|
| 1 | +# SSO setup in OS2display |
| 2 | + |
| 3 | +This documentation will guide you through the setup of Single Sign-On (hereinafter SSO) in OS2display. |
| 4 | + |
| 5 | +OS2display supports SSO via OpenID Connect, which both Azure and OS2faktor can use. You will find guides for setup in both Azure and OS2faktor further down in this documentation. |
| 6 | + |
| 7 | +This guide consists of these topics |
| 8 | +* [Setup in OS2display](sso_setup.md#setup_in_os2display) |
| 9 | +* [Setup in Azure](sso_setup.md#setup_in_azure) |
| 10 | +* [Setup in OS2faktor](sso_setup.md#setup_in_os2faktor) |
| 11 | + |
| 12 | +<a name="setup_in_os2display"></a> |
| 13 | +## Setup in OS2display |
| 14 | + |
| 15 | +In the file "**.env.local**", which is located in the "**/var/www/DOMAIN-TO-OS2DISPLAY/public/**" folder, the following variables must be filled in with values that you get from either Azure or OS2faktor \- depending on which of these solutions you choose to use to create SSO. |
| 16 | + |
| 17 | +* **INTERNAL\_OIDC\_METADATA\_URL** |
| 18 | + This is filled in with the link to metadata. |
| 19 | +* **INTERNAL\_OIDC\_CLIENT\_ID** |
| 20 | + This is filled in with the client id. |
| 21 | +* **INTERNAL\_OIDC\_CLIENT\_SECRET** |
| 22 | + This is filled in with the client secret. |
| 23 | +* **INTERNAL\_OIDC\_REDIRECT\_URI** |
| 24 | + This is filled in with the link to the OS2display solution (incl. "/admin"). Example: https://display.bellcom.dk/admin |
| 25 | +* **INTERNAL\_OIDC\_LEEWAY** |
| 26 | + This is filled in with the number of minutes that a successful login lasts. Default is 30. |
| 27 | +* **INTERNAL\_OIDC\_CLAIM\_NAME** |
| 28 | + This is filled with the name of the claim where the user's name appears. Note, this must be a string - not an array! |
| 29 | +* **INTERNAL\_OIDC\_CLAIM\_EMAIL** |
| 30 | + This is filled with the name of the claim where the user's email address appears. Note, this must be a string - not an array! |
| 31 | +* **INTERNAL\_OIDC\_CLAIM\_GROUPS** |
| 32 | + This is filled with the name of the claim where the user's rights appear. Note, this must be an array - not a string! |
| 33 | + |
| 34 | +### Rights/Roles in OS2display |
| 35 | +The value(s) (there can be more than one) in INTERNAL\_OIDC\_CLAIM\_GROUPS must end with either "Admin" or "Redaktoer", as this value is used to determine whether the user should be granted administrator rights (Admin) or editor rights (Redaktoer). |
| 36 | + |
| 37 | +So if a user should have access to e.g. the department (or tenant, as it is called in OS2display) called "Library", then INTERNAL\_OIDC\_CLAIM\_GROUPS must have a value that is either "LibraryAdmin" or "LibraryRedaktoer" - depending on which role the user should have. |
| 38 | + |
| 39 | +If a user needs access to multiple departments/tenants, the different departments/tenants and roles are provided, just in the same array. It’s possible to be an administrator in one department/tenant and an editor in another. |
| 40 | + |
| 41 | +If a tenant has not been created and a user who has this tenant logs in, it will be created at the first login. |
| 42 | + |
| 43 | +It may happen that when you log in and return to OS2display, you are greeted by a completely white screen instead of the option to choose between departments/tenants. We have not been able to provoke this error with a specific action. We have only seen this if a correction has been made to a user (e.g. if a new right is assigned or removed - but not every time one of the parts is done). This can be resolved by pressing CTRL \+ F5. |
| 44 | + |
| 45 | +<a name="setup_in_azure"></a> |
| 46 | +## Setup in Azure |
| 47 | + |
| 48 | +This guide describes how to set up the OS2display service provider in Azure. The guide is aimed at IT administrators who need to ensure the correct configuration of the integration between OS2display and Azure. |
| 49 | + |
| 50 | +### Configuring new App Registration |
