OpenID Connect is an authentication protocol based on the OAuth 2.0 family of specifications. AMS supports OpenID Connect to authenticate AMS users without having to own and manage password files.
With Single Sign-On enabled through the AMS.conf file, users can sign into the AMS web client through a supported OpenID Connect provider. Single Sign-On creates an identity binding between the AMS user account and the OpenID Connect provider account. The binding between AMS user and the provider ID is mapped to a table in AMS.
AMS supports the following OpenID Connect providers:
Auth0
Ping Federate
For single sign-on to AMS to succeed, AMS requires a client ID and a client secret be obtained from the OpenID Connect provider and be configured in the AMS configuration file.
The default password is null for auto-created SSO users, which means the user cannot sign in locally until a non-null password is set through the management page.
When a user first tries to log into the AMS through a provider (for example, Google), the default AMS behavior is to automatically create an AMS account with the user's email for an account name. Behind the scenes, the AMS maintains a mapping of the identity Google provided to the AMS account record.
Consider the following scenarios, for two configured users.
For the default behavior, if user A and B both sign into AMS through Google, there will be two AMS accounts and two mapping records:
> >
> >
For the non-default behavior (where the bindAction property in the AMS.conf file is set to SIGN_IN or SIGN_IN_OR_SIGN_UP), it is possible to have two Google identities map to the same AMS account:
> >
> >
In this scenario, a sign-in by user A would bounce user B, and vice-versa, since the two Google identities point to the same AMS account.
The OpenIDConnectAuthenticationRealm in the AMS.conf file configures the AMS side of the single sign-on binding, including:
Name, issuer, ID, and secret of one or more identity providers
What to do with users who authenticate against an OpenID Connect provider but do not have an AMS profile: auto-create the user or send the user to a sign-up and sign-in form.
OpenID Connect claim (email, name, family_name) used in identifying users.
Initial state of auto-created users: enabled or disabled.
Roles to assign to auto-created users.
Email domains to allow for auto-created users.
General-purpose filter for performing arbitrary checks before auto-creating users.
The following is a section of the AMS.conf configuration file that defines how to use OpenID Connect for web client Single Sign-on. For more information regarding each supported property, see HOCON Elements Explained.
OpenIDConnectAuthenticationRealm {
// Properties that control how identities are bound to AMS profiles after
// authenticating with an identity provider if no matching AMS profile is found.
IdentityToAMSProfileBinding = {
// Configure the action(s) to take when no binding exists between an
// identity and an AMS profile. Valid values are:
// FAIL - Fails the login request.
// AUTO_CREATE - Creates a new AMS profile using the configured OpenID
// Connect claim as the username.
// SIGN_IN - Presents a login form to the user, who enters the credentials
// of an existing AMS profile, creating the binding between the identity
// and profile.
// SIGN_IN_OR_SIGN_UP - Presents a login form to the user, who enters the
// credentials of an existing AMS profile or requests the creation of a new profile.
bindAction = "AUTO_CREATE"
// The OpenID Connect claim used for the username of auto-created AMS profiles.
// Valid values include: email, name, family_name
autoCreateUsernameClaim = "email"
// Determines whether auto-created users, or users created through the sign-up form,
// are initially enabled
autoCreateUserEnabled = "false"
// A comma-delimited list of roles to assign to auto-created users
autoCreateDefaultRoles = ""
// Zero or more filters to apply to auto-create AMS profile requests. A filter
// contains the name of a fully-qualified Java path that conforms to the
// com.tibcp.ep.ams.auth. AMSAutoCreateFilter interface along with zero or more
// parameters associated with each filter. In the example below, a is used to
// restrict the creation of AMS profiles to users within a specific email domain.
// For an auto-create request to succeed, it must pass all the configured filters.
autoCreateFilters = [
{
javaClass = "com.tibco.ep.ams.auth.AMSAutoCreateEmailFilter"
params = [
// Comma-delimited list of acceptable email domains
{
name = "domains"
value = "example.com"
}
]
}
]
}
// Configuration for authentication against one or more OpenID Connect identity
// providers
IdentityProviders = {
providers = [
{
name = "Example1"
issuer = "https://accounts.example.com"
clientId = "SomeExample"
clientSecret = "abc123"
}
]
}
}