Difference between revisions of "Oauth2 authentication"
old>Admin |
|||
(12 intermediate revisions by 3 users not shown) | |||
Line 6: | Line 6: | ||
The following providors are supported. | The following providors are supported. | ||
* | * Google | ||
* LinkedIn | * LinkedIn | ||
* Facebook | * Facebook | ||
* Azure | * Azure | ||
* ADFS | * ADFS | ||
*WordPress (Via [https://wordpress.org/plugins/oauth2-provider plugin]) | |||
From version 6191 it is possible to setup TS to create a new account, if a user signed in with oauth/sso and wasn't found among the existing users. | |||
To do this enable the cofiguration <code>oauthCreateNewUsersAllow</code> and set their initial GroupID in the configuration <code>oauthNewUserGroup</code>. | |||
== Setting up SingleSignon == | == Setting up SingleSignon == | ||
Line 18: | Line 22: | ||
* securitySslLogin | * securitySslLogin | ||
* securitySslPages | * securitySslPages | ||
Next activate service icons on the login page | |||
* oauthLoginDisplay | |||
=== Google Oauth === | === Google Oauth === | ||
Line 42: | Line 49: | ||
# Finally | # Finally | ||
#* oauthGoogleAllow = true | #* oauthGoogleAllow = true | ||
=== LinkedIn Oauth === | |||
[https://medium.com/@ellesmuse/how-to-get-a-linkedin-access-token-a53f9b62f0ce Follow the guide] | |||
Copy credentials to | |||
* oauthLinkedinClient | |||
* oauthLinkedinSecret | |||
Enable | |||
* oauthLinkedinAllow | |||
Callback URL | |||
* https://sample.tsnocode.com/app/SignInLinkedin | |||
=== Facebook Oauth === | |||
[https://developers.facebook.com/docs/facebook-login/access-tokens/ Follow the guide] | |||
Copy credentials to | |||
* oauthFacebookClient | |||
* oauthFacebookSecret | |||
Enable | |||
* oauthFacebookAllow | |||
Callback URL | |||
* https://sample.tsnocode.com/app/SignInFB | |||
=== Azure Oauth === | |||
[https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2 Follow the guide] | |||
Copy credentials to | |||
* oauthAzureTenant | |||
* oauthAzureClient | |||
*oauthAzureSecret | |||
Enable | |||
* oauthAzureAllow | |||
Callback URL | |||
* https://sample.tsnocode.com/app/SignInAzure | |||
=== ADFS Oauth === | |||
[https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code Follow the guide] | |||
Copy credentials to | |||
* oauthAdfsServer | |||
* oauthAdfsClient | |||
Enable | |||
* oauthAdfsAllow | |||
Callback URL | |||
* https://sample.tsnocode.com/app/SignInADFS | |||
=== WordPress === | |||
# Install and activate the [https://wordpress.org/plugins/oauth2-provider plugin] | |||
# Enable the Oauth-server (Oath Server -> Settings -> Enable Oauth Server) | |||
# Create a new client (Oauth Server -> Clients -> Add New Client) | |||
## Give it a descriptive name | |||
## Add the Redirect URI (Should be something like: <code>https://[ts-hostname]/[ts-instance]/SignInWP</code>) | |||
## Assign it admin rights | |||
## Save it | |||
# Copy credentials to Configurations | |||
#* oauthWPClient | |||
#* oauthWPSecret | |||
# Input wordpress domain/link to Configuration (no trailing /) | |||
#* oauthWPHost | |||
# Enable Configuration | |||
#* oauthWPAllow |
Latest revision as of 17:52, 17 May 2024
Understanding Oauth 2
Oauth authentication will put icons on the login page for fast and easy SSO wth multiple vendors.
The user will be authenticated if the email matches between the provider and the Tempus Serva user.
The following providors are supported.
- Azure
- ADFS
- WordPress (Via plugin)
From version 6191 it is possible to setup TS to create a new account, if a user signed in with oauth/sso and wasn't found among the existing users.
To do this enable the cofiguration oauthCreateNewUsersAllow
and set their initial GroupID in the configuration oauthNewUserGroup
.
Setting up SingleSignon
Before going into the detailed configuration please make sure https/SSL is enabled.
Set the following configurations to true
- securitySslLogin
- securitySslPages
Next activate service icons on the login page
- oauthLoginDisplay
Google Oauth
Using an existing Google account , go to the [credentials section].
Navigate to "Credentials" in the left menu.
First setup Oauth messages in the Oauth conscent section
- Logo, privacy policies etc. are not required but make things look better
- Note that domain authentication is not required
Next setup setup credentials
- Navigate back to credentials
- Click Create credentials
- Fill out the information
- Authorized JavaScript origins: https://alpha.tempusserva.dk
- Authorized redirect URIs: https://alpha.tempusserva.dk/TempusServa/SignInGoogle
- Credentials are generated
- Copy credentials to your Tempus Serva configuration
- oauthGoogleClient = [Client ID]
- oauthGoogleSecret = [Client secret]
- Finally
- oauthGoogleAllow = true
LinkedIn Oauth
Copy credentials to
- oauthLinkedinClient
- oauthLinkedinSecret
Enable
- oauthLinkedinAllow
Callback URL
Facebook Oauth
Copy credentials to
- oauthFacebookClient
- oauthFacebookSecret
Enable
- oauthFacebookAllow
Callback URL
Azure Oauth
Copy credentials to
- oauthAzureTenant
- oauthAzureClient
- oauthAzureSecret
Enable
- oauthAzureAllow
Callback URL
ADFS Oauth
Copy credentials to
- oauthAdfsServer
- oauthAdfsClient
Enable
- oauthAdfsAllow
Callback URL
WordPress
- Install and activate the plugin
- Enable the Oauth-server (Oath Server -> Settings -> Enable Oauth Server)
- Create a new client (Oauth Server -> Clients -> Add New Client)
- Give it a descriptive name
- Add the Redirect URI (Should be something like:
https://[ts-hostname]/[ts-instance]/SignInWP
) - Assign it admin rights
- Save it
- Copy credentials to Configurations
- oauthWPClient
- oauthWPSecret
- Input wordpress domain/link to Configuration (no trailing /)
- oauthWPHost
- Enable Configuration
- oauthWPAllow