Avendoo® online documentation

SSO and import configuration

Under SSO and import configuration you can

  • create Single Sign-On (SSO) configurations for SSO via OpenID Connect. The wizard SSO and import configuration supports creating and later adjusting the SSO configuration.

    Note

    You still have to maintain SSO configurations for SAML2 via the system setting “saml.configuration”.

  • create, update, lock and/or delete user accounts via SCIM 2.0. You make the required configuration settings in the wizard SSO and import configuration as well.
  • create, update and lock user accounts in connection with Avendoo® registration codes by using OpenID Connect.

Note

The former system setting “scim2.configuration” has been transferred into this function since Release 17.38 and has also been enhanced.

You can find information about the login via Single Sign-On (SSO) on the page “Login via Single Sign-On”.

You can filter by the following criteria: Title, Prefix and Status (All, Inactive or Active).

The mass processing functions Copy and Delete are available for SSO and import configurations. You can find more information about these functions under SSO and import configuration: Mass processing functions.

The following functions are available via the context menu of the corresponding SSO and import configuration title.

To create a new SSO and import configuration, choose Administration → SSO and import configuration → New SSO and import configuration. The wizard for SSO and import configuration opens.

Master data

Title

Specify a title here for this configuration. This field is mandatory.

Prefix

Specify the prefix here that uniquely identifies this configuration. As in the system setting, this is used to enable several configurations of the same type. It must be alphanumeric and a maximum of 64 characters long, and must not contain any spaces.

This field is also mandatory.

The prefix you enter is also used to uniquely identify the SSO configuration elsewhere, for example in the Client wizard: there you enter the prefix of an SSO configuration in the field Identity Provider Id on the tab Options.

You can also use the prefix to build an SSO link, for example in the Avendoo® system, in SharePoint or on an intranet page.

Example of an SSO link via OpenID Connect with the prefix “OpenID1Praefix”:
“https://URLAvendooCustomersystem.de/l/openid/oidc?sso=OpenID1Praefix”

Configuration type

Select the configuration type you want to edit. Currently you can select “SCIM 2.0” or “OpenID Connect”.

Metadata

Note

The metadata is for information only; it is not processed in Avendoo®.

Valid from

Enter from which date the object is valid.

Valid until

Enter until which date the object is valid.

Version

Enter the version of the object.

Note

Enter notes for the object.

Configuration for SCIM 2.0

Authentication

You can retrieve the bearer token for authentication here. The generated token is visible, and can be copied, only at the moment it is retrieved. It is also bound to the current user.
The token can only be retrieved if the current user has the following rights: permanently delete user, import user, and create and edit user.

This field is mandatory.

Client

Select the client here on which the users are to be created and select an appropriate user profile.

Deletion option

Select here what should happen to a user that is deleted via SCIM 2.0. The default selection is that the user should be marked as deleted. However, the user may also be permanently deleted or anonymized. Select between the following options:

  • Mark as deleted,
  • Permanently delete or
  • Anonymize.

In the lower selection and entry options, you can set what should happen to the user x days after he/she has been marked as deleted. Select between the following options:

  • Permanently delete, and how many days after deletion,
  • Anonymize, and how many days after deletion, or
  • Do nothing.

Identity Provider ID

Here you define the name of the identity provider to which the users created should belong. This field is mandatory.

Attribute assignment

Specify here which fields in the external system should be mapped to which Avendoo fields. At least the SCIM field idpName must be mapped.

At least the following Avendoo fields must be filled: login, e-mail, identity provider ID, identity provider user ID.

If you have any questions about the configuration, please contact our support team.

Configuration for OpenID Connect

General settings

Client settings

This is where you define the settings associated with the client and its connection to the authentication system. The client ID is the ID of the client in the authentication system and the client secret is the secret of the client in the authentication system.

Load configuration

This is where you can load the configuration from the provider's well-known URL. To do so, enter the required URL and click the button Load configuration.
After the configuration has loaded, check the fields for the authentication of the token endpoint and for the encryption algorithm of the ID token: the provider may list several supported values there, because it allows various methods, and you must decide on exactly one.
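
The check described above, as an added example that is not part of Avendoo's documentation or code: it maps a constructed well-known configuration document onto the wizard's endpoint and JWK fields and reports the fields where the provider offers several values, so that the administrator sees which decisions are still open. The document contents, host name and field names of the returned dictionary are assumptions.

```python
import json

# Constructed sample of a provider's well-known configuration document (the
# JSON served under /.well-known/openid-configuration); the host is a placeholder.
DISCOVERY_JSON = """
{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
  "token_endpoint": "https://idp.example.test/oauth2/token",
  "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
  "jwks_uri": "https://idp.example.test/oauth2/keys",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256"]
}
"""
# The two token endpoint authentication methods the wizard offers.
WIZARD_AUTH_METHODS = ("client_secret_post", "client_secret_basic")


def load_configuration(discovery_json, flow="code"):
    """Map a discovery document onto the wizard's fields; returns (settings,
    open_decisions), where open_decisions lists the fields for which the
    provider offers several values and the administrator must pick one."""
    doc = json.loads(discovery_json)
    settings = {
        "issuer": doc["issuer"],
        "authorization": doc["authorization_endpoint"],
        "token": doc["token_endpoint"],
        "user_information": doc.get("userinfo_endpoint", ""),  # empty: taken from ID token
        "jwk_set_uri": doc["jwks_uri"],
    }
    open_decisions = {}

    # Token endpoint authentication is only required for the code flow, and
    # only the methods the wizard offers are candidates.
    if flow == "code":
        methods = [m for m in doc.get("token_endpoint_auth_methods_supported", [])
                   if m in WIZARD_AUTH_METHODS]
        if len(methods) == 1:
            settings["token_authentication"] = methods[0]
        else:
            open_decisions["token_authentication"] = methods

    # Same rule for the ID token algorithm (the wizard's "Encryption" field).
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if len(algs) == 1:
        settings["encryption"] = algs[0]
    else:
        open_decisions["encryption"] = algs
    return settings, open_decisions
```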

Issuer

The identifier for the server to which the client sends authorization requests.

If you have any questions about the configuration, please contact our support team.

Endpoints

Authorization

Enter the URL of the authorization endpoint.

User information

Enter the URL of the user info endpoint. If nothing is defined here, the user info is taken from the ID token.

Token

This is where the URL and authentication for the token endpoint are specified. The authentication method is only required if the code flow is used. Choose between client_secret_post and client_secret_basic.

Logout redirect

This is where you specify the URL to which the user is redirected after logging out.

Error redirect

This is where the URL is specified to which the user is redirected if registration fails. If no URL is defined, the error page is displayed.

If you have any questions about the configuration, please contact our support team.

JSON Web Key (JWK)

JWK set URI

Enter the URI of the JWK set. It is used to validate the ID token.

Key ID

Enter the key ID of the JWK key. It is used in order to have an alternative to the client ID during ID token validation if necessary.

Encryption

Enter the encryption algorithm to be used to decrypt the ID token (e.g. “RS256”).

If you have any questions about the configuration, please contact our support team.

Registration code

Permitted registration codes

This is where you select the registration codes with which users can register. To do so, click the button Add and confirm the selection.

Default registration code

This is where you select a registration code that is used if no code is provided. To do so, click the button Select and confirm the selection.

If you have any questions about the configuration, please contact our support team.

Update user

Specify here, by setting the check mark, whether users without a saved registration code are updated when they log in.

Whitelist

Whitelist active

This is where you specify whether or not the whitelist with authorization groups is active. If it is active and no groups are defined, no users can be created. To activate the whitelist with authorization groups, set the check mark.

Permission groups

This is where you select the authorization groups to be whitelisted by clicking the button Add and confirming your selection. If none are selected and the whitelist is active, no users can be created.

If you have any questions about the configuration, please contact our support team.

More settings

Subject identifier

This is where you choose how the subject identifier behaves. Possible values are “public” and “pairwise”.

Flow

This is where you choose the flow to be used. To date, “id_token”, “id_token token” and “code” are supported.

Scope

This is where you choose the scope to be used. If scopes beyond “openid” are required, choose “Custom” and enter the required value in the text field.

Access token

This is where you can activate the option that the access token should not be validated by setting the check mark. This may be necessary with SAP OpenID, but should generally not be activated.

Error page

This is where you select an error page to be displayed if, for example, the registration code is exhausted. To do so, click the button Select and confirm your selection.

If you have any questions about the configuration, please contact our support team.

Attribute assignment

User identifier

This is where you determine how the user should be found in the system. Users can be found using the login or the identity provider user ID.

Check IDP provider ID

Specify here whether the identity provider ID should always be checked when the user logs in by setting a check mark. If so, only users for whom the identity provider ID matches can register with this configuration.

If an old data set with an OpenID Connect configuration from the system setting “openidconnect.configuration” is migrated, this check mark is set, and you can deactivate it.

Delimiter

This is where you specify the separators with which the paths entered should be evaluated. There is a character that separates the individual elements of a path and a character that separates the different paths from each other if fallback paths are used.

Attribute assignment

This is where you specify which fields in the external system should be mapped to which Avendoo fields.
At least the following Avendoo fields must be filled: login, e-mail, first name and last name.
The path in the external field must be structured according to the JSONPath pattern. You can find more information about this pattern on this page.
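
An added example (not Avendoo's own code) of how the Delimiter and Attribute assignment settings above work together, and of the required-field check that also applies to the SCIM 2.0 attribute assignment: each external path is split into elements, fallback paths are tried in order, and the mapped user is checked against a list of required Avendoo fields. The delimiter characters, the claim names and the assignment table are assumptions, and paths are resolved as simple element-by-element lookups rather than full JSONPath.

```python
import json

# Constructed sample claims as a provider might deliver them in an ID token or
# user info response (all values are placeholders).
CLAIMS_JSON = """
{
  "sub": "a1b2c3",
  "email": "jane.doe@example.test",
  "preferred_username": "jdoe",
  "name": {"given": "Jane"},
  "family_name": null
}
"""
# Assumed delimiters: "." separates the elements of one path, "|" separates
# fallback paths. The real characters are whatever is entered under Delimiter.
ELEMENT_SEP = "."
FALLBACK_SEP = "|"
# Assumed attribute assignment for OpenID Connect: external path -> Avendoo field.
OIDC_ASSIGNMENT = {
    "preferred_username|email": "login",
    "email": "e-mail",
    "name.given|given_name": "first name",
    "family_name|name.family": "last name",
}
OIDC_REQUIRED = ("login", "e-mail", "first name", "last name")


def resolve_path(data, path):
    """Walk one path element by element; None if any element is missing."""
    node = data
    for element in path.split(ELEMENT_SEP):
        if not isinstance(node, dict) or element not in node:
            return None
        node = node[element]
    return node


def resolve_with_fallback(data, paths):
    """Try the fallback paths in order and return the first non-empty value."""
    for path in paths.split(FALLBACK_SEP):
        value = resolve_path(data, path)
        if value not in (None, ""):
            return value
    return None


def map_attributes(claims_json, assignment, required):
    """Apply the assignment and report which required Avendoo fields stayed empty."""
    claims = json.loads(claims_json)
    user = {field: resolve_with_fallback(claims, paths) for paths, field in assignment.items()}
    missing = [field for field in required if user.get(field) in (None, "")]
    return user, missing
```

For a SCIM 2.0 configuration the same function is called with that section's required fields (login, e-mail, identity provider ID, identity provider user ID) instead of OIDC_REQUIRED.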

If you have any questions about the configuration, please contact our support team.