OAuth authentication

OAuth authentication (Open Authorization) is an open standard for access delegation that enables secure, token-based authorization with granular permissions, allowing third-party applications to access user resources without exposing credentials.

Activating OAuth

Warning: When you introduce changes to the processmining.conf file, make sure that you do it correctly. For more information, see Configuration file editing guidelines.
To enable OAuth, complete the following steps:
  1. Edit the profile section in <PM_HOME>/etc/processmining.conf
  2. Replace sso_none with sso_oauth as in the following example:
         profiles: [
           "sso_oauth", # sso_none | sso_saml | sso_oauth
         ]
  3. Edit the `authentication` section to select `oauth` as in the following example:

         <PM_HOME>/etc/processmining.conf:
         authentication: {
           mode: "oauth", # ldap | basic | saml | oauth
         }

Minimal configuration

  1. Fill the `sso.oauth` section by configuring the parameters inside the identity provider, as in the following example:
    Note: All values inside the `idp` section are taken from the SSO (single sign-on) authentication.
    
     oauth: {
       sp.base.url: "https://<PM HOST NAME>",
       idp: {
         clientId: "<IDP CLIENT ID>",
         clientSecret: "<IDP CLIENT SECRET>",
         authorizationUri: "https://<SSO HOST NAME>/oidc/endpoint/default/authorize",
         tokenUri: "https://<SSO HOST NAME>/oidc/endpoint/default/token",
         userInfoUri: "https://<SSO HOST NAME>/oidc/endpoint/default/userinfo",
         jwkSetUri: "https://<SSO HOST NAME>/oidc/endpoint/default/jwks",
         clientName: "<IDP CLIENT NAME>",
         #userNameAttributeName: "email",
       }
     },
    
    Note:
    • If the SSO uses a non-default attribute to pass the username to the application, you can customize it by uncommenting the `userNameAttributeName` field and setting it to the attribute name.
    • With a Microsoft Entra ID SSO, the custom attribute cannot be fetched through the default flow. In this case, you must leave the `userInfoUri` parameter empty.
  2. Define the SSO redirect URL by copying the following URL into the identity provider:
    https://app.<PM HOST NAME>/login/oauth2/code/pmoauthreg
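The following pre-flight check is an added example and is not part of the product documentation or the product. It assumes processmining.conf has already been parsed into a Python dict shaped like the snippets above (a `profiles` list, `authentication.mode`, and `sso.oauth` with its `idp` block; the key `sp.base.url` is treated as a literal key), and it encodes the checks a practitioner wants before handing the configuration to the identity provider: the profile and mode are switched to OAuth, no angle-bracket placeholder was copied verbatim, every endpoint is https, and the Microsoft Entra ID rule (custom username attribute only with an empty `userInfoUri`) is honoured. It also builds the redirect URL in the form shown above so it can be registered at the identity provider without retyping it.

```python
"""Pre-flight check for the OAuth settings in processmining.conf.

Added example, not part of the product documentation or the product itself.
It assumes the configuration file has already been parsed into a Python dict
shaped like the documented snippets (profiles, authentication.mode and
sso.oauth.idp); the parsing of the file is left to your own tooling.
"""
import re
from urllib.parse import urlparse

# Unfilled documentation placeholders look like "<IDP CLIENT ID>".
PLACEHOLDER = re.compile(r"<[^>]+>")
# Keys the documented minimal configuration always fills in. userInfoUri is
# deliberately absent: Microsoft Entra ID with a custom username attribute
# requires it to be empty.
REQUIRED_IDP_KEYS = ("clientId", "clientSecret", "authorizationUri",
                     "tokenUri", "jwkSetUri", "clientName")
URI_KEYS = ("authorizationUri", "tokenUri", "userInfoUri", "jwkSetUri")


def make_sample_config(**idp_overrides):
    """Constructed sample configuration mirroring the documented snippets."""
    idp = {
        "clientId": "pm-client",
        "clientSecret": "constructed-secret",
        "authorizationUri": "https://sso.example.com/oidc/endpoint/default/authorize",
        "tokenUri": "https://sso.example.com/oidc/endpoint/default/token",
        "userInfoUri": "https://sso.example.com/oidc/endpoint/default/userinfo",
        "jwkSetUri": "https://sso.example.com/oidc/endpoint/default/jwks",
        "clientName": "Process Mining",
    }
    idp.update(idp_overrides)
    return {
        "profiles": ["sso_oauth"],
        "authentication": {"mode": "oauth"},
        "sso": {"oauth": {"sp.base.url": "https://pm.example.com", "idp": idp}},
    }


def validate_oauth_config(cfg, entra_id=False):
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    # Steps 2 and 3 of "Activating OAuth": profile and authentication mode.
    if "sso_oauth" not in cfg.get("profiles", []):
        findings.append("profiles does not contain sso_oauth (sso_none must be replaced)")
    mode = cfg.get("authentication", {}).get("mode")
    if mode != "oauth":
        findings.append(f"authentication.mode is {mode!r}, expected 'oauth'")

    oauth = cfg.get("sso", {}).get("oauth", {})
    idp = oauth.get("idp", {})

    # Required fields present, and no placeholder copied verbatim from the docs.
    if not oauth.get("sp.base.url"):
        findings.append("sp.base.url is missing or empty")
    for key in REQUIRED_IDP_KEYS:
        if not idp.get(key):
            findings.append(f"idp.{key} is missing or empty")
    values = [(k, v) for k, v in oauth.items()] + [(f"idp.{k}", v) for k, v in idp.items()]
    for key, val in values:
        if isinstance(val, str) and PLACEHOLDER.search(val):
            findings.append(f"{key} still contains a placeholder: {val}")

    # The client secret and the authorization code travel over these URLs, so
    # they must be https. An empty userInfoUri is skipped (Entra ID case).
    endpoints = [("sp.base.url", oauth.get("sp.base.url"))]
    endpoints += [(f"idp.{k}", idp.get(k)) for k in URI_KEYS]
    for key, val in endpoints:
        if val and urlparse(val).scheme != "https":
            findings.append(f"{key} must use https: {val}")

    # Documented Entra ID caveat: a custom username attribute cannot be fetched
    # through the default flow, so userInfoUri has to be empty in that case.
    if entra_id and idp.get("userNameAttributeName") and idp.get("userInfoUri"):
        findings.append("Microsoft Entra ID with userNameAttributeName requires an empty userInfoUri")
    return findings


def redirect_uri(sp_base_url):
    """Redirect URL to register at the identity provider, built exactly as the
    documentation shows it (an app. prefix on the Process Mining host name)."""
    host = urlparse(sp_base_url).hostname
    return f"https://app.{host}/login/oauth2/code/pmoauthreg"


if __name__ == "__main__":
    cfg = make_sample_config()
    print("findings:", validate_oauth_config(cfg) or "none")
    print("register at IdP:", redirect_uri(cfg["sso"]["oauth"]["sp.base.url"]))
```

Run it against your own parsed configuration before restarting the service; a non-empty findings list points at the exact key to fix, and the printed redirect URL is the value to paste into the identity provider's registration.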