| 51 | + |
| 52 | +1. Log in to Entra ID, go to **App Registrations** and press **New registration**. [Direct link](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM) |
| 53 | +  |
| 54 | +2. Fill out the form as in the image and register the application. |
| 55 | +  |
| 56 | +3. You will be automatically redirected to the settings for the new App Registration. |
| 57 | + Under **Authentication**, specify which URIs are allowed to exchange information with and issue tokens to. Click **Add a platform**, select **Web** and add URIs for test and production environments. |
| 58 | + Typically, this will be https://os2display.\[domainname\]/admin and https://test-os2display.\[domainname\]/admin. |
| 59 | +  |
| 60 | + For testing and debugging, [https://openidconnect.net/callback](https://openidconnect.net/callback) can also be added. This allows you to test SSO with the tool at [https://openidconnect.net/](https://openidconnect.net/). |
| 61 | +  |
| 62 | +4. Under **API permissions**, the following permissions are granted. Tap on **Microsoft Graph** to grant permissions. Remember to **Grant admin consent** afterwards. |
| 63 | +  |
| 64 | +5. Under **Token Configuration**, select which user information is sent in the token. |
| 65 | +  |
| 66 | +6. Under **App roles**, add the roles that users should be able to be assigned. See the section "Rights/Roles in OS2display" further up for an explanation of how the values should be. |
| 67 | + In the example below, there are three areas with two permission levels, called roles, for each area. The value in **Value** must be as agreed. **Display Name** and **Description** can be filled in optionally. |
| 68 | +  |
| 69 | +7. Under **Certificates & secrets**, create a **Client secret** with an expiration of 2 years. Remember to write down its **Value**, as it will not appear again. |
| 70 | +  |
| 71 | +8. Now the different values must be found and inserted into OS2display. See the section "Setup in OS2display" further up to see where to find the file. |
| 72 | +  |
| 73 | + * Under **Overview**, find **Application (client) ID** and insert this value into "INTERNAL\_OIDC\_CLIENT\_ID". |
| 74 | + * Click on **Endpoints**, and there you will find the value from the **OpenID Connect metadata document** and insert this value into "INTERNAL\_OIDC\_METADATA\_URL". |
| 75 | + * The **Value** you noted down in step 7 should be inserted into "INTERNAL\_OIDC\_CLIENT\_SECRET". |
| 76 | + |
| 77 | +### Assigning rights |
| 78 | +The OS2display application consists of two parts: App Registration and Enterprise Application. The previous points have all been in **App Registration**. Assigning rights to users/security groups takes place from the associated **Enterprise Application**. |
| 79 | + |
| 80 | +If you are still in the **Overview** image from point 8 in the previous part of the guide, you can click on the OS2display link next to **Managed application in local directory**, and you will be taken to the **Enterprise Application**. |
| 81 | + |
| 82 | +Alternatively, you can search for the OS2display Enterprise Application from [this link](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview). |
| 83 | + |
| 84 | +Under **Users and groups**, rights to OS2display, which are here called roles, can be assigned and removed. The role can be assigned directly to the user or to a security group. |
| 85 | + |
| 86 | +If a user is to have rights to multiple areas in OS2display, the user must be assigned a corresponding role multiple times and will subsequently appear in the list multiple times. |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | +<a name="setup_in_os2faktor"></a> |
| 91 | +## Setup in OS2faktor |
| 92 | + |
| 93 | +This guide describes how to set up the service provider OS2display in OS2faktor. The guide is aimed at IT administrators who must ensure correct configuration of the integration between OS2display and OS2faktor. |
