|
Configuring an OpenID Connect (OIDC) application |
Scroll |
How do I configure an OpenID Connect (OIDC) application to be used with Therefore™?
1. Before OneLogin can be set up inside Therefore™ a new application needs to be created in the OneLogin Administration portal.
2. Add a new Application.
3. Search for the “OpenID Connect” application in OneLogin and select it.
4. To make it clear what this OIDC application is used for the application can be renamed to “Therefore” now:
5.Optionally, images and description can be added. Click ‘Save’ when this is done. Once the application has been saved, the ‘Configuration’ section allows you to specify the redirect URLs needed by Therefore. Please be aware that these are case sensitive.
|
•http://127.0.0.1:49152/redirect •https://mytenant.thereforeonline.com/Client/WEB/Login/SSOLogin.aspx •https://mytenant.thereforeonline.com/signin |
For On-Premise (single tenant), the URLs need to follow this pattern:
|
•http://127.0.0.1:64957/redirect •https://mydomain/TWA/Client/WEB/Login/SSOLogin.aspx •https://mydomain/TWA/signin |
The first URL is needed for the installed Therefore™ Client and is just a placeholder as the redirect is not actually executed. The second URL is needed for the Therefore™ Classic Web Client. The third URL is for the Therefore™ Dynamic Web View. The URLs needs to be adjusted to match your tenant and TFO-Domain, or on-premise URL.
6. In the ‘Parameters’ section there will already be a ‘Groups’ field but it has to be adjusted to return roles instead of groups.
7. The default value has to be changed to “User Roles” with “Semicolon Delimited input (Multi-value output)”. If this is set up correctly, Therefore™ will get the user roles directly from the authentication without the need for additional API requests.
8. In the SSO section, the ‘Application Type’ and ‘Authentication Method’ can both be left on their default settings “Web” and “Basic”. The Client ID will be needed in the next step when configuring the external directory provider in Therefore™.
9. To grant users access to this new application go to the ‘Access’ section and apply a role. All users with this role will be able to use this application. Alternatively, access can also be granted for specific users but not through the ‘Users’ section of the application. Instead, it needs to be granted through the Users menu entry by editing a user’s applications.
10. On the ‘Applications’ menu entry, your new application will be displayed and the amount of users that are allowed to use it will be shown.
