Adding Application Information for OpenID Connect

Applies to: Web Console, Command Center

To use OpenID Connect (OIDC) for authentication, your service provider must support the RS256 algorithm for signing ID Tokens. For information about OpenID Connect, go to the OpenID website.

Before You Begin

Go to your OpenID Connect provider portal and do the following:

  • To obtain a client ID and a client secret, create a web authorization client and associate it with specific Web Consoles:

    • For the redirect URLs, enter the URLs of your Web Consoles appended with /openIdConnectCallback.do. Include the port number in the URL, for example: http://client1.mydomain.com:80/webconsole/openIdConnectCallback.do.

    • Make a note of the client ID and client secret.

      Note

      The Command Center and Web Console use the authorization code flow. Any other information that is received from the OpenID provider is ignored.

  • Obtain the discovery endpoint URL for the provider, for example: https://oidc-provider.com/.well-known/openid-configuration.

  • Verify that the ID Tokens are signed using the RS256 algorithm. To do this, navigate to the OpenID Connect discovery endpoint URL and check that 'RS256' is one of the values listed under [id_token_signing_alg_values_supported].
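The checks in the steps above can be scripted. The following Python example is added here and is not part of the Commvault documentation; the discovery document and the Web Console URLs are constructed samples, and the field names are those of the OpenID Connect Discovery specification.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (not fetched from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://oidc-provider.com",
    "authorization_endpoint": "https://oidc-provider.com/authorize",
    "token_endpoint": "https://oidc-provider.com/token",
    "jwks_uri": "https://oidc-provider.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "email", "profile"],
})


def check_discovery(document: str) -> dict:
    """Parse a discovery document and report whether it meets the
    requirements on this page: RS256 ID Token signing, the authorization
    code flow ("code" response type) and the email scope."""
    cfg = json.loads(document)
    algs = cfg.get("id_token_signing_alg_values_supported", [])
    return {
        "rs256_supported": "RS256" in algs,
        "code_flow_supported": "code" in cfg.get("response_types_supported", []),
        "email_scope_supported": "email" in cfg.get("scopes_supported", []),
    }


def callback_url(web_console_url: str) -> str:
    """Build the redirect URL to register for a Web Console: the console
    URL with an explicit port and /openIdConnectCallback.do appended."""
    parts = urlsplit(web_console_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {web_console_url!r}")
    # The page requires the port in the URL; fill in the scheme default if omitted.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.hostname}:{port}{path}/openIdConnectCallback.do"


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY))
    print(callback_url("http://client1.mydomain.com:80/webconsole"))
```

To check a real provider, pass the JSON body retrieved from its discovery endpoint URL to check_discovery instead of the constructed sample.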

About This Task

The user IDs stored in the CommServe database must match the user IDs stored by the OpenID provider. If your Commvault user IDs are created under an organization or a company (Command Center), the format for the user name is company\user. The same format must be used by the OpenID provider.

The Web Console requests the email claim from the OpenID server via the scope parameter (scope=openId+email). Configure the OpenID claim in one of the following ways:

  • Use the Commvault user account email address as the email value in the OpenID claim.

  • Use the Commvault user account email address or user name as the sub value in the OpenID claim.

Procedure

  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.

  2. Under CommCell, click Identity Management.

    The Identity Management dialog box appears.

  3. On the Identity Management tab, click Add, and select OpenID Connect.

    The Add OpenID Connect Application Info dialog box appears.

  4. Specify the settings for the application:

    • On the General tab, do the following:

      1. Under Application Info, enter the values you obtained from your provider for Client ID, Client Secret, and Discovery Endpoint URL.

      2. Under Associated Web Consoles, enter the URLs for the Web Consoles you added as redirect URLs on your provider portal, for example: http://client1.mydomain.com:80/webconsole.

    • On the Association tab, select the users and user groups who can be authenticated by the provider.

  5. Click OK.

  6. Restart the Tomcat service on the Web Console computer.

    Note

    If any of the provider information under Application Info changes, you must restart the Tomcat server.

Result

When you access a Web Console and you are not logged on, enter your user name and tab out of the field to be redirected to the OpenID Connect provider. The first time you log on using a provider, you are prompted to grant permission.

After you log on, you are returned to the Web Console.
