Setting up Identity Providers in IAM (OpenID)

Modified on Wed, 26 Jul 2023 at 12:06 PM

Introduction

IAM offers built-in options for connecting to external identity providers (IdPs) over the OpenID Connect (OIDC) protocol.


Labforward IAM is based on Keycloak and can support more options, including other SSO protocols. This documentation covers only the tested and, therefore, officially supported options. Contact us if you would like to use another IdP or protocol for identity federation.


With an external IdP, Labforward users sign in with their existing IdP account and do not need to set a separate password for their Labforward account. With that single account, they can access Laboperator, Workflow Editor, Labfolder, and Labregister.


Before configuring the Labforward products, SSO must already be configured on the identity provider side (for example Google or Microsoft).


External Identity Provider Configuration

For that, follow the provider's own, most recent tutorial:


Add an Identity Provider

In the admin panel, in the realm labforward, open the “Identity providers” menu to view and edit the IdP settings. Add IdPs from the top-right menu and edit existing IdPs by clicking on them.


Set up Google

The built-in preset is used for the Google IdP, so Google needs to be added via

  • Add Provider → Google

Configure it as follows:


Config              Value
------------------  ------------------------------------------------------------------
Client ID           Client ID taken from the Google client
Client Secret       Client Secret generated by the Google client
Default Scopes      openid profile email
Enabled             ON
Trust Email         ON
First Login Flow    iam-first-broker-login
Sync Mode           Import (default), or Force to keep the profile synced with the IdP


Sync Mode Options

When Sync Mode is set to Import, the user data (first name, last name, and email) is imported only once from the identity provider into IAM.


If the IAM profile should always stay in sync with the remote identity provider, set Sync Mode to Force.


Set up Google IdP Mappers

Add the mappers for Google via the Mappers tab. Three mappers need to be defined, as follows:


Name                     Sync Mode Override   Mapper Type                        Social Profile JSON Field Path /   User Attribute Name /
                                                                                  User Session Attribute             User Session Attribute Value
-----------------------  -------------------  ---------------------------------  ---------------------------------  ----------------------------
hd                       inherit              Attribute Importer                 hd                                 organization
is_idp_user              inherit              Hardcoded User Session Attribute   idp_user                           true
is_idp_reauth_supported  inherit              Hardcoded User Session Attribute   is_idp_reauth_supported            false


Set up Microsoft

The preset is not used for the Microsoft IdP because of the customizations made for re-authentication; instead, Microsoft needs to be added via

  • Add Provider → Extended OpenID Connect v1.0

Configure it as follows:

Config               Value
-------------------  ------------------------------------------------------------------
Display Name         Microsoft
Enabled              ON
Trust Email          ON
First Login Flow     iam-first-broker-login
Sync Mode            Import (default), or Force to keep the profile synced with the IdP
Authorization URL    https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL            https://login.microsoftonline.com/common/oauth2/v2.0/token
Disable User Info    ON
User Info URL        https://graph.microsoft.com/oidc/userinfo
Client ID            Client ID taken from the Microsoft client
Client Secret        Client Secret generated by the Microsoft client
Default Scopes       openid profile email
Prompt               unspecified
Validate Signatures  ON
Use JWKS URL         ON
JWKS URL             https://login.microsoftonline.com/common/discovery/v2.0/keys


Sync Mode Options

The Import and Force behaviour is the same as described under Sync Mode Options in the Google section above.

Set up Microsoft IdP Mappers

Add the mappers for Microsoft via the Mappers tab. Two mappers need to be defined, as follows:


Name                     Sync Mode Override   Mapper Type                        Social Profile JSON Field Path /   User Attribute Name /
                                                                                  User Session Attribute             User Session Attribute Value
-----------------------  -------------------  ---------------------------------  ---------------------------------  ----------------------------
is_idp_user              inherit              Hardcoded User Session Attribute   idp_user                           true
is_idp_reauth_supported  inherit              Hardcoded User Session Attribute   is_idp_reauth_supported            true
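The Google and Microsoft configuration tables and their mapper tables above, together with the Import/Force rule from Sync Mode Options, expressed as the JSON representations that the Keycloak admin REST API accepts. This is an added example and not code from the Labforward article or product. It assumes that the upstream Keycloak identifiers used here (the "google" and "oidc" providerId values, the mapper provider ids and config keys, and the /admin/realms/... endpoints) match the Labforward IAM build; the article's "Extended OpenID Connect v1.0" provider is a Labforward customization whose providerId the article does not give, so EXTENDED_OIDC_PROVIDER_ID is a placeholder to replace. The `tenant` parameter is also an addition: the article uses the `common` endpoints, which accept accounts from any Azure AD tenant, and passing a tenant ID instead restricts sign-in to one organization.

```python
"""Keycloak representations mirroring the Google and Microsoft IdP tables above.

Added example, not Labforward code.  Identifiers are the upstream Keycloak ones
and are assumed to match Labforward IAM; EXTENDED_OIDC_PROVIDER_ID is a placeholder.
"""
import json
import urllib.request

REALM = "labforward"
FIRST_LOGIN_FLOW = "iam-first-broker-login"
DEFAULT_SCOPES = "openid profile email"
SYNC_MODES = {"IMPORT", "FORCE"}          # the two modes the article allows
EXTENDED_OIDC_PROVIDER_ID = "oidc"        # PLACEHOLDER: set the Labforward provider id here


def check_sync_mode(sync_mode):
    """Import = copy name/email once; Force = overwrite them on every login."""
    mode = sync_mode.upper()
    if mode not in SYNC_MODES:
        raise ValueError(f"sync mode must be one of {sorted(SYNC_MODES)}, got {sync_mode!r}")
    return mode


def google_idp(client_id, client_secret, sync_mode="import"):
    """IdentityProviderRepresentation for the built-in Google preset."""
    return {
        "alias": "google",
        "providerId": "google",
        "enabled": True,
        "trustEmail": True,               # Trust Email ON: IdP e-mail is accepted as verified
        "firstBrokerLoginFlowAlias": FIRST_LOGIN_FLOW,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": DEFAULT_SCOPES,
            "syncMode": check_sync_mode(sync_mode),
        },
    }


def microsoft_idp(client_id, client_secret, sync_mode="import", tenant="common"):
    """Representation for the Microsoft IdP.  'common' (as in the article) accepts
    any Azure AD tenant; pass your tenant ID to limit sign-in to one organization."""
    login = f"https://login.microsoftonline.com/{tenant}"
    return {
        "alias": "microsoft",
        "displayName": "Microsoft",
        "providerId": EXTENDED_OIDC_PROVIDER_ID,
        "enabled": True,
        "trustEmail": True,
        "firstBrokerLoginFlowAlias": FIRST_LOGIN_FLOW,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": DEFAULT_SCOPES,
            "syncMode": check_sync_mode(sync_mode),
            "authorizationUrl": f"{login}/oauth2/v2.0/authorize",
            "tokenUrl": f"{login}/oauth2/v2.0/token",
            "userInfoUrl": "https://graph.microsoft.com/oidc/userinfo",
            "disableUserInfo": "true",
            # Prompt "unspecified" in the admin UI means the key is simply not set.
            # Signature validation against the published JWKS is what rejects a
            # token not signed by Microsoft, so both of these stay on.
            "validateSignature": "true",
            "useJwksUrl": "true",
            "jwksUrl": f"{login}/discovery/v2.0/keys",
        },
    }


def hardcoded_session_attribute(idp_alias, name, attribute, value):
    """One 'Hardcoded User Session Attribute' mapper row (sync mode override: inherit)."""
    return {
        "name": name,
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "hardcoded-user-session-attribute-idp-mapper",
        "config": {"syncMode": "INHERIT", "attribute": attribute, "attribute.value": value},
    }


def google_mappers():
    return [
        {   # 'Attribute Importer': Google's hd (hosted domain) claim -> user attribute 'organization'
            "name": "hd",
            "identityProviderAlias": "google",
            "identityProviderMapper": "google-user-attribute-mapper",
            "config": {"syncMode": "INHERIT", "jsonField": "hd", "userAttribute": "organization"},
        },
        hardcoded_session_attribute("google", "is_idp_user", "idp_user", "true"),
        hardcoded_session_attribute("google", "is_idp_reauth_supported", "is_idp_reauth_supported", "false"),
    ]


def microsoft_mappers():
    return [
        hardcoded_session_attribute("microsoft", "is_idp_user", "idp_user", "true"),
        hardcoded_session_attribute("microsoft", "is_idp_reauth_supported", "is_idp_reauth_supported", "true"),
    ]


def create_idp(base_url, admin_token, idp, mappers):
    """Create the IdP and its mappers via the admin REST API (token needs realm-admin
    rights on the realm).  Network call; not exercised by the checks."""
    instances = f"{base_url}/admin/realms/{REALM}/identity-provider/instances"
    targets = [(instances, idp)] + [(f"{instances}/{idp['alias']}/mappers", m) for m in mappers]
    for url, body in targets:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": f"Bearer {admin_token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:   # Keycloak answers 201 Created
            resp.read()
```

Usage: `create_idp("https://iam.example.test", token, google_idp(cid, secret), google_mappers())` (host and token are constructed values) creates the Google IdP with the three mappers in one go; the same call with `microsoft_idp(...)` and `microsoft_mappers()` covers the Microsoft side. Keeping the representations in code makes the settings reviewable in version control, so an accidental change such as switching Validate Signatures off shows up in a diff instead of only in the admin UI.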


Login Page with Google and Microsoft IdPs Enabled

Once the IdPs are set up, the following SSO options should appear on the Login page:

