Configuring Single Sign-On authentication - HxGN EAM - 12.0.1 - Help - Hexagon


The SSO Configuration screen lets you configure Single Sign-On authentication for EAM. All fields on this screen are optional. The screen covers both WS-Trust and OIDC; you may configure either protocol or both.

The WS-Trust settings entered on this screen are the default tenant-specific settings and override any customer information stored in YAML files. On-premise customers can use this screen to store their WS-Trust configuration; in the cloud it holds the WS-Trust settings for each tenant. The screen also accepts OIDC configuration in place of install parameters and validates that every field required for OIDC authentication is populated before the configuration is accepted.

  1. Select Administration > System Configuration > SSO Configuration.

  2. In the OIDC Configuration section, specify this information:

    1. Issuer – Enter the issuer of the OpenID Connect ID token. This is the value EAM compares against the iss claim of every ID token it receives; tokens from any other issuer are rejected.

    2. Client ID – Enter the client ID registered for EAM at the OpenID Connect provider. This is the value EAM expects in the aud claim of the ID token.

    3. JWKS URI – Enter the URI from which the identity provider's JSON Web Key Set (JWKS) is retrieved. These are the public signing keys EAM uses to verify ID token signatures.

    4. Optionally, select the Password Grant check box to authenticate users by sending their username and password directly to the token endpoint (the OAuth 2.0 Resource Owner Password Credentials grant). Because this grant exposes user passwords to the application and is deprecated in the OAuth 2.0 Security Best Current Practice, leave it cleared unless the redirect-based sign-in flow cannot be used. When it is selected, also specify:

      1. Client Password – Enter the client secret issued by the provider for this client ID.

      2. Scope – Enter the OpenID Connect scope(s) to pass in the request to the token endpoint, for example openid profile email.

      3. Token End Point – Enter the provider's token endpoint.

    5. Authentication Endpoint – Enter the provider's authorization endpoint, to which users are redirected to sign in. Only tokens obtained through this endpoint (or the token endpoint, if Password Grant is enabled) are accepted.

    6. End Session Endpoint – Enter the provider's end-session endpoint, to which EAM redirects the user at logout so that the session at the identity provider is ended as well.

  3. In the OIDC Claims section, specify this information:

    1. Identity Claim – Enter the name of the OpenID Connect ID token claim containing the unique, stable identifier of the user (typically sub). This claim is mandatory; a token without it cannot be mapped to an EAM user.

    2. UPN Claim – Enter the name of the OpenID Connect ID token claim containing the displayable user information (UPN/Identity 2).

    3. Role Claim – Enter the name of the OpenID Connect ID token claim containing the role information.

    4. Tenant Claim – Enter the name of the OpenID Connect ID token claim whose value contains the tenant information.

    5. Email Claim – Enter the name of the OpenID Connect ID token claim containing the email address.

    6. User Description Claim – Enter the name of the OpenID Connect ID token claim containing the user description.

  4. In the WS-Trust Configuration section, specify this information:

    1. Enable WS-Trust – Optionally, select this check box to enable the WS-Trust protocol configuration.

      WS-Trust is available when using ADFS or Ping Federate as the IdP, but not with Azure AD or Okta.

      1. Identity Provider Type – Select PF or ADFS to indicate whether Ping Federate or Active Directory Federation Services is the identity provider that authenticates users for SSO.

      2. STS Endpoint – Enter the endpoint of the security token service that issues security tokens in exchange for the user's credentials.

      3. MEX Address – Enter the Metadata Exchange (WS-MetadataExchange) address of the STS. For ADFS, this address is shown in the ADFS management console.

    2. STS Policy ID – Leave blank when connecting to ADFS.

    3. Optionally, select the Quality User check box to set the user ID to <tenant>~<userid>. This option exists for backwards compatibility.

    4. Optionally, select the Transmit Tenant check box to set the user ID to <customerid>_<userid>. This option exists for backwards compatibility.

  5. Click Save Record.
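The following is an added example, not HxGN EAM code, showing what the values from the OIDC Configuration and OIDC Claims sections (steps 2 and 3 above) are used for once a user signs in: the ID token's signature is verified with a key from the JWKS, the iss claim is matched against Issuer, the aud claim against Client ID, the expiry is checked, and only then are the configured claim names resolved into user fields. All endpoints, the key, and the claim names are constructed for the demo. To run offline with only the standard library it uses a symmetric "oct" JWK with HS256; real providers publish RSA or EC keys and the same checks apply with RS256/ES256 signature verification.

```python
"""Added example (not HxGN EAM code): relying-party handling of an OIDC ID
token using the SSO Configuration values. All values below are constructed.
Simplification: a symmetric "oct" JWK with HS256 keeps this offline; real
providers publish RSA/EC keys and the checks are the same with RS256/ES256."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the document served at the JWKS URI.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-key-not-for-production")}]}

# Constructed stand-in for the values entered on the SSO Configuration screen.
SSO_CONFIG = {
    "issuer": "https://idp.example.test",   # Issuer field
    "client_id": "eam-client",              # Client ID field
    "claims": {                             # OIDC Claims section
        "identity": "sub", "upn": "preferred_username", "role": "roles",
        "tenant": "tid", "email": "email", "user_description": "name",
    },
}


def sign_id_token(claims: dict, jwk: dict) -> str:
    """Mint an HS256 ID token the way the demo identity provider would."""
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_id_token(token: str, config: dict, jwks: dict, now=None) -> dict:
    """Return the verified claim set, or raise ValueError.

    Only the header's kid is consulted before the signature is checked; the
    payload is not trusted until signature, issuer, audience and expiry
    checks have all passed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise ValueError("no JWKS key matches kid")
    # Pin the algorithm to the one the key declares: this rejects alg=none and
    # any algorithm-confusion attempt driven by the untrusted header.
    if header.get("alg") != key["alg"]:
        raise ValueError("algorithm not allowed for this key")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not include this client ID")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired or has no exp")
    return claims


def map_user(claims: dict, claim_config: dict) -> dict:
    """Resolve the configured claim names against a verified claim set.
    The identity claim is mandatory; the others are optional."""
    identity = claims.get(claim_config["identity"])
    if not identity:
        raise ValueError("identity claim %r missing" % claim_config["identity"])
    user = {"identity": identity}
    for field in ("upn", "role", "tenant", "email", "user_description"):
        user[field] = claims.get(claim_config[field])
    return user


def login(token: str, config=SSO_CONFIG, jwks=JWKS, now=None):
    """Return ("ok", user) on success, ("rejected", reason) otherwise."""
    try:
        return "ok", map_user(verify_id_token(token, config, jwks, now), config["claims"])
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    now = time.time()
    token = sign_id_token({"iss": SSO_CONFIG["issuer"], "aud": SSO_CONFIG["client_id"],
                           "exp": now + 300, "sub": "u123", "preferred_username": "alice",
                           "roles": ["EAM_ADMIN"], "tid": "tenant-a",
                           "email": "alice@example.test", "name": "Alice"}, JWKS["keys"][0])
    print(login(token, now=now))          # accepted, mapped user fields
    print(login(token, now=now + 600))    # rejected: expired
```

The order of checks is the point: the key is chosen by kid and the algorithm is pinned to what that key declares, so a token that asks for alg=none or a different algorithm is refused before its payload is read, and an issuer or audience mismatch is refused before any claim name from the OIDC Claims section is resolved.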