Integrating Identity Providers (IdP) in SGS

1. Locate the loginAuthSettings.json file in the SharedConfigurations subdirectory within the SharedDataPath folder defined in your deployment’s settings file. This file includes a property named identityProviders, which is an array composed of objects. Each object represents an identity provider. More about: SGS Deployment Settings >
   • Windows: appsettings.json
   • Docker: docker-compose.yaml
   • Kubernetes: deployment.yaml
2. For each identity provider you want to add, uncomment the lines corresponding to its properties within the identityProviders comma-delimited array. The forceIdentityProvider property can be used to enforce a specific identity provider by setting its value to the name of one of the providers listed in the IdentityProviders array. Leave it as an empty string ("") if you don't want to enforce a specific provider.

{
 "identityProviders": [
  {}
 ],
 "forceIdentityProvider": ""
}

Properties:

3.  After creating/modifying the configuration file, restart SGS for updates to take effect.

 

Detailed examples for IdPs like Cognito, Microsoft, Google, and Facebook are provided below. For a detailed example JSON illustrating the setup for all these identity providers, see the attachment to this article.

• Cognito
• Microsoft
• Google
• Facebook
• Okta
• IdentityServer4

Cognito

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Base URL: Obtained from your IdP application + /login? (See screenshot below)
  • redirect_uri: URL to which the IdP server should redirect users after authentication. 
  • response_type: Set to =code
  • client_id: Obtained from your IdP application (See screenshot below) 
     
• "authTokenURL": Obtained from your IdP application + /oauth2/token (See screenshot below)
• "authTokenURLRequestBody": 
  • client_id: Obtained  from your IdP application (See screenshot below)
  • client_secret: Obtained from your IdP application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Obtained from your IdP application + /oauth2/userInfo (See screenshot below)

{
"name": "Cognito",
"loginIcon": "https://mysite/logos/cognito256x219.png",
"loginUrl": "https://test.auth.us-east-1.amazoncognito.com/login?redirect_uri=https://mysite.com/oauth/redirect&response_type=code&client_id=6d7qubrlgjdhersksm8ol1pc2c",
"authTokenURL": "https://test.auth.us-east-1.amazoncognito.com/oauth2/token",
"authTokenURLRequestBody": "client_id=6d7qubrlgjdhersksm8ol1pc2c&client_secret=1mtm9ftuukbm8oqp2oc9l73oaai92hulnl4kvib9nisrl91c8u81&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://test.auth.us-east-1.amazoncognito.com/oauth2/userInfo"
}

Microsoft

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Set to "https://login.live.com/oauth20_authorize.srf?" 
  • client_id: Obtained from your IdP application (See screenshot below) 
     
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
  • scope: Set to =wl.emails
  • response_type: Set to =code
• "authTokenURL": Set to "https://login.live.com/oauth20_token.srf" 
• "authTokenURLRequestBody": 
  • client_id: Obtained from your IdP application (See screenshot below)
  • client_secret: Obtained from your IdP application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Set to "https://apis.live.net/v5.0/me"

Personal

{
"name": "Microsoft",
"loginIcon": "https://mysite/logos/Microsoft256x219.png",
"loginUrl": "https://login.live.com/oauth20_authorize.srf?client_id=aa404e51-8760-4441-b0fe-424cb7559fea&redirect_uri=https://mysite/oauth/redirect&scope=wl.emails&response_type=code",
"authTokenURL": "https://login.live.com/oauth20_token.srf",
"authTokenURLRequestBody": "client_id=aa404e51-8760-4441-b0fe-424cb7559fea&client_secret=iQL8Q~vtqAhznD3VvPe9~Y3xCht1pNAEOD8Yda-~&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://apis.live.net/v5.0/me"
}

