier The identifier used by the IdP when generating JWT tokens. Arc validates tokens to ensure that they include this identifier. This helps ensure that only tokens generated by the expected IdP are accepted.
- Authorization URL The URL where the user should perform authorization via the IdP. When an SSO user attempts to log in to Arc, the application redirects the user to this URL, where they enter their SSO platform credentials.
- Token URL The URL where a secure authentication token can be obtained from the IdP. After a user authenticates via the
- Logoff URL Specifies where the Arc user is redirected after logging out of the application.
- Default Scopes A space-separated list of scopes (sets of permissions) to request from the IdP. Typically the scopes should at least include profile openid to request identity verification (openid is the scope that makes the IdP return an ID token).
- Key Claim The value from the IdP to treat as the Federation Id. In other words, this specifies the claim to use as the Federation Id when mapping users from the IdP to Arc usernames. See Federation Id and Key Claim for more information.
- Token Signature Algorithm Which signature algorithms are accepted on signed JWT tokens. This is an allow-list: a token whose header names any other algorithm is rejected, and unsigned tokens (alg none) are never accepted, so a token cannot select a weaker algorithm for itself.
- Just-in-Time (JIT) Provisioning Whether a new user account is created automatically in Arc when a user first logs in. User details are based on the attributes provided in the claim.
- Default Role The Role (Support, Standard, or Admin) assigned to accounts created during JIT provisioning. If you select No Default Role, the role specified in the claim is used.
SAML 2.0 Settings
- Assertion Consumer Services (ACS) URL The endpoint on the Arc application where the IdP sends the SAML authentication response after a user successfully logs in. This is similar to the Callback URL setting in OpenID.
- Audience URI A unique identifier (typically the application’s Entity ID) that the SAML assertion is intended for. Used to validate that the response is meant for your application.
- SAML Discovery URL The endpoint used to determine which IdP should be used for authentication. Required to Import Settings from your SSO provider.
- Issuer Certificate The public portion of the certificate that the IdP uses to sign SAML responses and assertions. Helps ensure that only assertions generated by the expected IdP are accepted.
- Entity ID A globally unique identifier used to identify an IdP or service provider in a SAML authentication process (often formatted as a URI).
- SSO URL The IdP endpoint where the service provider redirects the user to initiate the SAML authentication flow.
- Logoff URL Specifies where the Arc user is redirected after logging out of the application.
- Just-in-Time (JIT) Provisioning Whether a new user account is created automatically in Arc when a user first logs in. User details are based on the attributes provided in the SAML assertion.
- Default Role The Role (Support, Standard, or Admin) assigned to accounts created during JIT provisioning. If you select No Default Role, the role specified in the SAML assertion is used.
Federation Id and Key Claim
When an Arc user logs in via an IdP, Arc compares the Federation Id for that local user against the identity claim from the provider. The Key Claim specifies the value from the IdP that Arc should use for this comparison.
CData recommends you set the Key Claim to a value that is unique and stable for every user in the IdP, such as oid. In this case, the Federation Id value can be obtained by finding the oid value assigned to the user in the IdP that needs access to Arc. Avoid claims that can be reassigned to a different person, such as an email address or preferred_username: if the IdP later gives that value to someone else, that person inherits the Arc account.
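The checks these settings describe, worked through as an added example in Python (not CData Arc code). It models the OpenID Connect path: allow-listed signature algorithm, exact issuer match, audience check, expiry, then the Key Claim looked up against each local user's Federation Id, with JIT provisioning and Default Role when no user matches. Arc verifies RS256 tokens against the Issuer Certificate; to run with the standard library only, the example signs with HS256 and a constructed key that stands in for that certificate. The settings, the users, the key and the role claim name are all assumptions.

```python
"""Offline model of the checks the OpenID Connect settings above describe,
and of the Key Claim -> Federation Id lookup (with JIT provisioning).

Added example; not CData Arc code.  Arc verifies RS256 tokens against the
Issuer Certificate, but to stay standard-library only this example signs
with HS256 (hmac) and treats the shared key as a stand-in for that
certificate.  Setting names mirror the SSO tab; claim names other than
iss/aud/exp/oid are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Assumed settings, in the shape of the OpenID Connect settings list above.
SSO_SETTINGS = {
    "token_issuer_identifier": "https://login.example-idp.test/tenant-1/v2.0",
    "audience_uris": ["11111111-2222-3333-4444-555555555555"],
    "token_signature_algorithms": ["HS256"],  # allow-list; "none" is never on it
    "key_claim": "oid",
    "jit_provisioning": True,
    "default_role": "Standard",               # None models "No Default Role"
}
ISSUER_KEY = b"constructed-demo-key-standing-in-for-the-issuer-cert"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding


def sign_token(claims: dict, alg: str = "HS256", key: bytes = ISSUER_KEY) -> str:
    """Mint a token as a toy IdP would; alg="none" yields an unsigned token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenRejected(Exception):
    pass


def validate_id_token(token: str, settings: dict, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Return the claims if every configured check passes, else raise TokenRejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}")
    # Token Signature Algorithm: the header's alg must be on the allow-list, so a
    # token cannot pick its own (weaker or absent) algorithm.  "none" never passes.
    alg = header.get("alg")
    if alg not in settings["token_signature_algorithms"]:
        raise TokenRejected(f"algorithm {alg!r} not accepted")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature does not verify against the issuer key")
    # Token Issuer Identifier: exact match, never a prefix or substring match.
    if claims.get("iss") != settings["token_issuer_identifier"]:
        raise TokenRejected(f"unexpected issuer {claims.get('iss')!r}")
    # Audience URIs: "aud" may be a string or a list; one value must be ours.
    aud = claims.get("aud")
    if not any(a in settings["audience_uris"] for a in (aud if isinstance(aud, list) else [aud])):
        raise TokenRejected(f"audience {aud!r} is not this application")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired or carries no exp")
    return claims


def resolve_user(claims: dict, users: dict, settings: dict) -> dict:
    """Match the Key Claim against each local user's Federation Id; JIT-provision
    if allowed.  `users` maps username -> {"federation_id": ..., "role": ...}."""
    federation_id = claims.get(settings["key_claim"])
    if not federation_id:
        raise TokenRejected(f"token has no {settings['key_claim']!r} claim")
    for username, user in users.items():
        if user["federation_id"] == federation_id:
            return {"username": username, "role": user["role"], "provisioned": False}
    if not settings["jit_provisioning"]:
        raise TokenRejected("no user with this Federation Id and JIT provisioning is off")
    # Default Role, or (with No Default Role) the role claim; "role" is an assumed name.
    role = settings["default_role"] or claims.get("role")
    if role not in ("Support", "Standard", "Admin"):
        raise TokenRejected(f"no usable role for JIT provisioning: {role!r}")
    username = claims.get("preferred_username") or federation_id
    users[username] = {"federation_id": federation_id, "role": role}
    return {"username": username, "role": role, "provisioned": True}


def login(token: str, users: dict, settings: dict = SSO_SETTINGS, now=None) -> dict:
    """Full flow; returns {"ok": True, ...user} or {"ok": False, "reason": ...}."""
    try:
        return {"ok": True, **resolve_user(validate_id_token(token, settings, now=now), users, settings)}
    except TokenRejected as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    users = {"alice": {"federation_id": "3f2a-oid-alice", "role": "Admin"}}
    good = {"iss": SSO_SETTINGS["token_issuer_identifier"], "aud": SSO_SETTINGS["audience_uris"][0],
            "exp": int(time.time()) + 600, "oid": "3f2a-oid-alice"}
    print(login(sign_token(good), users))                      # matched by Federation Id
    print(login(sign_token(good, alg="none"), users))          # unsigned: rejected
    print(login(sign_token({**good, "oid": "new-oid", "preferred_username": "bob"}), users))  # JIT
```

The order of the checks matters: the algorithm allow-list and the signature are checked before any claim is read, so issuer, audience and Key Claim values are only ever taken from a token the configured issuer actually signed.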
Import Settings
If you have your OpenID Discovery URL or your SAML Discovery URL, you can click the Import Settings button to import settings from your SSO provider. This provides values for settings such as Issuer Certificate, Token URLs, and so on. When you use this feature, the issuer certificates are automatically refreshed periodically to ensure that the application does not lock users out when the SSO provider rotates these certificates.
Entra ID (Azure AD) Configuration
This section explains the likely values for each of the above settings when Entra ID is used as the OpenID IdP.
- Callback URL Set this to the URL where users should be taken after authenticating with the IdP.
- OAuth Client Id This value is assigned by Entra ID after creating an OAuth application in the platform.
- OAuth Client Secret This value is assigned by Entra ID after creating an OAuth application in the platform.
- Audience URIs Only one URI is required, which is the Application Id (client Id) that Entra ID has assigned for Arc.
- Issuer Certificate The public signing certificates that Entra ID might use are published at the jwks_uri listed in the Entra ID metadata document described below. Entra ID rotates these keys periodically, so prefer Import Settings, which refreshes them automatically, over pasting a single certificate.
- Token Issuer Identifier Find this value using the Entra ID Metadata Document described below.
- Authorization URL This URL is the OAuth 2.0 authorization endpoint (v2) in the Endpoints list in Entra ID.
- Token URL Find this value using the Entra ID metadata document described below.
- Logoff URL Set this to the URL where users should be taken after logging off.
- Default Scopes Only the scopes profile and openid are required; you can add other scopes if necessary.
- Token Signature Algorithm Use the default value RS256.
- Key Claim Set this to the field name that the Federation Id is matched against when authentication is performed. In most situations, the correct name is oid, which represents the object Id. This should only be set to a value other than oid in rare circumstances.
- Just-in-Time (JIT) Provisioning Check this if you want user accounts to be created automatically when a user first logs in. The new user details are based on the attributes provided in the claim.
- Default Role The Role (Support, Standard, or Admin) assigned to accounts created during JIT provisioning. If you select No Default Role, the role specified in the claim is used.
Metadata Document
The Entra ID portal includes a metadata document that lists important values to use when configuring SSO. You can find this document under Endpoints > OpenID Metadata Document in the portal.
Browse the document for the fields listed above to ensure that your Entra ID configuration includes the appropriate values for your setup.
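How the metadata document's fields line up with the settings above, as an added example in Python (not Arc's Import Settings implementation). It parses a discovery document, applies the checks a practitioner would want before trusting an imported issuer (issuer matches the discovery URL, endpoints are https, RS256 is offered), and maps the fields onto the Arc setting names. The document is constructed to match the shape Entra ID serves at the tenant-specific v2.0 openid-configuration URL; the tenant id is a placeholder.

```python
"""Map an OpenID Connect discovery (metadata) document onto the Arc OpenID
Connect settings above, as Import Settings and the Entra ID metadata document
do.  Added example, not Arc's importer.  DISCOVERY_DOC is constructed to match
the shape Entra ID serves at
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration;
the tenant id is a placeholder."""
import json

TENANT = "aaaaaaaa-0000-0000-0000-000000000000"          # placeholder tenant id
BASE = f"https://login.microsoftonline.com/{TENANT}"
DISCOVERY_URL = f"{BASE}/v2.0/.well-known/openid-configuration"
DISCOVERY_DOC = json.dumps({                              # constructed sample
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "end_session_endpoint": f"{BASE}/oauth2/v2.0/logout",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def variant(doc_text: str, **overrides) -> str:
    """Return the document with some fields replaced (for negative cases)."""
    doc = json.loads(doc_text)
    doc.update(overrides)
    return json.dumps(doc)


def import_settings(doc_text: str, discovery_url: str) -> dict:
    """Return {"settings": {...} or None, "problems": [...]}.  Any problem blocks
    the import: importing a wrong issuer or a plain-http token endpoint is worse
    than importing nothing."""
    problems = []
    doc = json.loads(doc_text)
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"metadata document lacks {key}")
    if problems:
        return {"settings": None, "problems": problems}
    issuer = doc["issuer"]
    # Entra's "common"/"organizations" discovery endpoints return a templated
    # issuer ("{tenantid}") that can never equal a real token's iss claim.
    if "{tenantid}" in issuer:
        problems.append("templated issuer: use the tenant-specific discovery URL")
    # OpenID Connect Discovery requires the document to be served from
    # <issuer>/.well-known/openid-configuration; anything else is a
    # misconfiguration or a document that does not belong to this issuer.
    elif discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer} does not match the discovery URL")
    for key in REQUIRED + ("end_session_endpoint",):
        url = doc.get(key)
        if url is not None and not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append(f"IdP does not offer RS256 (advertises {algs})")
    scopes = doc.get("scopes_supported")
    if scopes is not None and not {"openid", "profile"} <= set(scopes):
        problems.append("IdP does not advertise the openid and profile scopes")
    if problems:
        return {"settings": None, "problems": problems}
    return {"settings": {
        "Token Issuer Identifier": issuer,
        "Authorization URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        "Logoff URL": doc.get("end_session_endpoint"),
        "Issuer Certificate": f"refresh from {doc['jwks_uri']}",
        "Token Signature Algorithm": "RS256",
        "Default Scopes": "openid profile",
    }, "problems": []}


if __name__ == "__main__":
    for name, value in import_settings(DISCOVERY_DOC, DISCOVERY_URL)["settings"].items():
        print(f"{name}: {value}")
    templated = variant(DISCOVERY_DOC, issuer="https://login.microsoftonline.com/{tenantid}/v2.0")
    print(import_settings(templated, DISCOVERY_URL)["problems"])
```

The templated-issuer check is the one Entra ID users most often trip over: the common and organizations discovery endpoints serve an issuer containing a literal {tenantid}, which never equals the iss claim of a real token, so the tenant-specific metadata document is the one to import.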
Callback URL
Entra ID must be configured with a callback URL to ensure login tokens are redirected back to Arc once users have authenticated. The callback URL for Arc has the following structure:
[base_arc_url]/src/ssoCallback.rst
For example, if Arc is hosted on mydomain.com on port 8001, use the following redirect URI: https://mydomain.com:8001/src/ssoCallback.rst
Note: This value is case-sensitive.