OpenID Connect

SevOne Data Insight may be configured to use OpenID Connect as an authentication mechanism.

Enable OpenID Connect

  1. Using a text editor of your choice, edit /opt/SevOne/chartconfs/di_custom.yaml file, add section oidc, and save the file.
    Important: If /opt/SevOne/chartconfs/di_custom.yaml file does not exist, please create one and add the following to it.

    Add section 'oidc'

    ## OpenId Connect authentication support
    oidc:
      enable: true
      enableRedirect: true
      authority: "https://auth.example.com/sso"
      clientId: "datainsight"
      clientSecret: "secret"
    
    Important: Update the property values with those specific to your OpenID Connect (OIDC) authentication source.

    Properties (name; value type; example; default):

    enable (boolean; example: true; default: false)
      Whether to enable OIDC.
    enableRedirect (boolean; example: true; default: false)
      Whether to redirect when not authenticated (usually true).
    enableSignout (boolean; example: true; default: false)
      Redirect the user to the OIDC provider's end_session_endpoint when signing out of Data Insight.
    authority (string, URL; example: https://auth.example.com/sso; required)
      OIDC discovery URL defined by RFC 8414. For example, "https://<SevOne NMS appliance>/sso".
    clientId (string; example: "datainsight"; required)
      The client identifier of the relying party at the provider.
    clientSecret (string; example: "s2gR2wGwvnF4rikxnwxR")
      Client secret of the relying party at the provider. Optional if responseType is "id_token".
    responseType (enumeration; example: "code"; default: "code")
      Type of response. Either "code" for the Authorization Code flow or "id_token" for the Implicit flow defined in RFC 6749.
    scope (string; example: "openid profile groups"; default: "openid profile groups")
      Requested OAuth2 scopes. "groups" is only needed for multi-tenant setups.
    groupPrefix (string; example: "sevonetenant:"; optional with a single tenant)
      A group claim prefixed with this value determines the tenant.
    encryption (enumeration; example: "A256GCM"; optional)
      ID Token Encryption Content Encryption Algorithm. Should match the algorithm used by the OIDC provider to encrypt id_token. Options are:
      • A128CBC-HS256
      • A192CBC-HS384
      • A256CBC-HS512
      • A128GCM
      • A192GCM
      • A256GCM
  2. Apply the change made to /opt/SevOne/chartconfs/di_custom.yaml file.
    $ sevone-cli playbook up --tags apps

The groupPrefix Property

The properties listed above are standard OpenID Connect configuration values, with the exception of groupPrefix, which helps determine the tenant used for login. If the provider supplies a groups claim (an array of strings) and groupPrefix is defined, the user is logged in to the tenant named by the first claim value that has this prefix, with the prefix removed.

Example
A groups claim of ["tenant:Test1", "example2"] logs the user in to the tenant Test1 if the groupPrefix property is set to tenant:.

Important: The groups claim is provided by the Single Sign-On provider. For SevOne Data Insight to work with a Single Sign-On setup that has multiple tenants, there must be a groups claim that indicates which tenant the user belongs to.

Configure OIDC using SevOne NMS as a provider

  1. Ensure the SevOne NMS dex setup is working. Please refer to SevOne SAML Single Sign-On Setup Guide for details.
  2. Create a new static client for SevOne Data Insight with a unique ID. This ID will be used as the clientId when configuring SevOne Data Insight.
  3. Ensure the redirectURIs for SevOne Data Insight static client point to https://<IP address or hostname for SevOne Data Insight>/callback.

    Example: Configuration

    staticClients:
    - id: sevonedatainsight
      redirectURIs:
      - 'https://10.10.10.10/callback'
      name: 'SevOne DI'
      secret: Uhy6g7CyTALSIrwsnEYNBF60ZM0eeHQkZCqIoXBrPOoiZjJANcNZb7CJGB8wGDrE1sGbM9pdIzSJ0OL0PfyNXeg9Uih7F9FNdTaVyxMw8evFtcq4L7z71IuBJ08V4rRH
      samlInitiated:
        redirectURI: https://10.10.10.10/callback

OIDC with Multiple Datasources

As with all SevOne Data Insight tenants that have multiple datasources, the username extracted from the OIDC provider must have a user present on every NMS Datasource that is part of the tenant.

OIDC with non-standard Login Claims

  1. If the Single Sign-On provider does not store the user's login under the name claim, use a text editor of your choice to edit /opt/SevOne/chartconfs/di_custom.yaml and set the environment variable OIDC_NAME_CLAIM, which lets SevOne Data Insight use another field in the JWT to determine the user's login name.
    Important: If /opt/SevOne/chartconfs/di_custom.yaml file does not exist, please create one and add the following to it.

    Example: Configuration

    graphql:
      env:
        OIDC_NAME_CLAIM: email

    Save /opt/SevOne/chartconfs/di_custom.yaml file.

  2. Apply the change made to /opt/SevOne/chartconfs/di_custom.yaml file.
    $ sevone-cli playbook up --tags apps
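The login resolution described under The groupPrefix Property and in the OIDC_NAME_CLAIM step above, as an added example: this is not SevOne code, the function name resolve_login is hypothetical, and the claims dictionary is constructed. It applies the page's rules (login from the configured name claim; tenant from the first groups entry carrying the prefix, prefix stripped) and rejects claims that cannot yield a usable login.

```python
# Added example (not SevOne code): derive the login name and tenant from decoded
# ID token claims, following the OIDC_NAME_CLAIM and groupPrefix rules on this page.
from typing import Optional, Tuple


class LoginError(ValueError):
    """Raised when the claims do not yield a usable login."""


def resolve_login(claims: dict, name_claim: str = "name",
                  group_prefix: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (login_name, tenant) from decoded ID token claims.

    name_claim   -- claim holding the user's login (OIDC_NAME_CLAIM, default "name")
    group_prefix -- oidc.groupPrefix; None means single tenant, no tenant is derived
    """
    login = claims.get(name_claim)
    if not isinstance(login, str) or not login.strip():
        raise LoginError(f"claim {name_claim!r} missing or not a non-empty string")
    if group_prefix is None:
        return login, None
    groups = claims.get("groups")
    if not isinstance(groups, list):
        raise LoginError("multi-tenant login requires a 'groups' claim (array of strings)")
    for group in groups:
        # First matching entry wins; strip the prefix to obtain the tenant name.
        # An entry that is only the bare prefix is skipped (example's choice:
        # an empty tenant name is never usable).
        if isinstance(group, str) and group.startswith(group_prefix) \
                and len(group) > len(group_prefix):
            return login, group[len(group_prefix):]
    raise LoginError(f"no 'groups' entry starts with prefix {group_prefix!r}")


# Constructed sample claims, modelled on the page's example groups claim.
SAMPLE_CLAIMS = {
    "sub": "1234",
    "name": "alice",
    "email": "alice@example.com",
    "groups": ["example2", "tenant:", "tenant:Test1", "tenant:Test2"],
}

if __name__ == "__main__":
    print(resolve_login(SAMPLE_CLAIMS, group_prefix="tenant:"))   # ('alice', 'Test1')
    print(resolve_login(SAMPLE_CLAIMS, name_claim="email"))       # ('alice@example.com', None)
```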

ID Token Encryption

  1. If id_token is to be encrypted when retrieved by SevOne Data Insight, the OIDC provider must be configured with SevOne Data Insight's encryption public key, which can be retrieved from /api/v1/oidc/.well-known/jwks.json. The JSON Web Key Set contains two JSON Web Keys; the one with "use": "enc" is the one to use for encryption.
  2. The OIDC provider client must agree with SevOne Data Insight's configuration for the ID Token Encryption Key Management Algorithm and the ID Token Encryption Content Encryption Algorithm.
    1. The ID Token Encryption Key Management Algorithm is RSA-OAEP by default.
    2. The ID Token Encryption Content Encryption Algorithm must be set by the administrator in the oidc.encryption property (as defined in Enable OpenID Connect above); setting it is what informs SevOne Data Insight that ID Token Encryption is configured.
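An added example (not SevOne code) of the checks an administrator can run before handing the key to the provider: it picks the single "use": "enc" key out of a JWKS document shaped like the one served at /api/v1/oidc/.well-known/jwks.json, confirms it is an RSA key usable with RSA-OAEP, and validates an oidc.encryption value against the algorithms listed above. The function names and the JWKS (with placeholder key material) are constructed for this example.

```python
# Added example (not SevOne code): select the encryption key from a JWKS and
# validate the content-encryption setting against the options this page lists.
import json
from typing import Optional

CONTENT_ENCRYPTION_ALGS = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
                           "A128GCM", "A192GCM", "A256GCM"}
KEY_MANAGEMENT_ALG = "RSA-OAEP"  # default named on this page


def select_encryption_key(jwks_json: str) -> dict:
    """Return the one JWK with "use": "enc" from a JWKS document.

    Raises ValueError if the set is malformed, has no enc key, has several
    (ambiguous: a provider could silently pick the wrong one), is not RSA, or
    advertises a key-management alg other than RSA-OAEP.
    """
    doc = json.loads(jwks_json)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("JWKS has no 'keys' array")
    enc_keys = [k for k in keys if isinstance(k, dict) and k.get("use") == "enc"]
    if len(enc_keys) != 1:
        raise ValueError(f"expected exactly one key with use=enc, found {len(enc_keys)}")
    key = enc_keys[0]
    if key.get("kty") != "RSA":
        raise ValueError("RSA-OAEP key management requires an RSA key")
    if key.get("alg") not in (None, KEY_MANAGEMENT_ALG):
        raise ValueError(f"unexpected key management alg {key.get('alg')!r}")
    return key


def check_encryption_setting(value: Optional[str]) -> bool:
    """True when oidc.encryption is unset (encryption not configured) or a listed algorithm."""
    return value is None or value in CONTENT_ENCRYPTION_ALGS


# Constructed JWKS with two keys, as the page describes; key material is a placeholder.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "sig-1", "alg": "RS256",
     "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-1", "alg": "RSA-OAEP",
     "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
]})

if __name__ == "__main__":
    print(select_encryption_key(SAMPLE_JWKS)["kid"])   # enc-1
    print(check_encryption_setting("A256GCM"))         # True
```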