OpenID Connect integration

AQtive Guard can use an SSO service by interacting with an identity provider using the OpenID Connect protocol.

Setup

Prerequisites

  • A running identity provider.
  • Access to AQtive Guard server configuration.

Identity server setup

You’ll need to confirm the following in your identity server configuration:

  • OpenID Connect Discovery is enabled.
  • Use of the Authorization Code Flow is allowed.
  • A client name and a client secret are created for AQtive Guard.

AQtive Guard setup

The OpenID Connect integration for AQtive Guard is configured by setting specific environment variables. You can do this by editing the .env file located at the root of your on-premises AQtive Guard installation.

You need to set the following variables:

  • OIDC_DISCOVERY_URL: Discovery URL for automatic OpenID endpoint configuration. It typically looks like https://your.id_provider.com/.well-known/openid-configuration
  • OIDC_CLIENT_NAME: Name assigned to AQtive Guard (i.e. the client) during your identity server configuration.
  • OIDC_SECRET: Secret password linked to the mentioned client.
  • OIDC_DEFAULT_ORG_ID: ID of the default organization for a user identified by the SSO.

Below are optional variables you can also set:

  • OIDC_BUTTON_LABEL: Text displayed on the SSO login button.
  • OIDC_USE_PING_FEDERATE: Set to true if your identity provider is PingFederate.
  • OIDC_RESOURCE: Optional parameter indicating the role claim(s) to include in the Access Token upon successful user authentication. Set this if it’s required by your identity provider.
  • OIDC_EXTRA_SCOPES: List of additional scopes to request, space-separated, alongside openid.
  • OIDC_SERVER_CERT: Path to the SSL CA bundle (a file or a directory) used to verify the OpenID server's TLS certificate, for example /etc/web/cert.pem. If unset, or if the path is invalid, the CA certificates trusted by the underlying OS are used instead.
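As an added example (not AQtive Guard's own code), the following Python pre-flight check parses these OIDC_* variables from a .env fragment and compares them with the identity provider's discovery document, so that a missing variable, a non-https discovery URL, a bad OIDC_SERVER_CERT path or a provider that does not offer the Authorization Code Flow is caught before the first login attempt. The .env values, the host id.example.com and the discovery document are constructed; fetch_discovery() is provided for use against a live provider.

```python
# Added example (not AQtive Guard code); the sample .env and discovery document are constructed.
import json, os, ssl, urllib.request
REQUIRED = ("OIDC_DISCOVERY_URL", "OIDC_CLIENT_NAME", "OIDC_SECRET", "OIDC_DEFAULT_ORG_ID")
WELL_KNOWN = "/.well-known/openid-configuration"

def parse_env(text):
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes."""
    env = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def fetch_discovery(url, ca_bundle=None):
    """Live fetch; trusts OIDC_SERVER_CERT (file or directory) when set, else the OS CA store."""
    cafile = ca_bundle if ca_bundle and os.path.isfile(ca_bundle) else None
    capath = ca_bundle if ca_bundle and os.path.isdir(ca_bundle) else None
    with urllib.request.urlopen(url, context=ssl.create_default_context(cafile=cafile, capath=capath)) as r:
        return json.load(r)

def check_config(env, discovery):
    """Return a list of problems; an empty list means the prerequisites above are met."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    url = env.get("OIDC_DISCOVERY_URL", "")
    if url and not (url.startswith("https://") and url.endswith(WELL_KNOWN)):
        problems.append(f"OIDC_DISCOVERY_URL must be an https URL ending in {WELL_KNOWN}")
    if "openid" in env.get("OIDC_EXTRA_SCOPES", "").split():
        problems.append("OIDC_EXTRA_SCOPES repeats openid, which is always requested")
    cert = env.get("OIDC_SERVER_CERT")
    if cert and not os.path.exists(cert):
        problems.append(f"OIDC_SERVER_CERT {cert} not found; the OS CA store would be used")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery:
            problems.append(f"discovery document lacks {key}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code (Authorization Code Flow)")
    # grant_types_supported is optional; the discovery spec default includes authorization_code.
    if "authorization_code" not in discovery.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("provider does not allow the authorization_code grant")
    return problems

SAMPLE_ENV = parse_env("""# constructed .env fragment
OIDC_DISCOVERY_URL=https://id.example.com/.well-known/openid-configuration
OIDC_CLIENT_NAME=aqtive-guard
OIDC_SECRET="replace-me"
OIDC_DEFAULT_ORG_ID=1
OIDC_EXTRA_SCOPES=openid profile email
""")
SAMPLE_DISCOVERY = {"issuer": "https://id.example.com", "response_types_supported": ["code", "id_token"],
                    "authorization_endpoint": "https://id.example.com/authorize",
                    "token_endpoint": "https://id.example.com/token"}  # jwks_uri left out on purpose
```

Running check_config(SAMPLE_ENV, SAMPLE_DISCOVERY) reports the repeated openid scope and the missing jwks_uri; fix both and it returns an empty list.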

Use

After configuring AQtive Guard to use OpenID Connect, you’ll notice a new Log in with OpenID button on the login page.

Selecting this button redirects you to a login page that’s managed by your identity provider. Once your credentials are validated, you’ll be redirected back to AQtive Guard.