Configuration > OpenID Connect
SevOne Data Insight may be configured to use OpenID Connect as an authentication mechanism.
- Enable OpenID Connect
- The groupPrefix Property
- Configure OIDC using SevOne NMS as a provider
- OIDC with Multiple Datasources
- OIDC with non-standard Login Claims
Enable OpenID Connect
- Using a text editor of your choice, edit the /opt/SevOne/chartconfs/di_custom.yaml file, add the oidc section, and save the file.
If the /opt/SevOne/chartconfs/di_custom.yaml file does not exist, create it and add the following to it.
Add section 'oidc'
## OpenId Connect authentication support
oidc:
  enable: true
  enableRedirect: true
  authority: "https://auth.example.com/sso"
  clientId: "datainsight"
  clientSecret: "secret"
  responseType: "code"
  scope: "openid profile groups"
  groupPrefix: "tenant:"
Update the property values with those specific to your OpenID Connect (OIDC) authentication source.
| Property Name | Value Type | Example | Description |
|---|---|---|---|
| enable | boolean | true | Whether to enable OIDC. |
| enableRedirect | boolean | true | Whether to redirect when not authenticated (usually true). |
| authority | string (URL) | https://auth.example.com/sso | The server's authorization endpoint URL as defined by RFC 6749. For example, "https://<SevOne NMS appliance>/sso". |
| clientId | string | "datainsight" | The client identifier of the relying party at the provider. |
| clientSecret | string | "s2gR2wGwvnF4rikxnwxR" | The client secret of the relying party at the provider. |
| responseType | string | "id_token" | Type of response. Either "code" or "id_token". |
| scope | string | "openid profile groups" | Requested OAuth2 scopes. "groups" is only needed for multi-tenant deployments. |
| groupPrefix | string | "sevonetenant:" | A group claim value carrying this prefix determines the tenant. |
- Apply the change made to the /opt/SevOne/chartconfs/di_custom.yaml file.
$ sevone-cli playbook up --tags apps
The groupPrefix Property
The properties listed above are standard OpenID Connect configuration values, with the exception of groupPrefix. The groupPrefix property helps determine which tenant is used for login. If the provider returns a groups claim (as an array of strings) and groupPrefix is defined, the user is logged in using the first value in that claim that starts with the prefix, with the prefix removed.
Example
A groups claim of ["tenant:Test1", "example2"] logs the user in with the tenant Test1 if the groupPrefix property is set to tenant:.
Configure OIDC using SevOne NMS as a provider
- Ensure the SevOne NMS dex setup is working. Please refer to the SevOne SAML Single Sign-On Setup Guide for details.
- Create a new static client for SevOne Data Insight with a unique ID. This ID will be used as the clientId when configuring SevOne Data Insight.
- Ensure the redirectURIs for the SevOne Data Insight static client point to https://<IP address or hostname for SevOne Data Insight>/callback.
Example: Configuration
staticClients:
- id: sevonedatainsight
  redirectURIs:
  - 'https://10.10.10.10/callback'
  name: 'SevOne DI'
  secret: Uhy6g7CyTALSIrwsnEYNBF60ZM0eeHQkZCqIoXBrPOoiZjJANcNZb7CJGB8wGDrE1sGbM9pdIzSJ0OL0PfyNXeg9Uih7F9FNdTaVyxMw8evFtcq4L7z71IuBJ08V4rRH
  samlInitiated:
    redirectURI: https://10.10.10.10/callback
OIDC with Multiple Datasources
As with all SevOne Data Insight tenants that have multiple datasources, the username extracted from the OIDC provider must have a user present on every NMS Datasource that is part of the tenant.
OIDC with non-standard Login Claims
- If the Single Sign-On provider does not store the user's login under the name claim, use a text editor of your choice to edit /opt/SevOne/chartconfs/di_custom.yaml and set the environment variable OIDC_NAME_CLAIM. This lets SevOne Data Insight use another field in the JWT to determine the user's login name.
If the /opt/SevOne/chartconfs/di_custom.yaml file does not exist, create it and add the following to it.
Example: Configuration
graphql:
  env:
    OIDC_NAME_CLAIM: email
Save the /opt/SevOne/chartconfs/di_custom.yaml file.
- Apply the change made to the /opt/SevOne/chartconfs/di_custom.yaml file.
$ sevone-cli playbook up --tags apps
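The two claim-handling rules on this page, tenant selection via groupPrefix and login-name selection via OIDC_NAME_CLAIM, as an added illustration in Python; this is not SevOne code, and it assumes the ID token has already been signature-verified and decoded into a dict of claims. The empty-tenant check is an added safeguard beyond what the page states.

```python
from typing import Optional

# The page states the login is read from the "name" claim unless OIDC_NAME_CLAIM overrides it.
DEFAULT_NAME_CLAIM = "name"


def select_tenant(claims: dict, group_prefix: Optional[str]) -> Optional[str]:
    """Return the tenant taken from the first 'groups' entry that starts with group_prefix.

    Mirrors the documented rule: 'groups' must be an array of strings, the prefix must be
    configured, and the prefix is stripped from the matching value.
    """
    if not group_prefix:
        return None
    groups = claims.get("groups")
    if not isinstance(groups, list):          # claim absent or not an array: no tenant
        return None
    for group in groups:
        if isinstance(group, str) and group.startswith(group_prefix):
            tenant = group[len(group_prefix):]
            if tenant:                        # added check: skip a bare prefix like "tenant:"
                return tenant
    return None


def select_login(claims: dict, name_claim: str = DEFAULT_NAME_CLAIM) -> Optional[str]:
    """Return the login name from the configured claim (the OIDC_NAME_CLAIM setting)."""
    login = claims.get(name_claim)
    if isinstance(login, str) and login.strip():
        return login.strip()
    return None


def resolve_login(claims: dict, group_prefix: Optional[str] = None,
                  name_claim: str = DEFAULT_NAME_CLAIM) -> dict:
    """Combine both rules: a missing login is an error, a missing tenant is not."""
    login = select_login(claims, name_claim)
    if login is None:
        raise ValueError(f"ID token has no usable '{name_claim}' claim")
    return {"login": login, "tenant": select_tenant(claims, group_prefix)}


if __name__ == "__main__":
    # Constructed sample claims matching the page's groups example.
    sample = {"name": "alice", "email": "alice@example.com",
              "groups": ["tenant:Test1", "example2"]}
    print(resolve_login(sample, group_prefix="tenant:"))
    print(resolve_login(sample, group_prefix="tenant:", name_claim="email"))
```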