V11 SP8

Adding Application Information for OpenID Connect

Applies To: Web Console and Admin Console

Before users can log on by using OpenID Connect (OIDC), you must obtain a client ID and a client secret from the provider and associate them with specific Web Consoles. For information about OpenID Connect, go to the OpenID website.

Before You Begin

Go to your OpenID Connect provider portal and do the following:
  • To obtain a client ID and a client secret, create a web authorization client:
    • For the redirect URLs, enter the URLs of your Web Consoles appended with /openIdConnectCallback.do. Include the port number in the URL, for example: http://client1.mydomain.com:80/webconsole/openIdConnectCallback.do.
    • Make note of the client ID and client secret.
  • Obtain the discovery endpoint URL for the provider, for example: https://accounts.google.com/.well-known/openid-configuration.

About This Task

The user IDs stored in the CommServe database must match the user IDs stored by the OpenID provider.

The Web Console requests the email claim from the OpenID server via the scope parameter (scope=openId+email). Configure the OpenID claim in one of the following ways:

  • Use the Commvault user account email address as the email value in the OpenID claim.
  • Use the Commvault user account email address or user name as the sub value in the OpenID claim.
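The two pieces of this setup that are easy to get wrong are the redirect URL registered at the provider (port included, /openIdConnectCallback.do appended) and the rule for matching the provider's claims to a Commvault account. The following is an added example, not Commvault's own code, that builds the callback URL from a Web Console URL, sanity-checks a provider discovery document, and resolves ID-token claims to a user by the two options above (email claim against the account email, or sub against the account email or user name). The user records, claims and discovery document are constructed samples; requiring email_verified before trusting the email claim is an added check, not something the page states.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample Commvault accounts: user name -> account email address.
SAMPLE_USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Constructed sample claims as returned for scope=openid email (not a real token).
SAMPLE_CLAIMS = {"sub": "10847", "email": "Alice@example.com", "email_verified": True}

# Constructed, minimal discovery document of the kind served at
# /.well-known/openid-configuration (values are illustrative).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "scopes_supported": ["openid", "email", "profile"],
}


def callback_url(web_console_url: str) -> str:
    """Redirect URL to register at the provider: the Web Console URL with an
    explicit port and /openIdConnectCallback.do appended."""
    parts = urlsplit(web_console_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.rstrip("/") + "/openIdConnectCallback.do"
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", path, "", ""))


def check_discovery(doc: dict) -> list:
    """Return a list of problems with a discovery document (empty if none):
    non-HTTPS issuer, missing core endpoints, or the email scope not advertised."""
    problems = []
    if not doc.get("issuer", "").startswith("https://"):
        problems.append("issuer is not https")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    for scope in ("openid", "email"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    return problems


def resolve_user(claims: dict, users: dict) -> Optional[str]:
    """Map claims to a Commvault user name: a verified email claim equal to the
    account email, else a sub equal to the user name or the account email."""
    by_email = {email.lower(): name for name, email in users.items()}
    email = claims.get("email")
    if email and claims.get("email_verified", False):
        name = by_email.get(email.lower())
        if name:
            return name
    sub = claims.get("sub", "")
    return sub if sub in users else by_email.get(sub.lower())
```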

Procedure

  1. From the CommCell Console ribbon, on the Home tab, click Control Panel.
  2. Under CommCell, click Identity Management.

    The Identity Management dialog box appears.

  3. On the Identity Management tab, click Add, and select OpenID Connect.

    The Add OpenID Connect Application Info dialog box appears.

  4. Specify the settings for the application:
    • On the General tab, do the following:
      1. Under Application Info, enter the values you obtained from your provider for Client ID, Client Secret, and Discovery Endpoint URL.
      2. Under Associated Web Consoles, enter the URLs for the Web Consoles you added as redirect URLs on your provider portal, for example: http://client1.mydomain.com:80/webconsole.
    • On the Association tab, select the users and user groups who can be authenticated by the provider.
  5. Click OK.
  6. Restart the Tomcat service on the Web Console computer.

    Note: If any of the provider information under Application Info changes, you must restart the Tomcat server.

Result

When you access a Web Console and you are not logged on, enter your user name and tab out of the field to be redirected to the OpenID Connect provider. The first time you log on using a provider, you are prompted to grant permission.

After you log on, you are returned to the Web Console.