Configuring OAuth 2.0 in SEI
To configure a provider in SEI, make sure to have registered SEI with the OAuth provider in order to obtain the required parameters. For more information, refer to Creating an OAuth 2.0 Client.
Creating a Provider
-
Go to the Administration menu in the top-right corner.
-
Click the Security menu.
-
Click Authentication in the menu list.
-
Click the + icon. This adds a new item under the Providers list and provides an empty form to configure a new OAuth provider.
Two tabs are available for each provider:
-
General: Enter the required parameters as described in Setting tup OAuth 2.0 Provider Parameters.
-
Users: This tab defines which users will be able to log in into the Web Client and the mapping between the Web Client user and the OAuth provider user. Follow the steps described in Linking Users to an OAuth 2.0 Provider.
-
Setting up OAuth 2.0 Provider Parameters
It is recommended that the Web Client be registered with the chosen OAuth provider to obtain the required information. Follow the steps in Creating an OAuth 2.0 Client.
| General tab parameter | Description |
|---|---|
| Activate |
The toggle button defines whether the OAuth provider should be available for the users to log in from the Login page. When this option is enabled, a new button is displayed under External Accounts on the Login page. |
| Description |
This is the text that will be displayed for the button that will be shown for the created provider on the Login page. By default, it is set as New Provider and it is recommended that the text be changed to a label that is meaningful for the users when they go on the Login page. |
| Client ID |
Enter the unique public identifier provided by the authorization server. |
| Client Secret |
Enter the unique secret string that is only supposed to be known by the Web Client and the authorization server. The value set is secretive and therefore the text will be hidden after setting it. |
| Discovery Endpoint |
This endpoint is optional in the configuration screen. The intention of the endpoint is to automatically populate the other required endpoints by retrieving the information from the available metadata. After filling the Discovery Endpoint field, click the Discover button to populate the values for Authorization Endpoint, Token Endpoint and User Info Endpoint. A drop-down list will be accessible for Scopes with the available scopes for the OAuth provider. Also, the User Identifier field will contain a drop-down list with available claims that can be used. This endpoint is available via /.well-known/openid-configuration. |
| Authorization Endpoint |
This URL will be the first endpoint that users will go to authenticate themselves for the OAuth provider. This parameter also gives permission for the provider to give Web Client limited information. This endpoint is available via /authorize. |
| Token Endpoint |
This URL will get the Access Token that will be used to obtain the user's information. This endpoint is available via /token. |
| Scopes |
These values will define the permissions to be given to Web Client. The permissions given should be enough to get the user's information to do the user mapping. Typically, the scopes needed would be openid, email, offline_access, however each provider may have different scopes. For example, offline_access is added by default, but if it is not an available scope then it should be removed. |
| Redirect URLs |
The URLs defined for the Web Client and Excel Add-in are needed to be saved in the authentication server. If the authentication server needs to be redirected to another URL, change the URL in this field. For Excel Add-in, the port number defined will be the one that is available on the local machine where the Excel Add-in is installed. |
| User Info Endpoint |
The endpoint will retrieve the information of the user logging in. The information returned will be used to log into Web Client. This endpoint is available via /userinfo. |
| User Identifier |
This parameter specifies the claim that will be used to retrieve the mapped value in the Web Client user information. For example, if the User Identifier is set to email, this parameter will search for the value of email based on the User Info Endpoint and use it to compare and map the Web Client user. |
Linking Users to an OAuth 2.0 Provider
After clicking Save in the General tab, the Users tab is enabled. This tab allows users to configure the mapping between the Web Client and the newly-created OAuth provider.
A user will not be able to log in to the Web Client using the provider if:
-
They are not listed in the grid;
-
The mapping value is not correctly set for that user.
In the Users Tab, the view contains:
-
Grid to view the users that have already been added;
-
+ icon to add more users to give them the possibility to use the provider;
-
Trash icon to delete any of the existing users from the list.
| Users tab parameter | Description |
|---|---|
| Username |
Indicates the Web Client user's username that is used to log in. |
| Name |
Indicates the Web Client user's name associated to the username. |
|
Indicates the Web Client user's email associated to the username. |
|
| User identifier |
This is the only editable parameter. It specifies the value that is expected to be returned by the OAuth provider for the specified User Identifier claim under the General Tab. For example, if the claim specified for User Identifier is email, this field should specify the user's email associated to the provider. |
In the Cloud, ADMIN and ADMCA account will not be able to be mapped to an OAuth provider. If it is required to log in with an ADMCA account and then create a Normal User and set the Is Administrator flag to True.
Logging In with OAuth 2.0 in SEI
After the configuration of the OAuth provider is completed, if a provider has been activated two sections are displayed on the Login page:
-
Basic Authentication: Basic Authentication will be used when the user wishes to log in with their normal username and password or with a specified domain.
-
External Accounts: If there are OAuth providers active and/or SAML 2.0 has been configured, the user will be directed to a Login page with a button for each configured SSO.
Note that the button to log in with SAML 2.0 will only appear for the first Central Point in the list.
Within the Authentication view, you can disable the Web Client Basic Authentication form when there is an active OAuth provider setup. If this is disabled, you will only see active External Accounts.
Logging in with OAuth 2.0 in the Excel Add-in
After the configuration in the Web Client is completed, users can log into Excel Add-in using the OAuth providers.
On the Login popup of Excel Add-in, two radio buttons are available:
-
Basic Authentication: When the Basic Authentication option is selected, the user can log in with their normal username and password or with a specified domain.
-
External Accounts: For the selected Central Point, if External Accounts is selected, the drop-down list will display the available SSO that the user can log in with.
Note that signing into SAML 2.0 will only appear for the Central Point that it was configured for.