Note: As of this writing, Noah ES does support using OpenID Connect. However, once a single sign-on entry has been created it cannot later be edited. This is a known issue and will be addressed in the near future.

In the meantime, if values need to be edited, a new SSO entry must be created, and each user's account must then be edited to make use of the new SSO entry.

Noah ES can integrate with third-party authentication systems, for example Microsoft Azure Active Directory or OpenID Connect; this document covers OpenID Connect integration specifically.

OpenID Connect is an authentication and authorization protocol that enables SSO for web and mobile applications.

Setting Up Noah ES within the Identity Provider (Okta)

In Okta, create a new “App Integration” by selecting the OIDC sign-in method and Application Type = Web Application.

  • Specify a Sign-in redirect URI and a Sign-out redirect URI on the third-party OpenID Connect provider's configuration page.
    The URIs depend on the Noah ES data center where the tenant (account) is hosted. See Points 1 and 2 in the diagram to the right.

For Noah ES accounts in the US data center, use the following URIs (include both for each kind):

Sign-in redirect URI:
  https://idp.us.noah-es.com/signin-idsrv
  https://idp-us.himsa-sso.com/signin-idsrv

Sign-out redirect URI:
  https://idp.us.noah-es.com/signout-idsrv
  https://idp-us.himsa-sso.com/signout-idsrv

For Noah ES accounts in the EU data center, use the following URIs (include both for each kind):

Sign-in redirect URI:
  https://idp.eu.noah-es.com/signin-idsrv
  https://idp-eu.himsa-sso.com/signin-idsrv

Sign-out redirect URI:
  https://idp.eu.noah-es.com/signout-idsrv
  https://idp-eu.himsa-sso.com/signout-idsrv



Diagram 1 (firest.drawio)

Diagram 2 (appsetup.drawio)

Diagrams 3-4: Other App Setup Screenshots (app2.drawio, app3.drawio)

Setting Up Single Sign-on within the Noah ES Portal

When adding a new Single Sign-on configuration in the Noah ES App Portal (Settings -> Single Sign-on), click the (+) plus symbol and choose OpenID Connect; a number of fields for configuring Single Sign-On (SSO) with OpenID Connect must then be filled in.

The specific values you enter for these fields depend on the OpenID Connect provider you are using, as they provide the necessary information for configuration. Be sure to consult the documentation provided by your OpenID Connect provider for precise details on what to enter in these fields.

Here follows a description of each field and the kind of information it takes (see Diagram 5 for examples):

  1. Name:
    Description: A user-friendly name for the OpenID Connect configuration. It's just a label for your reference (currently limited to 7 characters).

  2. Client ID Override:
    Description: The client ID is a unique identifier for your application when it interacts with the OpenID Connect provider (e.g., an identity provider or IdP). Some systems allow you to override the default client ID for specific purposes. When integrating with a third-party service or identity provider, they may provide you with a specific Client ID to use for the integration. In such cases, you would override the default Client ID with the one provided by the third party.

    When using Okta as the Identity Provider, this value is the Client ID of the app registration that was created in Okta for this connection. See point C in Diagram 2.

  3. Issuer:
    Description: The issuer is the URL of the OpenID Connect provider (Identity Provider). It's typically a well-defined URL where the provider publishes its metadata, and it's also used to verify the authenticity of the OpenID Connect provider. This is the URL or GUID that identifies the Identity Provider. Note: do not include a trailing '/' at the end of the URL; for example, ……okta.com/ may cause the integration to fail.
    Example: See Point 3 in Diagram 5

  4. Metadata URL:
    Description: This is a URL provided by the OpenID Connect provider that contains metadata about the provider's configuration. It includes information such as endpoints, supported scopes, and more. Instead of manually configuring every detail, you can often enter this URL to automatically populate the settings.
    This URL ends with "/.well-known/openid-configuration", which is the path of the identity provider's discovery document:
      /.well-known/openid-configuration
    Example: See Point 4 in Diagram 5

  5. Logon URL:
    Description: This is the URL where the user will be redirected to log in when they access your application. It's typically provided by the OpenID Connect provider and is used in the authentication process. This URL ends with "/oauth2/v1/authorize":
      /oauth2/v1/authorize
    Example: See Point 5 in Diagram 5

  6. Logout URL:
    Description: This is the URL where the user will be redirected after logging out from your application. It's also provided by the OpenID Connect provider and is used to terminate the user's session. This URL ends with "/oauth2/v1/logout":
      /oauth2/v1/logout
    Example: https://trial-7866800.okta.com/oauth2/v1/logout (see Point 6 in Diagram 5)
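Because an SSO entry cannot be edited once saved, it pays to check the values before entering them. The following is an added example (not Noah ES or HIMSA code) that checks a proposed entry against the rules above: the 7-character name limit, the no-trailing-slash issuer, the discovery-document path, the Okta authorize/logout suffixes, and that the discovery document's own issuer matches; it also reports which of the per-data-center redirect URIs from the table above are still missing from the Okta app. The discovery document is a constructed sample with a hypothetical org name; in practice it is fetched from the Metadata URL.

```python
import json

# Redirect URIs per Noah ES data center as listed on this page (register both per kind).
REDIRECT_URIS = {
    "US": {"signin": {"https://idp.us.noah-es.com/signin-idsrv",
                      "https://idp-us.himsa-sso.com/signin-idsrv"},
           "signout": {"https://idp.us.noah-es.com/signout-idsrv",
                       "https://idp-us.himsa-sso.com/signout-idsrv"}},
    "EU": {"signin": {"https://idp.eu.noah-es.com/signin-idsrv",
                      "https://idp-eu.himsa-sso.com/signin-idsrv"},
           "signout": {"https://idp.eu.noah-es.com/signout-idsrv",
                       "https://idp-eu.himsa-sso.com/signout-idsrv"}},
}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of an Okta discovery document (hypothetical org name).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "end_session_endpoint": "https://example-org.okta.com/oauth2/v1/logout",
})

def missing_redirect_uris(region, kind, registered):
    """URIs from the table for `region`/`kind` that the Okta app does not yet list."""
    return REDIRECT_URIS[region][kind] - set(registered)

def check_sso_entry(entry, discovery_json):
    """Return the problems found in a proposed portal SSO entry (empty list = OK)."""
    problems = []
    if not 1 <= len(entry["name"]) <= 7:
        problems.append("name must be 1-7 characters")
    issuer = entry["issuer"]
    if issuer.endswith("/"):
        problems.append("issuer must not end with '/'")
    if entry["metadata_url"] != issuer.rstrip("/") + DISCOVERY_SUFFIX:
        problems.append("metadata URL must be <issuer>" + DISCOVERY_SUFFIX)
    if not entry["logon_url"].endswith("/oauth2/v1/authorize"):
        problems.append("logon URL must end with /oauth2/v1/authorize")
    if not entry["logout_url"].endswith("/oauth2/v1/logout"):
        problems.append("logout URL must end with /oauth2/v1/logout")
    doc = json.loads(discovery_json)
    # The configured issuer must match the discovery document byte for byte: ID tokens
    # carry the discovery issuer in `iss`, so a stray trailing slash fails validation.
    if doc.get("issuer") != issuer:
        problems.append("issuer does not match discovery document issuer")
    if doc.get("authorization_endpoint") != entry["logon_url"]:
        problems.append("logon URL differs from discovery authorization_endpoint")
    return problems
```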

Diagram 5 (oktaexample.drawio)