OpenID Connect integration
AQtive Guard can use an SSO service by interacting with an identity provider using the OpenID Connect protocol.
Setup
Prerequisites
- A running identity provider.
- Access to AQtive Guard server configuration.
Identity server setup
You’ll need to confirm the following in your identity server configuration:
- OpenID Connect Discovery is enabled.
- Use of the Authorization Code Flow is allowed.
- A client name and a client secret are created for AQtive Guard.
AQtive Guard setup
The OpenID Connect integration for AQtive Guard is configured by
setting specific environment variables. You can do this by editing the .env
file located at the root of your on-premises AQtive Guard installation.
You need to set the following variables:
OIDC_DISCOVERY_URL
: Discovery URL for automatic OpenID endpoint configuration. It typically looks like https://your.id_provider.com/.well-known/openid-configuration
OIDC_CLIENT_NAME
: Name assigned to AQtive Guard (i.e. the client) during your identity server configuration.
OIDC_SECRET
: Secret password linked to the mentioned client.
OIDC_DEFAULT_ORG_ID
: ID of the default organization for a user identified by the SSO.
Below are optional variables you can also set:
OIDC_BUTTON_LABEL
: Text displayed on the SSO login button.
OIDC_USE_PING_FEDERATE
: Set to true if your identity provider is PingFederate.
OIDC_RESOURCE
: Optional parameter indicating the role claim(s) to include in the Access Token upon successful user authentication. Set this if it’s required by your identity provider.
OIDC_EXTRA_SCOPES
: List of additional scopes to request, space-separated, alongside openid.
OIDC_SERVER_CERT
: Path to the SSL CA bundle (a file or directory) used to verify OpenID servers (such as /etc/web/cert.pem). If unset or the path is invalid, it falls back to the CA certificates trusted by the underlying OS.
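As an added example (not part of the AQtive Guard product or its documentation), the following Python preflight check parses the OIDC_* variables above from a .env fragment and inspects the provider's discovery document for the prerequisites listed under Identity server setup; the .env values and the discovery document are constructed placeholders.

```python
"""Preflight check for the OIDC_* variables above: a constructed example, not AQtive
Guard code. It parses a .env fragment and inspects a constructed discovery document."""
import json
REQUIRED = ("OIDC_DISCOVERY_URL", "OIDC_CLIENT_NAME", "OIDC_SECRET", "OIDC_DEFAULT_ORG_ID")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Constructed .env fragment; the secret is a placeholder.
SAMPLE_ENV = """
OIDC_DISCOVERY_URL=https://your.id_provider.com/.well-known/openid-configuration
OIDC_CLIENT_NAME=aqtive-guard
OIDC_SECRET=REPLACE_WITH_CLIENT_SECRET
OIDC_DEFAULT_ORG_ID=1
OIDC_EXTRA_SCOPES=profile email
"""

# Constructed discovery document (a subset of what a real provider returns).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your.id_provider.com",
    "authorization_endpoint": "https://your.id_provider.com/authorize",
    "token_endpoint": "https://your.id_provider.com/token",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def check_env(env):
    """Return the problems found in the OIDC_* variables (empty list when OK)."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    url = env.get("OIDC_DISCOVERY_URL", "")
    if url and not (url.startswith("https://") and url.endswith(DISCOVERY_SUFFIX)):
        problems.append("OIDC_DISCOVERY_URL should be an https URL ending in " + DISCOVERY_SUFFIX)
    return problems

def check_discovery(doc_json, extra_scopes=""):
    """Return problems: no Authorization Code Flow, or requested scopes not advertised."""
    doc = json.loads(doc_json)
    problems = []
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code (Authorization Code Flow)")
    supported = set(doc.get("scopes_supported", []))
    problems += [f"scope {s!r} not advertised" for s in ["openid", *extra_scopes.split()]
                 if supported and s not in supported]
    return problems
```

Run `check_env(parse_env(open(".env").read()))` against the real file to catch a missing variable before restarting the server; the discovery document can be fetched from OIDC_DISCOVERY_URL and passed to `check_discovery`.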
Use
After configuring AQtive Guard to use OpenID Connect, you’ll notice a new Log in with OpenID button on the login page.
Selecting this button redirects you to a login page that’s managed by your identity provider. Once your credentials are validated, you’ll be redirected back to AQtive Guard.