How-To set up a federation with an external Identity Provider (IdP)

Introduction

The CoreOne Suite offers you the possibility to establish a federation with predefined external Identity Providers such as SwissID or Google, or with any generic provider that supports OpenID Connect. In this how-to we focus on the latter use case. If you are interested in setting up a federation with SwissID, please see the How-To setup SwissID as Identity Provider (IdP) page.

Step 1 - Data needed

Your external Identity Provider has to be configured in such a way that federation to the CoreOne Suite is allowed. Usually this is done by adding an appropriate client to its configuration. Once you have done that, you will have the following information:

  • A client identifier and a client secret

  • Authentication URL

  • You might also need to provide a redirect URL to your external identity provider. This is usually https://{authurl}/{callbackpathfromconfig}

Step 2 - Add/Configure External Identity provider

In the CoreOne Admin UI navigate to SSO → External Identity providers and select Add.

On the creation form you have to provide the following data (Property, Value, Description):

Property: Name
Value: CoreOne Demo
Description: The name of your external IdP

Property: Description
Value: The IdP of the CoreOne Demo environment
Description: A description for your external IdP

Property: Description Name Key
Value: Customer.ExternalIdP.CoreOneDemo.Description
Description: A translation key for the description

Property: Display Name
Value: CoreOne Demo Login
Description: A display name that is presented to users

Property: Display Name Name Key
Value: Customer.ExternalIdP.CoreOneDemo.DisplayName
Description: A translation key for the display name that is presented to users

Property: Icon
Value: -
Description: An icon from the icon table, if one has been defined

Property: State
Value: Active
Description: The state of the external IdP

Property: Option type
Value: iTsense.CoreLogin2.Server.ExternalAuthentication.Options.GenericCustomOAuthOptions, iTsense.CoreLogin2.Server, Version=4.1911.7.1, Culture=neutral, PublicKeyToken=null
Description: Depending on the provider type, select GenericOpenIdConnectOptions, GenericCustomOAuthOptions or GenericCustomWsFederationOptions

Property: Configuration
Value:
{
  "clientId": "cos_local",
  "clientSecret": "Secret",
  "callbackPath": "/core-login-local",
  "authorizationEndpoint": "https://demo-auth.coreone.ch/connect/authorize",
  "tokenEndpoint": "https://demo-auth.coreone.ch/connect/token",
  "userInformationEndpoint": "https://demo-auth.coreone.ch/connect/userinfo"
}
Description: -

Property: Authentication scheme
Value: CoreLoginLocal
Description: A unique scheme name

Property: Trusted Address
Value: https://demo-auth.itsense.ch
Description: The URL where the user will be redirected to

Property: Link user automatically
Value: true
Description: Whether or not the user shall be linked automatically. If disabled, the user is presented with a confirmation screen.
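Before pasting the Configuration value into the Admin UI it is worth checking it mechanically. The following Python script is an added example and not part of the CoreOne Suite: it parses the JSON shown above, flags missing keys, non-HTTPS endpoints, endpoints that point at different hosts, a placeholder client secret and a relative callbackPath, and derives the redirect URL from Step 1 (https://{authurl}/{callbackpathfromconfig}). It assumes that {authurl} is the base URL of your CoreOne login server; the value https://login.example.com used here is constructed, and the placeholder word list is the author's own.

```python
"""Sanity-check a GenericCustomOAuthOptions-style federation configuration.

Added example, not CoreOne Suite product code. The JSON keys are the ones
shown in the how-to; the check rules (https-only endpoints, single host,
non-placeholder secret, absolute callback path) and the redirect URL
derivation are the author's own defensive assumptions.
"""
import json
from urllib.parse import urlsplit, urlunsplit

REQUIRED_KEYS = (
    "clientId", "clientSecret", "callbackPath",
    "authorizationEndpoint", "tokenEndpoint", "userInformationEndpoint",
)
ENDPOINT_KEYS = ("authorizationEndpoint", "tokenEndpoint", "userInformationEndpoint")
# Values that are clearly placeholders and must not reach a live system (constructed list).
PLACEHOLDER_SECRETS = {"", "secret", "changeme", "password"}

# The Configuration value from the how-to, verbatim.
SAMPLE_CONFIG = (
    '{ "clientId": "cos_local", "clientSecret": "Secret", '
    '"callbackPath": "/core-login-local", '
    '"authorizationEndpoint": "https://demo-auth.coreone.ch/connect/authorize", '
    '"tokenEndpoint": "https://demo-auth.coreone.ch/connect/token", '
    '"userInformationEndpoint": "https://demo-auth.coreone.ch/connect/userinfo" }'
)


def redirect_url(auth_base_url: str, callback_path: str) -> str:
    """Build https://{authurl}/{callbackpathfromconfig} (Step 1).

    Assumption: auth_base_url is the base URL of the CoreOne login server.
    """
    parts = urlsplit(auth_base_url)
    path = parts.path.rstrip("/") + "/" + callback_path.lstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_config(config_json: str, auth_base_url: str) -> dict:
    """Return {"ok": bool, "findings": [...], "redirect_url": str|None}."""
    cfg = json.loads(config_json)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in cfg or not str(cfg[key]).strip():
            findings.append(f"missing or empty: {key}")
    for key in ENDPOINT_KEYS:
        url = cfg.get(key, "")
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
    # All three endpoints normally belong to the same provider host.
    hosts = {urlsplit(cfg[k]).netloc for k in ENDPOINT_KEYS if cfg.get(k)}
    if len(hosts) > 1:
        findings.append(f"endpoints span several hosts: {sorted(hosts)}")
    if str(cfg.get("clientSecret", "")).lower() in PLACEHOLDER_SECRETS:
        findings.append("clientSecret looks like a placeholder")
    cb = cfg.get("callbackPath", "")
    if cb and not cb.startswith("/"):
        findings.append(f"callbackPath should be an absolute path: {cb}")
    return {
        "ok": not findings,
        "findings": findings,
        "redirect_url": redirect_url(auth_base_url, cb) if cb else None,
    }


if __name__ == "__main__":
    # Constructed login server URL; substitute your own.
    print(json.dumps(check_config(SAMPLE_CONFIG, "https://login.example.com"), indent=2))
```

Run against the how-to's sample, the script reports the placeholder secret "Secret" and prints the redirect URL that has to be registered at the external IdP; once the secret is replaced by the real value the check passes.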

Step 3 - Define the attribute mapping

As a next step you can configure the Attribute Mappings. An Attribute Mapping defines which external claim is automatically matched to which CoreOne Suite attribute.

Example for Attribute Mappings:

Attribute | Identifies the user | Original Claim Type Name
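To make the three columns of the mapping table concrete, here is an added Python example (not CoreOne Suite code) that applies such a mapping to the claims an external IdP returns. The mapping rows, the claim names and the sample claims are constructed; the decision to keep identifying claims separate from plain attributes, and to reject a token that lacks an identifying claim, is the author's own assumption about how a safe linking step should behave.

```python
"""Apply a CoreOne-style attribute mapping to external IdP claims.

Added example, not CoreOne Suite code. Models the three columns of the
Step 3 table: Attribute, Identifies the user, Original Claim Type Name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeMapping:
    attribute: str            # CoreOne Suite attribute to fill
    identifies_user: bool     # True: used to find/link the existing user
    original_claim_type: str  # claim name as delivered by the external IdP


# Constructed example mapping (not from the page).
MAPPINGS = [
    AttributeMapping("Email", True, "email"),
    AttributeMapping("FirstName", False, "given_name"),
    AttributeMapping("LastName", False, "family_name"),
]

# Constructed sample claims, shaped like an OIDC userinfo response.
SAMPLE_CLAIMS = {
    "sub": "1234",
    "email": "jane@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "picture": "https://example.com/jane.png",
}


def map_claims(claims: dict, mappings=MAPPINGS) -> dict:
    """Return {"identity": {...}, "attributes": {...}, "unmapped": [...]}.

    Identity claims are kept apart from plain attributes so that the linking
    decision (Step 2, "Link user automatically") is based only on claims the
    administrator explicitly marked as identifying. A token that lacks an
    identifying claim raises ValueError: linking must never silently fall
    through to a missing identifier.
    """
    identity, attributes = {}, {}
    for m in mappings:
        if m.original_claim_type not in claims:
            if m.identifies_user:
                raise ValueError(f"identifying claim '{m.original_claim_type}' missing")
            continue  # optional attribute simply stays unset
        target = identity if m.identifies_user else attributes
        target[m.attribute] = claims[m.original_claim_type]
    mapped = {m.original_claim_type for m in mappings}
    unmapped = sorted(c for c in claims if c not in mapped)
    return {"identity": identity, "attributes": attributes, "unmapped": unmapped}


if __name__ == "__main__":
    print(map_claims(SAMPLE_CLAIMS))
```

The unmapped list is useful when reviewing a new provider: every claim listed there is data the IdP sends but the CoreOne Suite will ignore until a mapping row is added for it.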

Step 4 - Add the external provider to your Level of Authentication

Under SSO → Level of Authentications select the appropriate record and add a new Level of Authentication Entry by clicking Add in the Level of Authentication Entries list.

Enter a name and navigate to the detail page after you hit Save. On the detail page, add your external identity provider to the list of logon configurations and you are done.


© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.