Skip to main content
Version: 5.6

Setting up SSO with an external OpenID authentication server

This document describes the operation and configuration of BlueMind with an external OpenID authentication server.

Prerequisites

  • Have an OpenID server up and running
  • Have authorized the BlueMind authentication client with the OpenID server.

After configuration, note the following information, which will be used to configure BlueMind:

  • third-party OpenID server URL
  • OpenId client identifier (sometimes called Application ID)
  • **OpenId customer secret

How OpenID authentication works

For initial authentication :

  1. The user tries to connect to BlueMind, which he opens in his browser.
  2. As it has not yet been authenticated, the BlueMind server redirects it to the OpenID server for authentication.
  3. Once authenticated, an openID cookie is placed in the user's browser, and the user is redirected to BlueMind with a ticket to validate.
  4. The BlueMind server :
    1. sees this ticket,
    2. asks the openID server if it is valid,
    3. If that is the case, authorize the connection and set a BlueMind cookie in the browser.

On next authentication:

  1. The customer requests access to the BlueMind server again.
  2. As it has the BlueMind cookie, it is automatically authenticated as long as this cookie is valid.

OpenID configuration for a single or primary domain

  1. In the administration console, go to System management > Supervised domains > choose domain > Security tab.

    ℹ️ Compte administrateur
    La procédure concerne la configuration du domaine, il est donc possible et préférable d'utiliser un compte administrateur de domaine plutôt que le superutilisateur admin0.

  2. Select the OpenID authentication mode from the drop-down menu and fill in the associated fields:

    • third-party OpenID server URL: indicate the URL of the OpenID server used to retrieve the list of endpoints.
      Par exemple, sur Keycloak, c'est une URL de la forme : https://{openid-server}/realms/{realm}/.well-known/openid-configuration
      Remplacer:
      • {openid-server}by OpenID server hostname
      • {realm} by the realm configured on the server
    • OpenId customer identifier
    • **OpenId customer secret
  3. Click on "Save" to save your changes.

Users will then be automatically redirected to the OpenID server when accessing the authentication page.

OpenID configuration in a shared Environment

To use a single authentication server with multiple domains, you configure the server for a primary domain, to which the other domains are linked.

  1. Set up your first domain using the method described above; it will then be considered the primary domain.

  2. Enter an external URL for the primary domain (see External URL Configuration).

    Configuring the external URL is required for authentication to work properly with all domains.
  3. Note the username(s) of the subdomain(s) (Domain UID) from the list of domains or their management page.

  4. Go to the management page for the primary domain > Security tab. Sous le formulaire de configuration OpenID apparaît désormais un lien "Ajouter" :

    → cliquer pour ajouter autant de domaines secondaires que désiré.

  5. Dans les champs ajoutés, renseigner les UID des domaines à lier :

  6. Click "Save" to confirm.

  7. Dans la fiche de gestion des domaines secondaires, onglet Sécurité, le formulaire est désormais remplacé par une information contenant l'UID du domaine primaire :

Find out more

Related BlueMind documentation pages