365

{
"name": "Microsoft",
"loginIcon": "https://cloud.skylineglobe.com/images/MS.256x256.png",
"loginUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=5d1a0c8d-03ee-a116-a77D-d4a701f34e21&redirect_uri=https://cloud.skylineglobe.com/oauth/redirect&scope=openid+profile+email&response_type=code",
"authTokenURL": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
"authTokenURLRequestBody": "client_id=5d1a0c8d-03ee-a116-a77D-d4a701f34e21&client_secret=ABCDE~wKEHkPnYMWH36~2gETxiEH7H-VatjJLbxY&grant_type=authorization_code&redirect_uri=https://cloud.skylineglobe.com/oauth/redirect",
"getUserInfoURL": "https://graph.microsoft.com/oidc/userinfo"
}

Google

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Set to "https://accounts.google.com/o/oauth2/v2/auth?" 
  • client_id: Obtained from your IdP application (See screenshot below) 
     
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
  • scope: Set to =openid email profile
  • response_type: Set to =code
• "authTokenURL": Set to "https://oauth2.googleapis.com/token" 
• "authTokenURLRequestBody": 
  • client_id: Obtained from your IdP application (See screenshot below)
  • client_secret: Obtained from your IdP application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Set to "https://people.googleapis.com/v1/people/me?"
  • personFields: Set to =names,emailAddresses

{
"name": "Google",
"loginIcon": "https://mysite/logos/google.256x256.png",
"loginUrl": "https://accounts.google.com/o/oauth2/v2/auth?client_id=585398732296-6c6h8kl1s4er1vl7bkgqd0bhlp944of7.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fmysite%2Fsg%2Foauth%2Fredirect&scope=openid%20email%20profile&response_type=code",
"authTokenURL": "https://oauth2.googleapis.com/token",
"authTokenURLRequestBody": "client_id=585398732296-6c6h8kl1s4er1vl7bkgqd0bhlp944of7.apps.googleusercontent.com&client_secret=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&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses"
}

Facebook

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Set to "https://www.facebook.com/v14.0/dialog/oauth?" 
  • client_id: Obtained from your IdP application (See screenshot below)
  • redirect_uri: URL to which the IdP server should redirect users after authentication. 
     
  • scope: Set to =email
• "authTokenURL": Set to "https://graph.facebook.com/v14.0/oauth/access_token" 
• "authTokenURLRequestBody": 
  • client_id: Obtained from your IdP application (See screenshot below)
  • client_secret: Obtained from your IdP application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Set to "https://graph.facebook.com/v14.0/me?"
  • fields: Set to =email

{
"name": "Facebook",
"loginIcon": "https://mysite/logos/facebook.256x256.png",
"loginUrl": "https://www.facebook.com/v14.0/dialog/oauth?client_id=616496163768891&redirect_uri=https://mysite/oauth/redirect&scope=email",
"authTokenURL": "https://graph.facebook.com/v14.0/oauth/access_token",
"authTokenURLRequestBody": "client_id=616496163768891&client_secret=9ee6cc364bdad30ed4a0d75487c21465&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://graph.facebook.com/v14.0/me?fields=email"
}

Okta

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Base URL: Obtained from your IdP application + /oauth2/v1/authorize? (See screenshot below)
  • response_type: Set to =code
  • redirect_uri: URL to which the IdP server should redirect users after authentication. 
  • client_id: Obtained from your IdP application (See screenshot below) 
     
• "authTokenURL": Obtained from your IdP application + /oauth2/v1/token (See screenshot below)
• "authTokenURLRequestBody": 
  • client_id: Obtained  from your IdP application (See screenshot below)
  • client_secret: Obtained from your IdP application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Obtained from your IdP application + /oauth2/v1/userinfo (See screenshot below)

{
"name": "Okta",
"loginIcon": "https://mysite/logos/images/okta.256x256.png",
"loginUrl": "https://trial-3036531.okta.com/oauth2/v1/authorize?response_type=code&client_id=0oa5m587i2b0j2T7X697&redirect_uri=https://mysite/oauth/redirect&scope=openid%20email%20profile",
"authTokenURL": "https://trial-3036531.okta.com/oauth2/v1/token",
"authTokenURLRequestBody": "client_id=0oa5m587i2b0j2T7X697&client_secret=81YfiITWv6nxXXOn9Jf2QOza2Pzq0DSnnh7NMJna&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://trial-3036531.okta.com/oauth2/v1/userinfo"
}

IdentityServer4

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework specifically designed for ASP.NET Core applications. It provides centralized authentication logic, single sign-on capabilities, access control for APIs, and support for external identity providers like Azure Active Directory and Google.

