OAuth authentication
OAuth authentication (Open Authorization) is an open standard for access delegation that enables secure, token-based authorization with granular permissions, allowing third-party applications to access user resources without exposing credentials.
Activating OAuth
Warning: When you introduce changes to the processmining.conf file, make sure that you do it correctly. For more information, see Configuration file editing guidelines.
To enable OAuth, complete the following steps:
- Edit the `profiles` section in `<PM_HOME>/etc/processmining.conf`. Replace `sso_none` with `sso_oauth` as in the following example:
```
profiles: [
  "sso_oauth", # sso_none | sso_saml | sso_oauth
]
```
- Edit the `authentication` section to select `oauth` as in the following example:
```
<PM_HOME>/etc/processmining.conf:
authentication: {
  mode: "oauth", # ldap | basic | saml
}
```
Minimal configuration
- Fill in the `sso.oauth` section with the parameters of your identity provider, as in the following example:
```
oauth: {
  sp.base.url: "https://<PM HOST NAME>",
  idp: {
    clientId: "<IDP CLIENT ID>",
    clientSecret: "<IDP CLIENT SECRET>",
    authorizationUri: "https://<SSO HOST NAME>/oidc/endpoint/default/authorize",
    tokenUri: "https://<SSO HOST NAME>/oidc/endpoint/default/token",
    userInfoUri: "https://<SSO HOST NAME>/oidc/endpoint/default/userinfo",
    jwkSetUri: "https://<SSO HOST NAME>/oidc/endpoint/default/jwks",
    clientName: "<IDP CLIENT NAME>",
    #userNameAttributeName: "email",
  }
},
```
Note:
- All values inside the `idp` section come from the SSO (single sign-on) identity provider.
- If the SSO uses a non-default attribute to pass the user name to the application, you can customize it by uncommenting the `userNameAttributeName` field and setting the new attribute name as its value.
- With a Microsoft Entra ID SSO, the custom attribute cannot be fetched using the default flow. In this case, you must leave the `userInfoUri` parameter empty.
- Define the SSO redirect URL by copying the following URL into the identity provider:
https://app.<PM HOST NAME>/login/oauth2/code/pmoauthreg
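As an added example (not part of this documentation or of the product), a small Python pre-flight check for the sections above: it reads a constructed processmining.conf fragment, confirms that `profiles` contains `sso_oauth` and that `mode` is `oauth`, flags leftover `<...>` placeholders and non-https endpoints (an empty `userInfoUri` is tolerated for the Microsoft Entra ID case), and derives the redirect URL to register at the identity provider from `sp.base.url`. The host names, client values and the regex-based parsing are assumptions, not the product's own parser.

```python
import re
# Constructed sample of the processmining.conf sections above, with two deliberate mistakes (placeholder secret left in, http token endpoint); not a real deployment.
SAMPLE_CONF = '''
profiles: [
  "sso_oauth", # sso_none | sso_saml | sso_oauth
]
authentication: {
  mode: "oauth", # ldap | basic | saml
}
oauth: {
  sp.base.url: "https://pm.example.com",
  idp: {
    clientId: "pm-client",
    clientSecret: "<IDP CLIENT SECRET>",
    authorizationUri: "https://sso.example.com/oidc/endpoint/default/authorize",
    tokenUri: "http://sso.example.com/oidc/endpoint/default/token",
    userInfoUri: "https://sso.example.com/oidc/endpoint/default/userinfo",
    jwkSetUri: "https://sso.example.com/oidc/endpoint/default/jwks",
    clientName: "pm",
  }
},
'''
KEYS = ("sp.base.url", "clientId", "clientSecret", "authorizationUri", "tokenUri", "userInfoUri", "jwkSetUri", "clientName")

def _value(text, key):
    # Quoted value of `key: "..."`; the lookbehind stops a key matching as the tail of a longer one.
    m = re.search(r'(?<![\w.])' + re.escape(key) + r'\s*:\s*"([^"]*)"', text)
    return m.group(1) if m else None

def expected_redirect_url(sp_base_url):
    # Redirect URL to register at the IdP: the sp.base.url host with the "app." prefix shown on the page.
    host = re.sub(r"^https?://", "", sp_base_url).rstrip("/")
    return f"https://app.{host}/login/oauth2/code/pmoauthreg"

def check_oauth_config(conf_text):
    # Returns a list of findings; an empty list means the OAuth sections are consistent.
    text = re.sub(r"#.*", "", conf_text)  # drop comments, including commented-out keys
    findings = []
    m = re.search(r"profiles\s*:\s*\[([^\]]*)\]", text)
    if "sso_oauth" not in (re.findall(r'"([^"]*)"', m.group(1)) if m else []):
        findings.append("profiles does not contain sso_oauth")
    if _value(text, "mode") != "oauth":
        findings.append("authentication.mode is not oauth")
    for key in KEYS:
        val = _value(text, key)
        if val is None or (val.startswith("<") and val.endswith(">")):
            findings.append(f"{key} is missing or still a placeholder ({val})")
        elif val and key.endswith(("Uri", "url")) and not val.startswith("https://"):
            findings.append(f"{key} is not an https URL: {val}")  # "" is allowed (Entra ID case)
    return findings
```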