SSO OpenID
Overview
SSO enhances security and convenience by allowing users to authenticate through external identity providers such as Microsoft, Google, or ADFS. By following this guide, administrators can ensure a seamless and secure authentication experience for users.
Pre-requisites for SSO OpenID Configuration:
· Vienna Advantage Framework 6.1.2.0
· Vienna Advantage Base Files 2.4.1.0
· Vienna Advantage Market 3.1.12.0
A. SSO OpenID Configuration Screen
The SSO OpenID Configuration screen allows administrators to configure SSO using OpenID Connect. This setup enables users to authenticate through external identity providers such as Google, Microsoft, ADFS, or other custom providers. Once configured, the selected Provider Name and Image will be displayed on the login page, allowing users to choose their preferred authentication method.
The screen consists of two tabs:
SSO OpenID Configuration – Used for setting up SSO providers.
SSO Mapping – Used for mapping claims with the configured SSO provider.
1. SSO OpenID Configuration
This tab allows users to configure SSO settings by filling out the following fields:
Provider: A dropdown field that allows selecting an external identity provider. Available options include:
Google (for authentication via Google accounts)
Microsoft (for authentication via Microsoft accounts)
ADFS (Active Directory Federation Services)
Other (Custom identity providers supporting OpenID Connect)
Name (Required): Define a user-friendly name for the SSO provider. The name entered here will be displayed on the login page as an option for users to select their preferred authentication method.
Client ID (Required): The unique identifier issued by the identity provider when registering the application.
Tenant ID (Optional): Some identity providers (such as Microsoft Azure AD) require a tenant identifier. If applicable, enter the specific tenant ID; otherwise leave it blank.
Authority (URL): The URL of the authorization server that provides OpenID authentication.
Redirect (URL): Specifies the URL to which the authentication response is sent. This URL must match one of the redirect URIs registered with the identity provider.
Image: This field allows uploading an image or logo representing the identity provider. The uploaded image will be displayed on the login page in front of the provider name.
Steps to Configure SSO:
Log in with the System Administrator role.
Navigate to the SSO OpenID Configuration tab.
Select a provider from the Provider list.
Enter the Name to be displayed on the login page.
Fill in the Client ID provided by the SSO provider.
(Optional) Enter the Tenant ID if applicable.
Provide the Authority URL and Redirect URL.
Upload an Image (optional) to be displayed on the login button.
Enable or disable the Active checkbox as needed.
Click Save to store the configuration.
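As an added example (not part of the Vienna Advantage product or this guide), the field rules above expressed as a check a practitioner can run before saving: required Name and Client ID, HTTPS-only Authority and Redirect URLs, and a Redirect URL that must appear among the URIs registered with the provider. The hosts, client ID and tenant ID below are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

KNOWN_PROVIDERS = {"Google", "Microsoft", "ADFS", "Other"}

@dataclass
class SsoOpenIdConfig:
    provider: str        # one of KNOWN_PROVIDERS
    name: str            # label shown on the login page (required)
    client_id: str       # issued by the identity provider (required)
    authority: str       # authorization server URL
    redirect_url: str    # where the authentication response is sent
    tenant_id: str = ""  # optional; needed by some providers such as Azure AD
    active: bool = True

def _is_https_url(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def validate_config(cfg: SsoOpenIdConfig, registered_redirect_uris) -> list:
    """Return the problems found; an empty list means the configuration can be saved."""
    problems = []
    if cfg.provider not in KNOWN_PROVIDERS:
        problems.append(f"unknown provider {cfg.provider!r}")
    if not cfg.name.strip():
        problems.append("Name is required")
    if not cfg.client_id.strip():
        problems.append("Client ID is required")
    # SSO only works over HTTPS, so both URLs must be absolute https URLs.
    for label, url in (("Authority", cfg.authority), ("Redirect", cfg.redirect_url)):
        if not _is_https_url(url):
            problems.append(f"{label} URL must be an absolute https URL, got {url!r}")
    # The redirect URL must match a registered URI as a whole string; a near miss
    # (different path, trailing slash, http scheme) is rejected, not normalised.
    if cfg.redirect_url not in set(registered_redirect_uris):
        problems.append("Redirect URL is not among the URIs registered with the provider")
    return problems

# Constructed sample values: identity provider and application hosts are placeholders.
REGISTERED = {"https://erp.example.com/signin-oidc"}
GOOD = SsoOpenIdConfig("Microsoft", "Microsoft", "client-id-placeholder",
                       "https://idp.example.com/common/v2.0",
                       "https://erp.example.com/signin-oidc", tenant_id="tenant-id-placeholder")
BAD = SsoOpenIdConfig("Microsoft", "Microsoft", "client-id-placeholder",
                      "http://idp.example.com/common/v2.0",        # not https
                      "https://erp.example.com/signin-oidc/")      # trailing slash: unregistered

if __name__ == "__main__":
    print(validate_config(GOOD, REGISTERED))  # []
    print(validate_config(BAD, REGISTERED))   # two problems
```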
Login Page Display: After configuring an SSO provider, the login page will display:
The Name entered in the configuration.
The Image (logo) uploaded for the provider.
Users will be able to select their authentication method by clicking on the provider name.
Clicking on "Microsoft" will redirect users to Microsoft authentication.
2. SSO Mapping
The SSO Mapping tab is used to map claims (user attributes) returned by the SSO provider to your application's user model. This ensures that user data is correctly synchronized.
The fields are:
SSO Configuration ID: A dropdown list showing previously configured SSO providers.
Claim Type: A dropdown list with values sourced from the Claim Type screen. Ensure the claim type matches the attribute returned by the SSO provider (e.g., email, name, or sub).
Steps to Set Up SSO Mapping:
Log in with the System Administrator role.
Navigate to the SSO Mapping tab.
Select an SSO Configuration ID from the dropdown.
Choose a Claim Type from the dropdown.
Click Save to store the mapping.
B. Claim Type Screen
This window maintains a list of available claim types that are used in SSO mapping. Fields are given below:
Code: In the Code field, enter a unique 3-digit numeric code starting from 100 (e.g., 100, 101, 102).
Claim Type: The actual claim name used in identity tokens. Example: preferred_username (used in OpenID authentication flows to represent the preferred username of the user).
Description: Allows entering additional details about the claim type.
Note: We have already added the 22 claim types that are most commonly in use.
Steps to Add a New Claim Type:
Log in with the System Administrator role.
Open the Claim Type Master window.
Enter a unique Code (starting from 100).
Enter a Claim Type.
(Optional) Enter a Description.
Click Save to store the claim type.
C. SSO Data Mapping
The SSO Data Mapping screen allows administrators to map user claims received from an external identity provider to existing users in the system. This ensures that users can successfully log in using their SSO credentials.
When a user logs in through an external identity provider (e.g., Microsoft, Google, ADFS), the system receives various claim values such as email, username, or unique identifiers. The SSO Data Mapping screen helps associate these claim values with existing users in the system to enable seamless authentication.
The SSO Data Mapping screen consists of two tabs:
Login User – Displays only those users whose Login User status is marked as "True."
SSO Data Mapping – Allows administrators to map claims received from the identity provider to specific users in the system.
It includes the following fields:
User/Contact: The selected user will be linked with the identity provider's claim values.
SSO Configuration ID: Selects the SSO configuration previously set up under the SSO OpenID Configuration tab.
Claim Type: Lists claim types that were added under the SSO Mapping Tab in the SSO OpenID Configuration screen.
Claim Value: Represents the actual value received from the identity provider.
Example: If a user logs in via Google and the system receives an email claim (user@gmail.com), this field will store user@gmail.com.
Steps to Configure SSO Data Mapping
Log in with the Admin role.
Navigate to the SSO Data Mapping screen.
Select the Login User tab to verify that the user has login rights.
Switch to the SSO Data Mapping tab.
Click Add New Mapping.
Select a User/Contact from the dropdown.
Choose an SSO Configuration ID (which provider the claim is coming from).
Select a Claim Type (email, username, etc.).
Enter the Claim Value provided by the identity provider.
Check the Active checkbox if the mapping should be enabled.
Click Save to store the mapping.
How It Works During Authentication
When a user logs in using an external identity provider, the system retrieves claims from the provider.
It checks the SSO Data Mapping entries to find a matching claim value.
If a match is found, the user is successfully authenticated and logged in.
If no match is found, the user will automatically be logged out from the identity provider (Microsoft or Google), as shown in the image below.
Once this message appears on the login page, the system redirects the user to Microsoft to log out after 5 seconds, as shown in the image below; alternatively, the user can log out manually by clicking the cross button.
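The matching described above, as an added Python example that is not the product's own code: only claim types mapped for the provider configuration (SSO Mapping tab) are consulted, a claim value must equal an active SSO Data Mapping row for that same configuration, and anything else ends in the logout path. The mapping rows and token claims are constructed, and exact string comparison of claim values is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SsoMapping:
    """SSO Mapping tab: a claim type the provider configuration is allowed to match on."""
    sso_config_id: int
    claim_type: str

@dataclass(frozen=True)
class SsoDataMapping:
    """SSO Data Mapping tab: links one claim value from one provider to one user."""
    user_id: int
    sso_config_id: int
    claim_type: str
    claim_value: str
    active: bool = True

def resolve_user(sso_config_id: int, token_claims: dict,
                 sso_mappings, data_mappings) -> Optional[int]:
    """Return the mapped user id, or None when no active mapping matches."""
    # Only claim types mapped for this provider configuration are consulted, so a claim
    # the provider happens to send but that was never mapped cannot log anyone in.
    wanted = [m.claim_type for m in sso_mappings if m.sso_config_id == sso_config_id]
    for claim_type in wanted:
        value = token_claims.get(claim_type)
        if value is None:
            continue
        for dm in data_mappings:
            # Exact comparison (assumption): stored value must equal the received one,
            # and the row must belong to the same provider configuration and be active.
            if (dm.active and dm.sso_config_id == sso_config_id
                    and dm.claim_type == claim_type and dm.claim_value == value):
                return dm.user_id
    return None

def login_outcome(sso_config_id: int, token_claims: dict, sso_mappings, data_mappings) -> str:
    """'authenticated' on a match; otherwise 'logout', i.e. end the provider session."""
    user_id = resolve_user(sso_config_id, token_claims, sso_mappings, data_mappings)
    return "authenticated" if user_id is not None else "logout"

# Constructed sample data: configuration 1 is a Google provider mapped on the email claim.
SSO_MAPPINGS = [SsoMapping(sso_config_id=1, claim_type="email")]
DATA_MAPPINGS = [
    SsoDataMapping(1001, 1, "email", "user@gmail.com"),
    SsoDataMapping(1002, 1, "email", "old@gmail.com", active=False),  # disabled mapping
    SsoDataMapping(1003, 1, "name", "Some User"),  # claim type not mapped for config 1
]

if __name__ == "__main__":
    claims = {"email": "user@gmail.com", "name": "Some User", "sub": "constructed-subject-id"}
    print(login_outcome(1, claims, SSO_MAPPINGS, DATA_MAPPINGS))  # authenticated
```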
Note: Single Sign-On (SSO) works only with HTTPS links because HTTPS ensures secure communication between the user's device and the server.