Multiple Identity Providers (IDPs) for OpenID Connect

As of the May 2024 release, a new option has been added to the dashboard to support multiple external identity providers.

Prior to May 2024:

The dashboard only supported one set of identity provider credentials for OpenID Connect, applied at the global level and configured under ‘Global Variables’ in the dashboard configuration panel. For reference:

[Screenshot: Screenshot from 2024-04-29 10-01-05.png]

With this approach, one set of IDP configuration was applied to all users.

The single-IDP configuration through OAuth global variables will eventually be deprecated. We therefore advise users to migrate their OAuth setup manually from Global Variables to the Identity Providers section of the dashboard configuration, or to create a new entry using our API.

May 2024 onwards:

New functionality allows multiple Identity Providers (IDPs) to be configured in the dashboard, either through the UI or the API. With this approach, different sets of users can use different IDP configurations.

UI:

A new tab has been added to the Settings screen, allowing users to create OpenID Connect configurations for multiple providers.

Single IDP panel example:

[Screenshot: Screenshot from 2024-04-29 10-09-40.png]

Multiple IDPs example:

API:

Eight new API endpoints have been added to help manage the new Identity Provider configurations. These endpoints are documented on our SwaggerHub page and listed below:

  • GET /identityProviders - Gets all Identity Providers

  • POST /identityProviders - Creates a new Identity Provider

  • GET /identityProviders/{id} - Gets a specific Identity Provider

  • DELETE /identityProviders/{id} - Deletes a specific Identity Provider

  • PUT /identityProviders/{id} - Modifies an Identity Provider

  • POST /identityProviders/bulk - Creates multiple Identity Providers

  • DELETE /identityProviders/bulk - Deletes multiple Identity Providers

  • DELETE /identityProviders/all - Deletes all Identity Providers

Configuration options (Option: Explanation):

Identifier: A simple alphanumeric string used as a query parameter in the dashboard URL. It is used to identify the correct Identity Provider to use to log in to the dashboard (e.g. https://localhost:8224/pi/?idp=microsoft).

Enabled: The enabled status of the Identity Provider.

Discovery Domain: OpenID Connect discovery domain, e.g. https://login.microsoftonline.com/TENANT/v2.0 (without /.well-known/openid-configuration); if used, the Auth URL and Token Endpoint values will be disabled/ignored.

Auth URL: The authorization URL the user will be redirected to; if used, the Discovery Domain field will be disabled/ignored.

Token Endpoint: Token API endpoint; if used, the Discovery Domain field will be disabled/ignored.

Key ID: A unique ID provided by an OpenID Connect service to authenticate your application.

Key Value: A secret value known only to your application and the OpenID Connect service, used for secure communication and authorisation. The field can be set via POST and updated via PUT through the API but will not be shown. In the UI, Key Value is hidden.

Email Claim Name: The name of the claim used to retrieve the logging-in user's email address.

Scope: Space-separated list of scopes which will be supplied to the IDP.

Logout URL: Custom URL for logging out; if present, the dashboard will attempt an integrated logout.

Bypass Login Screen: Enable to bypass the login screen and attempt automatic login.

Open in Pop-up: OpenID login will use a pop-up window for the login request.

General Rules:

  • Each IDP configuration must have a unique Identifier which can be used as a query parameter in the URL to resolve the correct IDP to be used

  • IDP Identifier field only accepts alphanumeric values

  • If there is only one IDP entry in the system, users don’t need to specify the identifier in the URL; the dashboard will automatically resolve to the defined IDP as long as it’s enabled

  • If there are multiple IDP entries saved in the database, users will be expected to specify the Identifier of the Identity Provider they wish to use in the URL

  • If there are no IDP entries configured in the system, the dashboard will fall back to the old single-IDP implementation through OAuth variables, if one is configured and enabled

To specify an IDP to use, the Identifier will need to be added as a query parameter to your dashboard URL, e.g.:

https://pi-dash.uk:8224/pi/?idp=identifierValue
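As an added illustration (not the dashboard's own code), the following Python models the resolution rules above and the checks a client should apply before POSTing an entry; the JSON field names (identifier, enabled, discoveryDomain, authUrl, tokenEndpoint, keyId, keyValue) are assumptions, since the page lists only the UI labels.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed JSON field names for an IDP entry (the page lists the UI labels,
# not the API schema).
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9]+")
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample entries, not taken from any real deployment.
OKTA = {"identifier": "okta", "enabled": True, "keyId": "app-id",
        "keyValue": "client-secret", "discoveryDomain": "https://example.okta.com"}
MICROSOFT = {"identifier": "microsoft", "enabled": False,
             "discoveryDomain": "https://login.microsoftonline.com/TENANT/v2.0"}

def validate_entry(entry, existing):
    """Check an entry against the page's rules before POSTing it: alphanumeric
    identifier, unique among existing entries, and either a Discovery Domain
    (without the well-known suffix) or both Auth URL and Token Endpoint."""
    ident = entry.get("identifier", "")
    if not IDENTIFIER_RE.fullmatch(ident):
        raise ValueError("Identifier must be alphanumeric")
    if any(e.get("identifier") == ident for e in existing):
        raise ValueError(f"Identifier '{ident}' already exists")
    domain = entry.get("discoveryDomain")
    if domain:
        if domain.endswith(WELL_KNOWN):
            raise ValueError("Discovery Domain must not include " + WELL_KNOWN)
    elif not (entry.get("authUrl") and entry.get("tokenEndpoint")):
        raise ValueError("Provide Discovery Domain, or Auth URL and Token Endpoint")
    return True

def redact(entry):
    """What a GET response should expose: everything except Key Value."""
    return {k: v for k, v in entry.items() if k != "keyValue"}

def resolve_idp(entries, dashboard_url, legacy_oauth_enabled=False):
    """Pick the IDP for a login per the General Rules. Returns an identifier,
    "legacy" for the old global OAuth variables, or None if the user must
    add ?idp=<Identifier> (or the requested IDP is missing/disabled)."""
    requested = parse_qs(urlsplit(dashboard_url).query).get("idp", [None])[0]
    if not entries:
        return "legacy" if legacy_oauth_enabled else None
    enabled = {e["identifier"] for e in entries if e.get("enabled")}
    if requested is not None:
        return requested if requested in enabled else None
    if len(entries) == 1:
        return next(iter(enabled), None)  # the single entry, if enabled
    return None  # several entries: the Identifier is required in the URL
```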

Example of the configuration:

  1. You have the below IDP configured in the dashboard, with ‘okta’ being the identifier for your IDP setup:

  2. You wish to use your ‘okta’ configuration for a set of users, so you change the dashboard URL to include the identifier: