Configuration > OpenID Connect

SevOne Data Insight may be configured to use OpenID Connect as an authentication mechanism.

Enable OpenID Connect

  1. Using a text editor of your choice, edit /opt/SevOne/chartconfs/di_custom.yaml file, add section oidc, and save the file.

    If /opt/SevOne/chartconfs/di_custom.yaml file does not exist, please create one and add the following to it.

    Add section 'oidc'

    ## OpenId Connect authentication support
    oidc:
      enable: true
      enableRedirect: true
      authority: "https://auth.example.com/sso"
      clientId: "datainsight"
      clientSecret: "secret"
      responseType: "code"
      scope: "openid profile groups"
      groupPrefix: "tenant:"
    

    Update the property values with those specific to OpenID Connect (OIDC) authentication source.

    Property Name  | Value Type | Example                      | Description
    enable         | boolean    | true                         | Whether to enable OIDC.
    enableRedirect | boolean    | true                         | Whether to redirect when not authenticated (usually true).
    authority      | string URL | https://auth.example.com/sso | Server's authorization endpoint URL defined by RFC 6749. For example, "https://<SevOne NMS appliance>/sso".
    clientId       | string     | "datainsight"                | The client identifier of the relying party at the provider.
    clientSecret   | string     | "s2gR2wGwvnF4rikxnwxR"       | Client secret of the relying party at the provider.
    responseType   | string     | "id_token"                   | Type of response. Either "code" or "id_token".
    scope          | string     | "openid profile groups"      | Requested OAuth2 scopes. "groups" is only needed for multi-tenant setups.
    groupPrefix    | string     | "sevonetenant:"              | A group claim value carrying this prefix determines the tenant.
  2. Apply the change made to /opt/SevOne/chartconfs/di_custom.yaml file.

    $ sevone-cli playbook up --tags apps
    

The groupPrefix Property

The properties listed above are standard OpenID Connect configuration values, with the exception of groupPrefix. The groupPrefix property determines which tenant is used for login. If the provider returns a groups claim (as an array of strings) and groupPrefix is defined, the user is logged in to the tenant named by the first value in the claim that starts with this prefix (with the prefix removed).

Example
A groups claim of ["tenant:Test1", "example2"] will log in with the tenant Test1 if the groupPrefix property is set to tenant:.

The groups claim is provided by the Single Sign-On provider. For SevOne Data Insight to work with a Single Sign-On setup that has multiple tenants, the provider must supply a groups claim that indicates which tenant the user belongs to.

Configure OIDC using SevOne NMS as a provider

  1. Ensure the SevOne NMS dex setup is working. Please refer to SevOne SAML Single Sign-On Setup Guide for details.

  2. Create a new static client for SevOne Data Insight with a unique ID. This ID will be used as the clientId when configuring SevOne Data Insight.

  3. Ensure the redirectURIs for SevOne Data Insight static client point to https://<IP address or hostname for SevOne Data Insight>/callback.

    Example: Configuration

    staticClients:
    - id: sevonedatainsight
      redirectURIs:
      - 'https://10.10.10.10/callback'
      name: 'SevOne DI'
      secret: Uhy6g7CyTALSIrwsnEYNBF60ZM0eeHQkZCqIoXBrPOoiZjJANcNZb7CJGB8wGDrE1sGbM9pdIzSJ0OL0PfyNXeg9Uih7F9FNdTaVyxMw8evFtcq4L7z71IuBJ08V4rRH
      samlInitiated:
        redirectURI: https://10.10.10.10/callback
    

OIDC with Multiple Datasources

As with all SevOne Data Insight tenants that have multiple datasources, the username extracted from the OIDC provider must exist as a user on every NMS Datasource that is part of the tenant.

OIDC with non-standard Login Claims

  1. If the Single Sign-On provider does not store the user's login under the name claim, use a text editor of your choice to edit /opt/SevOne/chartconfs/di_custom.yaml and set the environment variable OIDC_NAME_CLAIM. This lets SevOne Data Insight use another field in the JWT to determine the user's login name.

    If /opt/SevOne/chartconfs/di_custom.yaml file does not exist, please create one and add the following to it.

    Example: Configuration

    graphql:
      env:
        OIDC_NAME_CLAIM: email
    

    Save /opt/SevOne/chartconfs/di_custom.yaml file.

  2. Apply the change made to /opt/SevOne/chartconfs/di_custom.yaml file.

    $ sevone-cli playbook up --tags apps
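The following is an added illustration, not SevOne's own code, of how the groupPrefix rule (first groups value carrying the prefix, prefix stripped) and the OIDC_NAME_CLAIM override combine when resolving a decoded ID token into a login name and a tenant. The function name, the sample claims and the handling of a malformed groups claim (ignored rather than failing) are assumptions made for the example.

```python
# Added example: resolve (login, tenant) from decoded ID-token claims
# according to the groupPrefix and OIDC_NAME_CLAIM rules described above.
# Not SevOne's implementation; names and sample data are constructed.
from typing import Any, Dict, Optional, Tuple


def resolve_login_and_tenant(
    claims: Dict[str, Any],
    group_prefix: Optional[str] = None,
    name_claim: str = "name",
) -> Tuple[Optional[str], Optional[str]]:
    """Return (login, tenant) for a decoded ID token payload.

    login  : value of the claim named by name_claim (OIDC_NAME_CLAIM,
             default "name"); None if absent or not a non-empty string.
    tenant : first entry of the "groups" claim that starts with
             group_prefix, with the prefix removed; None when no prefix
             is configured, the claim is missing/malformed, or no entry
             matches. An entry that is only the prefix is skipped
             (assumption: an empty tenant name is not usable).
    """
    login = claims.get(name_claim)
    if not isinstance(login, str) or not login:
        login = None

    tenant = None
    groups = claims.get("groups")
    # The claim is specified as an array of strings; anything else is ignored.
    if group_prefix and isinstance(groups, list):
        for group in groups:
            if not isinstance(group, str) or not group.startswith(group_prefix):
                continue
            candidate = group[len(group_prefix):]
            if candidate:
                tenant = candidate
                break
    return login, tenant


# Constructed sample payload, shaped like a decoded ID token.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "1234",
    "name": "jdoe",
    "email": "jdoe@example.com",
    "groups": ["example2", "tenant:", "tenant:Test1", "tenant:Test2"],
}
```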