This document describes how to integrate a custom Identity Provider using OpenID Connect with Naviga ID.
The party that wishes to integrate with Naviga Login must have an identity provider compatible with the OpenID Connect 1.0 Core specification.
Specifically, the identity provider must support the OpenID Connect Authorization Code Flow.
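Before sending the metadata URL to Naviga, you can check that the provider's discovery document actually advertises what the requirement above asks for. The check below is an added example, not part of this document or of Naviga ID; the provider host, endpoints and both metadata documents are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OpenID provider metadata document; the host and
# paths are placeholders, not a real identity provider.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Same provider, but configured for the Implicit Flow only (constructed).
IMPLICIT_ONLY_METADATA = json.dumps({
    **json.loads(SAMPLE_METADATA),
    "response_types_supported": ["id_token", "id_token token"],
    "grant_types_supported": ["implicit"],
})

# Fields OpenID Connect Discovery 1.0 requires that the Authorization Code
# Flow depends on (token_endpoint is only optional for Implicit-only providers).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_code_flow_support(metadata_json, metadata_url):
    """Return a list of problems; an empty list means the provider can be used
    with the Authorization Code Flow. metadata_url is where the document was
    fetched from, so the issuer can be checked against it."""
    meta = json.loads(metadata_json)
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if not meta.get(f)]
    issuer = meta.get("issuer", "")
    # Discovery 1.0 section 4.3: the issuer MUST be https and MUST match the
    # location the metadata was retrieved from (guards against issuer mix-ups).
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not an https URL")
    if metadata_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("issuer does not match the metadata URL")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    # grant_types_supported is optional; the spec default is
    # ["authorization_code", "implicit"], so only flag it when present and lacking.
    grants = meta.get("grant_types_supported")
    if grants is not None and "authorization_code" not in grants:
        problems.append("grant_type 'authorization_code' not supported")
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not offered")
    return problems
```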
Information we need to integrate your OIDC application:
URL to your OpenID provider metadata file (.well-known/openid-configuration)
Client ID
Client secret
The following URLs must be added to the integrating party’s Whitelisted Callback URLs or equivalent:
The following URLs must be added to the integrating party’s Allowed Web Origins or equivalent:
Integration of an Identity Provider in Naviga ID using OpenID Connect requires some setup in the Identity Provider. Here you can find instructions for the most common providers and how to configure them to support Naviga ID.
This document describes how to integrate Google G Suite using OpenID Connect with Naviga ID.
The following steps in this document require that you have a working G Suite directory https://gsuite.google.com/.
1. Login to your Google account and go to the API Manager
2. Click on Select a project dropdown and choose that project you want to use or create a new one.
3. Click on Create credentials and select the OAuth client ID
4. Google shows a banner saying "To create an OAuth client ID, you must first set a product name on the consent screen". Click on Configure consent screen
5. Type the Product Name that will be shown to the users when they log in through GSuite, add infomaker.io as an Authorised domain and click Save.
6. Now we will fill in information about the app. Start with selecting Web application and provide a name for your app.
8. Under Restrictions, fill in the following information:
Authorized JavaScript origins: https://imas.imid.infomaker.io, https://imas.stage.imid.infomaker.io
Authorized redirect URI: https://imas.stage.imid.infomaker.io/v1/org/<OrganizationName>/login-callback, https://imas.imid.infomaker.io/v1/org/<OrganizationName>/login-callback
<OrganizationName> should be replaced with a name given to you by Naviga.
9. Click on Create and your Client ID and Client Secret will now be displayed.
1. From the Admin console Home page, go to Security > API reference.
2. Check the Enable API access box.
3. Click save.
Search for Admin SDK
Click on Admin SDK and click on Enable
If you want Naviga Login to be able to fetch groups for the logged in user, a service account is required.
Create a service account and delegate domain-wide authority to it by following this guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation.
The following scopes are required to fetch user groups: https://www.googleapis.com/auth/admin.directory.group.readonly
Access to the G Suite Admin SDK requires impersonating a user with access to the Directory API:
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the G Suite Terms of Service.
The information needed by Naviga to complete the integration
URL to your OpenID provider metadata file (.well-known/openid-configuration)
Client ID
Client secret
Private key file of the created service account in JSON format
Email address or user ID of a user with access to the Directory API
Domain for which to retrieve the user groups
This document describes how to integrate Microsoft Azure using OpenID Connect with Naviga ID.
The following steps in this document require that you have a working Active Directory within Microsoft Azure. It can be a federation with a local Active Directory or your main Active Directory. Read more about how to deploy Active Directory Federation Services in Azure: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs
Login to https://portal.azure.com/ and click on Azure Active Directory and then on App registrations (Preview)
Click on New registration
Name: <Your choice of name> Suggestion: Naviga Login
Supported account types: Accounts in this organizational directory only (Default Directory)
Redirect URI (optional): Web / https://imas.imid.infomaker.io
Go to Authentication within your newly created app and add the following URLs under Redirect URIs as Web type (the organization name will be provided to you by Infomaker/Newscycle):
https://imas.stage.imid.infomaker.io/v1/org/<OrganizationName>/login-callback
https://imas.imid.infomaker.io/v1/org/<OrganizationName>/login-callback
Go to API permissions and enable the following:
openid
offline_access
profile
You can read more about user permissions and OpenId in the Azure documentation.
Go to Certificates & secrets and add a new Client secret
Description: client_secret
Expires: Your choice. But remember that you need to provide Naviga with a new Client Secret before the expiry date, otherwise your users will not be able to log in with Naviga ID after that date.
Go to Manifest and replace the following items:
This will include user groups in tokens
This will include given name and last name in tokens
You are now done with configuration
By default, Azure AD only provides group IDs in the token and in order for Naviga ID to fetch the names of those groups, additional configuration is required.
Under API permissions add the following delegated permission:
GroupMember.Read.All
This allows Naviga ID to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
The information needed by Naviga to complete the integration
Application (client) ID for your app
Example: 582fca63-a083-41f2-b8d2-0d35e3acf16f
Client secret for your app
The URL of the OpenID Connect metadata document. Example: https://login.microsoftonline.com/b77b73ba-4156-4e43-940b-aa34693839db/v2.0/.well-known/openid-configuration
Create at least two accounts for Naviga. One for a regular user and one for an admin user (example naviga.user@company.com and naviga.admin@company.com). These users should also be assigned to groups within Azure AD.
Moving to a new identity provider will, most of the time, involve a new subject ID for the user, resulting in a new subject ID in Naviga ID as well. To retain the user's Naviga ID subject ID, the http://infomaker.io/originalSubject claim can be added to the organization token. This claim should consist of the subject ID the user had in the previous identity provider.
When encountering the http://infomaker.io/originalSubject claim, Naviga ID will replace the previous subject ID stored internally with the subject ID found in the sub claim.
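The following model shows the re-keying the paragraph above describes, as an added example that is not Naviga ID's own code: the SubjectStore class, the user records and both subject IDs are constructed, and the rule that a subject already known under its new sub ignores originalSubject is an assumption added here, not something this document states.

```python
ORIGINAL_SUBJECT_CLAIM = "http://infomaker.io/originalSubject"


class SubjectStore:
    """Hypothetical in-memory model of one organization's subject mapping.

    Keys are subject IDs as issued by the identity provider, values are the
    internal user records that must survive an identity-provider migration."""

    def __init__(self, users):
        self.by_subject = dict(users)

    def resolve(self, claims):
        """Resolve the claims of a verified organization token to a user record.

        The claims must come from a token whose signature has already been
        checked; they are trusted as the identity provider's statement.
        Returns (user, outcome) with outcome 'existing', 'migrated' or 'new'."""
        sub = claims["sub"]  # required by OpenID Connect Core
        original = claims.get(ORIGINAL_SUBJECT_CLAIM)
        if sub in self.by_subject:
            # Already known under the new subject ID, so originalSubject is ignored
            # and a later token cannot re-map the account (assumption, see lead-in).
            return self.by_subject[sub], "existing"
        if original and original in self.by_subject:
            # Migration as described on the page: the record stored under the
            # previous provider's subject ID is re-keyed by the new sub.
            user = self.by_subject.pop(original)
            user["subject"] = sub
            self.by_subject[sub] = user
            return user, "migrated"
        user = {"subject": sub, "groups": []}
        self.by_subject[sub] = user
        return user, "new"


def demo():
    # Constructed sample: one user known under the previous provider's subject ID,
    # logging in twice through the new provider.
    store = SubjectStore({"old-idp|u-1001": {"subject": "old-idp|u-1001", "groups": ["editors"]}})
    first_login = {"sub": "new-idp|7f3c", ORIGINAL_SUBJECT_CLAIM: "old-idp|u-1001"}
    user, outcome = store.resolve(first_login)
    second_login = {"sub": "new-idp|7f3c"}  # later tokens need not carry the claim
    user2, outcome2 = store.resolve(second_login)
    return outcome, outcome2, user is user2, "old-idp|u-1001" in store.by_subject
```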
Copy the Value and keep it in a safe place. The value will be gone after you leave that page.