In order for single sign-on (or SSO for short) to work seamlessly, identity providers need to integrate with the platform. IAM offers built-in options for connecting with external identity providers (IdPs) over OpenID Connect (OIDC) protocol.
Note: Labforward IAM is based on Keycloak and can support more options, incl. other SSO protocols. This documentation only includes tested and, therefore, officially supported options. Contact us if you would like to use another IP or protocol for identity federation.
Using an external IdP, Labforward users can use their accounts with IdP without configuring a new password for their accounts. Also, with a single account, the users can access Laboperator, Workflow Editor, Labfolder, and Labregister.
Before getting to the configuration on Labforward products, it is necessary to have the SSO configured on the Identity Provider side, such as Google, Microsoft, etc.
TABLE OF CONTENTS
- External Identity Provider Configuration
- Add an Identity Provider
- Set up Google
- Set up Microsoft
- Manage & Store IdP Tokens
- Conclusion
External Identity Provider Configuration
For external identity provider configuration, following their most updated tutorial is the preferred option.
| Provider | Tutorial |
|---|---|
| Set up SSO for your organization - Google Workspace Admin Help | |
| Microsoft | How and why apps are added to Azure AD - Microsoft Entra |
| App configuration reference: Understanding the Azure Active Directory app manifest - Microsoft Entra | |
| OpenID Connect protocol: OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft Entra |
Add an Identity Provider
Check /admin/master/console/#/realms/labforward/identity-provider-settings to see and edit the IdP settings. You can add IdPs from the top-right menu and edit the existing IdPs by clicking on them.
Set up Google
The presets are being used for the Google IdP, so Google needs to be added via
- Add Provider → Google
The configuration is as follows.
| Config | Value |
|---|---|
| Client ID | Client ID taken from Google client |
| Client Secret | Client Secret generated by Google client |
| Default Scopes | openid profile email |
| Enabled | ON |
| Trust Email | ON |
| First Login Flow | iam-first-broker-login |
| Sync Mode | import |
Set up Google IdP Mappers
The mappers for Google can be added via the Mappers tab. 3 mappers need to be defined.
The Mappers are as follows.
| Name | Sync Mode Override | Mapper Type | Social Profile JSON Field Path / User Session Attribute | User Attribute Name / User Session Attribute Value |
|---|---|---|---|---|
| hd | inherit | Attribute Importer | hd | organization |
| is_idp_user | inherit | Hardcoded User Session Attribute | idp_user | true |
| is_idp_reauth_supported | inherit | Hardcoded User Session Attribute | is_idp_reauth_supported | false |
Set up Microsoft
The presets are not used for the Microsoft IdP, due to the customizations made for re-authentication, Microsoft needs to be added via
- Add Provider → Extended OpenID Connect v1.0
| Config | Value |
|---|---|
| Display Name | Microsoft |
| Enabled | ON |
| Trust Email | ON |
| First Login Flow | iam-first-broker-login |
| Sync Mode | import |
| Authorization URL | https://login.microsoftonline.com/common/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/common/oauth2/v2.0/token |
| Disable User Info | ON |
| User Info URL | https://graph.microsoft.com/oidc/userinfo |
| Client ID | Client ID taken from Microsoft client |
| Client Secret | Client Secret generated by Microsoft client |
| Default Scopes | openid profile email |
| Prompt | unspecified |
| Validate Signatures | ON |
| Use JWKS URL | ON |
| JWKS URL | https://login.microsoftonline.com/common/discovery/v2.0/keys |
Set up Microsoft IdP Mappers
| Name | Sync Mode Override | Mapper Type | Social Profile JSON Field Path / User Session Attribute | User Attribute Name / User Session Attribute Value |
|---|---|---|---|---|
| is_idp_user | inherit | Hardcoded User Session Attribute | idp_user | true |
| is_idp_reauth_supported | inherit | Hardcoded User Session Attribute | is_idp_reauth_supported | true |
Manage & Store IdP Tokens
To manage/store the tokens issued by Google and Microsoft, refer to the specific article Receiving tokens from Upstream Identity Providers, please.
Conclusion
Once you set up the IdPs, the following options for SSO should be seen on the Login page.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article