| 94 | + |
| 95 | +Before starting the setup, the following prerequisites must be met: |
| 96 | + |
| 97 | +* Administrator access to OS2faktor |
| 98 | +* Administrator access to OS2rollekatalog |
| 99 | + |
| 100 | +### Setup |
| 101 | + |
| 102 | +1. **Create service provider in OS2faktor** |
| 103 | + * Log in to the OS2faktor administration panel. |
| 104 | + * Navigate to **Tjenesteudbydere**. |
| 105 | + * Click **Opret ny tjenesteudbyder**. |
| 106 | + * Enter information: |
| 107 | + * **Navn**: \<municipality name\>-OS2display |
| 108 | + * **Angiv subjekt**: upn |
| 109 | + * **Klienttype**: Confidential client |
| 110 | + * **Redirect URI**: Enter the address that OS2display uses for authentication. Typically, this will be https://os2display.\[domainname\]/admin and https://test-os2display.\[domainname\]/admin |
| 111 | + * Click **Save**, and note the *Client ID* and *Client Secret* (will be used later). |
| 112 | +2. **Find and note metadata link** |
| 113 | + * Navigate to **Tjenesteudbydere** in OS2faktor, and find metadata information (URL to OpenID Connect metadata). |
| 114 | + * Note the link (will be used later). |
| 115 | +3. **Claims setup** |
| 116 | + * Go to **Claims-konfiguration for OS2display**. |
| 117 | + * Create the following Claims: |
| 118 | + * **email**: Set up personal claim type, select attribute email, and check send only one value. Enter the claim name email. |
| 119 | + * **name**: Set up personal claim type, select attribute name, and check send only one value. Enter the claim name name. |
| 120 | + * **roles**: Set up OS2rolecatalog claim type, select operation all assigned system roles, and specify OS2display as argument (note this argument as it is used in the role catalog). Enter the claim name roles. |
| 121 | + * Click **Save** and verify the setup. |
| 122 | +4. **Security groups setup in Rollekataloget** |
| 123 | + * Go to **Rollekataloget**. |
| 124 | + * Create *SAML integration*. |
| 125 | + * Name the IT system (e.g. OS2display). |
| 126 | + * Enter contact email. |
| 127 | + * Enter the argument you entered in your claim for *roles* in OS2faktor, e.g. OS2display as system ID. |
| 128 | + * Add SAML roles, and enter a unique technical ID per SAML role. |
| 129 | +5. **Insert the values in OS2dislay** |
| 130 | + As written under "Setup in OS2display" further up, the values must be inserted into OS2display. |
| 131 | + * The link to metadata must be inserted at "INTERNAL\_OIDC\_METADATA\_URL". |
| 132 | + * Client ID must be inserted at "INTERNAL\_OIDC\_CLIENT\_ID". |
| 133 | + * Client Secret must be inserted at "INTERNAL\_OIDC\_CLIENT\_SECRET". |
| 134 | + * The names of the claims created under point 3 must be inserted at "INTERNAL\_OIDC\_CLAIM\_NAME", "INTERNAL\_OIDC\_CLAIM\_EMAIL" and "INTERNAL\_OIDC\_CLAIM\_GROUPS". |
| 135 | +6. **Testing and Validation** |
| 136 | + After setup, the integration should be tested: |
| 137 | + * Log in to OS2display via OS2faktor and confirm that users can authenticate. |
| 138 | + * Check the event log in OS2faktor to see the login token (should match expected claims). |
| 139 | +  |
| 140 | + * Check that correct user information is transferred (claims). |
| 141 | + * Confirm access control via security groups. |
| 142 | +7. **Troubleshooting** |
| 143 | + If the integration does not work as expected, the following should be checked: |
| 144 | + * Is the metadata link correctly sent to the supplier? |
| 145 | + * Are the *Client ID* and *Client Secret* correctly configured? |
| 146 | + * Are the claims correctly set up in OS2faktor? |
| 147 | + * Are the users correctly assigned to the relevant security Groups? |
| 148 | + |
| 149 | +The setup of OS2display in OS2faktor is now complete. It is recommended to document the configuration internally and ensure that any adjustments are made during system updates. |
0 commit comments