Single Sign On with OAuth

Single Sign-On (SSO) is an auth mechanism that allows users to access multiple applications or services with a single set of login credentials. Instead of having separate login credentials for each application, SSO enables users to log in once, and then their authenticated session is shared across various applications without requiring them to log in again.

OAuth (Open Authorization) is an open standard and a widely used protocol for securely granting access to resources on behalf of a user without sharing their credentials.

For single instances of Iotellect, the default authorization scheme is a standalone operation mode in which the instance acts like an identity provider for itself, issuing and validating user tokens internally.

Using the OAuth plugin, one or more instances of Iotellect can be configured to use a shared external identity providers. As a result, users can authenticate a single time with the external provider, and then move between one of more applications provided by different instances of Iotellect without needing to re-authenticate.

The following steps to describe how to implement external authorization for enhanced security in your server setup. The basic steps are to configure an external identity provider, set up the Iotellect OAuth plugin to use the external provider, enable the plugin in the Iotellect server, and enable authorization for specific users.

Each external provider has it’s own methods for configuring an external authorization service. The following is meant as a general overview. When setting up a production system, consult the documentation of the service provider.

Configuring the Identity and Access management of Google Cloud will allow you to grant users access to Iotellect by authenticating with their Google accounts. Configuration typically follows these steps:

• Under IAM & Admin of your Google Cloud Platform control panel, Create a Project.

• Under APIs & Services, open the configuration page for OAuth Consent Screen to create an app for authorization management.

  • Create a consent screen, carefully considering whether authorization will be for users which are External or Internal to your Google Cloud Platform organization.

• Configure Scopes for the app. Scopes determine the amount of information about the user that Google will return with a successful authorization request. Wider scopes provide more information, but will require additional registration with Google before the app can be deployed.

• Add test users, if desired. Only test users will be allowed to authenticate via Google while the app is in “testing” mode.

• Publish the app.

• Under the Credentials menu item of the app's admin panel, open the Create Credentials option and select OAuth Client ID. The client ID information will be used to configure the OAuth plugin of Iotellect.

• Define the Application Type as a Web Application. Define the URIs which host the instances of Iotellect which users will be allowed to access via OAuth authorization. Create the credentials.

• Select Download JSON to save the information needed to configure the Iotellect OAuth plugin.

The downloaded document should be similar to the following:

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Adding an Application on the Microsoft Identity Platform follows similar steps to register both the web service and the client applications in Azure Active Directory. Note that in this case, any user which will be authenticated must exist in both Azure Active Directory and Iotellect.

• From Azure Portal, open Azure Active Directory and select Register Application

• Specify the app name, consider what kinds of user accounts will be allowed to be authenticated by the app (External or Internal to your organization in Azure AD). An Application ID should be generated, which will be used when adding a client application.

• Define the Application Type as a Web. Define the URIs which host the instances of Iotellect which users will be allowed to access via OAuth authorization.

• Select Token Type as Token ID (Used for implicit and hybrid flows).

• Under Certificates and Secrets menu, select New Client Secret

• This will create a confirmation field email in the authorization tokens, and give the option to add additional token parameters as desired.

• Provide consent as administrator to use the desired parameters.

• Under Expose an API, and select Add a Scope to add any number of scopes in order to restrict access to data and functionality.

• Click Add a Client Application and specify the Application ID generated when the application was registered.

• Return to Application Registration, and open tab End Points in order to get endpoints for:

  • Authorization which should look something like https://login.microsoftonline.com/<app or tenant id>/oauth/v2.0/authorize

  • Access Token which should look something like https://login.microsoftonline.com/<app or tenant id>/oauth/v2.0/token

  • Logout which should look something like https://login.microsoftonline.com/<app or tenant id>/oauth/v2.0/logout

There are many options for allowing external authentication via OAuth, including a number of cloud services, various social media sites, specific identity providers Okta, Auth0, and Keycloak, and many more. Each has their own registration steps, but approximately follow the logic above.

The OAuth plugin on Iotellect, the server, and each user must be configured in order to take advantage of the external authentication method described above.

The OAuth plugin handles the interaction between Iotellect and identity providers by redirecting unauthenticated users to OAuth identity providers, processing the responses, and granting access to users who have already authenticated. The following steps should be taken:

• Ensure that the OAuth Plugin is installed in each Iotellect instance for which external access will be allowed.

• Edit the global properties of the OAuth plugin. Plugin is located under the Drivers Plugins context.

• Create a new entry and give it unique name in the Provider field, and a convenient description in the Description.

• Open the Settings field to supply the parameters of the identity provider.

In order to allow Iotellect to use OAuth as an external authentication method, the server must be set up the following way:

• Open Server Configurations, navigate to the Security tab, in the Authentication sub-tab, set the External Authentication parameter to OAuth.

• Restart the server.

Finally, each user in Iotellect can be configured to Use External Authentication. Enabling external authentication for a user means that Iotellect will allow the user to authenticate using the service indicated in the server External Authentication method.

Was this page helpful?

Tell us more

Send

Thank you!