OpenID Connect
OpenID Connect (OIDC) is an open standard security protocol that delegates authentication to a third-party identity provider.
To use OpenID Connect, configure the OpenID Connect provider, and then configure OpenID Connect in MSS.
Support
OIDC is supported in
- Reflection Desktop (configured for centralized management)
- Host Access for the Cloud (HACloud)
- MSS Administrative Console
- the Assigned Sessions List, which can launch Reflection Desktop, HACloud, and Reflection for the Web
Configuring the OpenID Connect Provider
1. Create a new application.
2. Enter https://<Cluster DNS value>/osp/a/hc/auth/app/contractcontinue as the Callback URL.
3. Select the openid, profile, and email scopes.
4. Save the application.
Configuring OpenID Connect in MSS
1. First, enable OAuth.
2. Log into the MSS Administrative Console.
3. Click Configure Settings - Trusted Certificates.
4. Click Management and Security Server as the Certificate Store.
5. Import the OIDC Provider certificate.
6. Then, click Configure Settings - Authentication & Authorization.
7. Click OpenID Connect as the Authentication Method.
8. If you prefer to use LDAP for the Authorization method instead of allowing all authenticated users to access all published sessions, see Using LDAP as the Authorization method.
9. Enter the Provider URL.
10. Enter the Client ID.
11. Enter the Client Secret.
12. The default Source attribute is email, but you can set it to preferred_username to identify the user by username instead of email address.
Using LDAP as the Authorization method
1. Under Authorization method, click Use LDAP to restrict access to sessions.
2. Add an LDAP server configuration. For descriptions of each setting, see LDAP Configuration.
   - Server Type:
   - Server name:
   - Server port:
   - Username:
   - Password:
   - Directory search base:
3. Enter a Target attribute. This attribute value must match the Source attribute entry (step 12 of Configuring OpenID Connect in MSS). For instance, if email is used as the source, then an LDAP attribute that holds the email address must be used here (Example: email). Or if preferred_username is used as the source, then an LDAP attribute that holds the username must be used here (Example: uid).
4. Click Apply, and wait for the auth service to restart.
5. Continue with Configuring OpenID Connect in MSS, step 9 above.
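As an added example (not part of the MSS documentation or product code), the following Python shows how the Source attribute and the Target attribute work together: the value of the configured ID-token claim is looked up in the matching LDAP attribute, and that value is escaped so a claim value cannot change the meaning of the LDAP search filter. The sample claims, the attribute pairs and the function names are constructed assumptions.

```python
import json

# Constructed sample of the decoded claims of an ID token returned by the
# OIDC provider (not a real token; signature validation is out of scope here).
SAMPLE_ID_TOKEN_CLAIMS = json.dumps({
    "sub": "1234567890",
    "email": "jdoe@example.com",
    "preferred_username": "jdoe",
})

# Constructed claims containing LDAP filter metacharacters, to show that the
# identifier is escaped before it is placed in the search filter.
HOSTILE_CLAIMS = json.dumps({"email": "*)(uid=*"})

# The Source/Target attribute pairs the documentation gives as examples:
# OIDC claim name -> LDAP attribute name holding the same identifier.
EXAMPLE_ATTRIBUTE_PAIRS = {"email": "email", "preferred_username": "uid"}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def select_identifier(claims_json: str, source_attribute: str) -> str:
    """Return the value of the configured Source attribute claim."""
    claims = json.loads(claims_json)
    value = claims.get(source_attribute)
    if not isinstance(value, str) or not value:
        raise ValueError(f"ID token has no usable '{source_attribute}' claim")
    return value


def build_user_filter(claims_json: str, source_attribute: str,
                      target_attribute: str) -> str:
    """Build the LDAP filter that looks up the user by the Target attribute."""
    identifier = select_identifier(claims_json, source_attribute)
    return f"({target_attribute}={ldap_escape(identifier)})"


if __name__ == "__main__":
    for source, target in EXAMPLE_ATTRIBUTE_PAIRS.items():
        print(source, "->", build_user_filter(SAMPLE_ID_TOKEN_CLAIMS, source, target))
    # Metacharacters in the claim end up escaped, not interpreted.
    print(build_user_filter(HOSTILE_CLAIMS, "email", "email"))
```

A claim that is missing from the token raises instead of silently matching a different attribute, which is the failure you want when the Source and Target attributes are misconfigured.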