Properties/Attributes:

• "name": String with name of IdP
• "loginIcon": URL to your IdP logo
• "loginUrl": Your server URL + /authorize/
  • client_id: As was set in your IdentityServer4 application (See screenshot below) 
  • redirect_uri: URL to which the IdP server should redirect users after authentication. 
  • scope: Set to =openid%20email%20profile
  • response_type: Set to =code
• "authTokenURL": Your server URL + /token
• "authTokenURLRequestBody": 
  • client_id: As was set in your IdentityServer4 application (See screenshot below)
  • client_secret: As was set in your IdentityServer4 application (See screenshot below)
  • grant_type: Set to =authorization_code
  • redirect_uri: URL to which the IdP server should redirect users after authentication.
• "getUserInfoURL": Your server URL + /userinfo

{
"name": "IdentityServer4",
"loginIcon": "https://mysite/logos/ids4.png",
"loginUrl": "https://myserver/myApplication/authorize?client_id=MyClientID&redirect_uri=https://mysite/oauth/redirect&scope=openid%20email%20profile&response_type=code",
"authTokenURL": "https://myserver/myApplication/token",
"authTokenURLRequestBody": "client_id=MyClientID&client_secret=MyClientSecret&grant_type=authorization_code&redirect_uri=https://mysite/oauth/redirect",
"getUserInfoURL": "https://myserver/myApplication/userinfo"
}

The management of user lists within SkylineGlobe Server (SGS) for both social and enterprise Identity Providers (IdPs) involves an initial step using a checker application that interfaces between the IdP and SGS. This application handles the authentication data from the IdP and uses the SGS API to determine if a user attempting to log in via an IdP already has an SGS account. Existing users are logged in automatically, while new users trigger the application to apply the organization's policies, which may include account creation, permission assignments, or access denial.

To add user accounts in bulk to SkylineGlobe Server (SGS), organizations can use a custom script. This script retrieves a list of users, along with details such as names, email addresses, and roles. See sample script below.

For enterprise Identity Providers (IdPs), the script pulls user data directly from the IdP's system. With social IdPs, it may need to gather user data from alternate organizational records or databases maintained by the organization.

After collecting the user data, the script uses the SGS API to create user accounts in SGS in bulk, setting user properties and permissions accordingly. This process should be repeated periodically to ensure the user database in SGS remains current, reflecting any organizational changes like new hires or departures.

<html>
<head></head>
<body onload = "init()">
<script language= "JavaScript">
 
var userName = "newUser";
var Password = "newPassword";
var siteName = "default";
var Role = "Publisher";
    function init(){
      fetch("http://127.0.0.1/" + siteName + "/ConnectSG", {
         "body": "{\n  \"request\": \"login\",\n  \"username\": \"admin\",\n  \"password\": \"password\",\n  \"isPersistent\": true\n}",
         "method": "POST",}).then((response) => response.json()).then((response) =>{if(!checkUser(userName)){addUser(userName, Password, siteName)} else return;/* if the user exists, redirect to TEF\SG\TED with the known credentials*/})};              
       
   function checkUser(userName){
      fetch("http://127.0.0.1/" + siteName + "/api/v1/user/get?userName=" + userName, {
      }).then((response) => response.json()).then((response) =>{if(response.result == "failed") return false; else return true;}); 
   }
   function addUser(userName, Password, siteName){
      fetch("http://127.0.0.1/" + siteName + "/api/v1/user/create?userName=" + userName + "&permissionType=" + Role + "&txtNewPW=" + Password, {
      }).then((response) => response.json()).then((response) => {if(response.result == "success") {/* redirect to TEF\SG\TED with the new credentials*/} else {alert("could not add"); /* redirect to TEF\SG\TED login */return;}}); 
   }
   
</script>
</body>
</html>