Add an authorization server - HxGN SDx - Update 61 - Help - Hexagon

Managing Smart 3D Project/As-Built with HxGN SDx

Product: HxGN SDx. SmartPlant Foundation / SDx Version: 10. Language: English.
  1. Select the API tab, and click Authorization Servers.

  2. Click Add Authorization Server. Enter the following details:

     Name: The name of the authorization server.

     Audience: A GUID generated using the GUID website http://new-guid.com. The GUID must be in upper case. You must keep a record of the generated GUID, as it is used as the Smart API Service ID scope for the authorization server.

     Description: The description of the authorization server.

  3. Click Save.

    Take note of the Issuer and the Audience generated, as these will be used in the web.config file.

  4. Select the Scopes tab, and click Add Scope.

  5. In the Add Scope dialog box, set the following values:

    1. Set the GUID generated in the Audience box as the Name.

    2. Add a Description.

    3. Select the Include in public metadata check box. Do not select the Set as default scope check box.

    4. Click Create.

  6. Click Add Scope again, and provide the following values:

    1. Type "ingr.api" as the name.

    2. Select the Include in public metadata check box, and leave the Set as default scope check box clear.

    3. Click Create.

  7. Select the Claims tab, and click Add Claim.

  8. In the Add Claim dialog box, create the following two claims:

    Name: Ingr.session_id
    Value: String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")

    Name: name
    Value: String.join("",user.firstName,user.lastName)

    The ingr.session_id claim must have some of the special characters removed from the standard timestamp format, because the claim value is used when creating temporary folders on the file server. Set the claim value in the Okta configuration to exactly the following expression: String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")

    Retain the default values in the Include in Token Type, Value Type, and Include In boxes.

  9. You can add an access policy depending on the client being used. The details for adding an access policy for a PKCE client and for a Client Credentials client are given below.
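As an added example (not part of the Hexagon documentation or of the Okta product), the following Python code reproduces what the Ingr.session_id expression above yields from an ISO 8601 timestamp, and shows the checks a consuming service should make on the authorization server's public metadata and on an already signature-verified token payload: the Issuer and GUID Audience recorded in step 3, the ingr.api scope from step 6, and a session id that contains only characters safe to use as a folder name. The issuer URL, the GUID and the sample payloads are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed placeholders: replace with the Issuer and Audience recorded in step 3.
EXPECTED_ISSUER = "https://example.okta.com/oauth2/aus_EXAMPLE_ID"
SMART_API_SERVICE_ID = "3F2504E0-4F89-11D3-9A0C-0305E82C3301"  # upper-case GUID (Audience)
REQUIRED_SCOPES = {SMART_API_SERVICE_ID, "ingr.api"}

# Shape of the value the Okta expression produces, e.g. 20240115T103000123Z.
# Only digits, 'T' and 'Z' survive, so the value cannot carry path separators.
SAFE_SESSION_ID = re.compile(r"\d{8}T\d{9}Z")


def okta_session_id(now: datetime) -> str:
    """Reproduce locally the effect of the claim expression
    String.replace(String.replace(String.replace(Time.now(), ":", ""), "-", ""), ".", "")
    Okta's Time.now() returns an ISO 8601 timestamp with milliseconds and a 'Z' suffix."""
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    for ch in (":", "-", "."):
        stamp = stamp.replace(ch, "")
    return stamp


def check_metadata(metadata: Dict) -> List[str]:
    """Check the authorization server's public metadata document (the
    .well-known/oauth-authorization-server JSON) advertises the expected issuer
    and both scopes that were marked 'Include in public metadata'."""
    problems = []
    if metadata.get("issuer") != EXPECTED_ISSUER:
        problems.append(f"issuer mismatch: {metadata.get('issuer')!r}")
    missing = REQUIRED_SCOPES - set(metadata.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes missing from public metadata: {sorted(missing)}")
    return problems


def check_claims(claims: Dict) -> List[str]:
    """Check a decoded access-token payload. The JWT signature is assumed to
    have been verified already; this only validates claim contents."""
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("iss does not match the authorization server Issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if SMART_API_SERVICE_ID not in aud:
        problems.append("aud does not contain the Smart API Service ID GUID")
    if "ingr.api" not in set(claims.get("scp", [])):  # Okta puts granted scopes in 'scp'
        problems.append("ingr.api scope not granted")
    session_id = str(claims.get("Ingr.session_id", ""))
    if not SAFE_SESSION_ID.fullmatch(session_id):
        problems.append("Ingr.session_id is not a sanitized timestamp; refuse to use it as a folder name")
    return problems


if __name__ == "__main__":
    sample_time = datetime(2024, 1, 15, 10, 30, 0, 123000, tzinfo=timezone.utc)  # constructed
    sid = okta_session_id(sample_time)
    print("session id:", sid)
    payload = {  # constructed sample payload
        "iss": EXPECTED_ISSUER,
        "aud": SMART_API_SERVICE_ID,
        "scp": ["ingr.api"],
        "Ingr.session_id": sid,
        "name": "JaneDoe",
    }
    print("claim problems:", check_claims(payload))
```

The session id check matters because the claim value is used to create folders on the file server: a token minted by a misconfigured or different authorization server could carry a session id with separators in it, and the regular expression rejects it before it reaches the filesystem.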

Add access policy for PKCE client

  1. Select the Access Policies tab, and click Add Policy.

  2. In the Add Policy dialog box, type the Name and Description.

  3. In the Assign to box, select the The following clients option, select your PKCE client, and click Create Policy.

  4. Click Add Rule.

    Tip: Rules allow for the configuration of the token lifetime and expiration.

  5. In the Add Rule dialog box, set the rules as shown in the following example:

    Rule Name: CommonUIPKCERule
    IF Grant type is: Authorization Code
    AND User is: Any user assigned the application
    AND Scopes requested: Any scopes
    THEN Access token lifetime is: 1 Hour
    AND Refresh token lifetime is: Unlimited
    BUT will expire if not used every: 7 Days

    You can set the rule according to your requirements. The above table is only an example.

  6. Click Create Rule.

Add access policy for Client Credentials client

  1. Select the Access Policies tab, and click Add Policy.

  2. In the Add Policy dialog box, type the Name and Description.

  3. In the Assign to box, select the The following clients option, and select your Client Credentials client.

  4. Click Add Rule.

    Tip: Rules allow for the configuration of the token lifetime and expiration.

  5. In the Add Rule dialog box, set the rules as shown in the following example:

    Rule Name: CommonUICCIDRule
    IF Grant type is: Client Credentials
    AND User is: Assigned the app and a member of one of the following > Select a group.
    AND Scopes requested: The following scopes > Select the scope
    THEN Access token lifetime is: 1 Hour
    AND Refresh token lifetime is: Unlimited

    You can set the rule according to your requirements. The above table is only an example.