OpenID Connect
SevOne Data Insight may be configured to use OpenID Connect as an authentication mechanism.
Enable OpenID Connect
- Using a text editor of your choice, edit the config file based on the SevOne Data Insight version as shown in the table in section find config file, add section oidc, and save the file.
Important: If the config file does not exist, please create one and add the following to it.
For SDI 6.8.x and below, add section 'oidc'
## OpenId Connect authentication support
oidc:
  enable: true
  enableRedirect: true
  authority: "https://auth.example.com/sso"
  clientId: "datainsight"
  clientSecret: "secret"

For SDI 7.0.x and above, add section 'oidc'
oidc = {
  enable = true
  enable_redirect = true
  authority = "https://auth.example.com/sso"
  client_id = "datainsight"
  client_secret = "secret"
  response_type = "code"
  scope = "openid profile groups"
  group_prefix = "tenant:"
}

Important: Update the property values with those specific to the OpenID Connect (OIDC) authentication source.

Property Name    Value Type   Example                        Description
enable           boolean      true                           Whether to enable OIDC.
enableRedirect   boolean      true                           Whether to redirect when not authenticated (usually true).
authority        string URL   https://auth.example.com/sso   Server's authorization endpoint URL defined by RFC 6749. For example, "https://<SevOne NMS appliance>/sso".
clientId         string       "datainsight"                  The client identifier of the relying party at the provider.
clientSecret     string       "s2gR2wGwvnF4rikxnwxR"         Client secret of the relying party at the provider.
responseType     string       "id_token"                     Type of response. Either "code" or "id_token".
scope            string       "openid profile groups"        Requested OAuth2 scopes. "groups" is only for multi-tenant.
groupPrefix      string       "sevonetenant:"                A group claim prefixed with this determines the tenant.

- Apply the change made to the config file.
$ sevone-cli playbook up --tags apps
The groupPrefix Property
The properties listed above are standard OpenID Connect configuration values, with the exception of groupPrefix. The groupPrefix property is used to help determine which tenant is used for login. If the provider provides a groups claim (as an array of strings), and the groupPrefix is defined, then the user will be logged in using the first value in the claim that has this prefix (with the prefix removed).
Example
A groups claim of ["tenant:Test1", "example2"] will log in with the tenant Test1, if the groupPrefix property is set to tenant:.
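The tenant-selection rule described above, written out as an added Python example (not SevOne's own code) so the edge cases are explicit: a missing or non-array groups claim, no groupPrefix configured, and no group carrying the prefix all yield no tenant; a group consisting of the prefix alone is skipped rather than producing an empty tenant name, which is an added guard and not a rule stated on the page. The function names and the sample claims are assumptions made for this example.

```python
from typing import Any, Optional


def select_tenant(groups: Any, group_prefix: Optional[str]) -> Optional[str]:
    """Return the tenant implied by a `groups` claim, or None.

    Rule from the page: when group_prefix is defined and groups is an array
    of strings, the tenant is the first entry that starts with the prefix,
    with the prefix removed. Every other case carries no tenant information.
    """
    if not group_prefix:
        # No prefix configured: the groups claim is not consulted for tenancy.
        return None
    if not isinstance(groups, (list, tuple)):
        # Claim absent, or not an array as the page requires.
        return None
    for group in groups:
        if isinstance(group, str) and group.startswith(group_prefix):
            tenant = group[len(group_prefix):]
            if tenant:
                # First matching entry wins; later matches are ignored.
                return tenant
            # Added guard: a bare prefix would give an empty tenant name, skip it.
    return None


def tenant_from_claims(claims: dict, group_prefix: Optional[str]) -> Optional[str]:
    """Pull the `groups` claim out of decoded ID-token claims and apply the rule."""
    return select_tenant(claims.get("groups"), group_prefix)


if __name__ == "__main__":
    # Constructed claims matching the page's example: logs in as tenant Test1.
    demo_claims = {"sub": "alice", "groups": ["tenant:Test1", "example2"]}
    print(tenant_from_claims(demo_claims, "tenant:"))  # Test1
    # Constructed claims with no prefixed group: no tenant is derived.
    print(tenant_from_claims({"sub": "bob", "groups": ["example2"]}, "tenant:"))  # None
```

Only the first prefixed group is used, so when a provider returns several tenant groups for one user, the ordering of the claim array decides which tenant the login lands in.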
Configure OIDC using SevOne NMS as a provider
- Ensure the SevOne NMS dex setup is working. Please refer to SevOne SAML Single Sign-On Setup Guide for details.
- Create a new static client for SevOne Data Insight with a unique ID. This ID will be used as the clientId when configuring SevOne Data Insight.
- Ensure the redirectURIs for SevOne Data Insight static client point to https://<IP address or hostname for SevOne Data Insight>/callback.
Example: Configuration
staticClients:
  - id: sevonedatainsight
    redirectURIs:
      - 'https://10.10.10.10/callback'
    name: 'SevOne DI'
    secret: Uhy6g7CyTALSIrwsnEYNBF60ZM0eeHQkZCqIoXBrPOoiZjJANcNZb7CJGB8wGDrE1sGbM9pdIzSJ0OL0PfyNXeg9Uih7F9FNdTaVyxMw8evFtcq4L7z71IuBJ08V4rRH
    samlInitiated:
      redirectURI: https://10.10.10.10/callback
OIDC with Multiple Datasources
As with all SevOne Data Insight tenants that have multiple datasources, the username extracted from the OIDC provider must have a user present on every NMS Datasource that is part of the tenant.
OIDC with non-standard Login Claims
- If the Single Sign-On provider does not store the user's login under the name claim, use a text editor of your choice to edit the config file based on the SevOne Data Insight version as shown in the table in section find config file and set the environment variable OIDC_NAME_CLAIM, which allows SevOne Data Insight to use another field in the JWT to determine the user's login name.
Important: If the config file does not exist, please create one and add the following to it.
For SDI 6.8.x and below, Example: Configuration

graphql:
  env:
    OIDC_NAME_CLAIM: email

For SDI 7.0.x and above, Example: Configuration

graphql = {
  env = {
    "OIDC_NAME_CLAIM" = "email"
  }
}

Save the config file.
- Apply the change made to the config file.
$ sevone-cli playbook up --tags apps
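To make the effect of OIDC_NAME_CLAIM concrete, here is an added Python example (not SevOne's code) that reads the claim name from the environment with `name` as the default, decodes the claims segment of a constructed ID token, and resolves the login from the configured claim. The payload decoder is only there to show where the claim is read from; it deliberately performs no signature check, and a real relying party must let its OIDC library validate the token (signature, issuer, audience, expiry) before any claim is trusted. The function names, the default claim name `name`, and the sample token contents are assumptions made for this example.

```python
import base64
import json
import os
from typing import Mapping, Optional

# Assumed default when OIDC_NAME_CLAIM is unset; the page says the login is
# normally taken from the `name` claim.
DEFAULT_NAME_CLAIM = "name"


def configured_name_claim(env: Optional[Mapping[str, str]] = None) -> str:
    """Claim to read the login from: OIDC_NAME_CLAIM, falling back to `name`."""
    env = os.environ if env is None else env
    value = env.get("OIDC_NAME_CLAIM", "").strip()
    return value or DEFAULT_NAME_CLAIM


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_demo_token(claims: dict) -> str:
    """Assemble a compact JWT with a placeholder signature, for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT (base64url without padding).

    Not a verification step: signature, issuer, audience and expiry must be
    checked by the OIDC client library before these claims are acted on.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_login(claims: dict, name_claim: str) -> Optional[str]:
    """Return the login name held in `name_claim`, or None if it is absent/empty."""
    value = claims.get(name_claim)
    if not isinstance(value, str) or not value.strip():
        return None
    return value.strip()


if __name__ == "__main__":
    # Constructed token whose claims carry an email but no `name`.
    token = build_demo_token({"sub": "1234", "email": "alice@example.com"})
    claims = decode_jwt_payload(token)
    # Default configuration finds no login; OIDC_NAME_CLAIM=email resolves it.
    print(resolve_login(claims, configured_name_claim({})))                        # None
    print(resolve_login(claims, configured_name_claim({"OIDC_NAME_CLAIM": "email"})))  # alice@example.com
```

When the configured claim is missing from the token the login should fail closed, as `resolve_login` does by returning None, rather than falling back to another claim, since a silent fallback could map the user to an unintended NMS account.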