TARGIT can now delegate user authentication to external identity providers such as Azure AD, ADFS and Google.
OpenID Connect is increasingly becoming the standard for user authentication. Organizations that already use it will be pleased to learn that TARGIT now supports it as well.
Disclaimer: Administrators setting up TARGIT for OpenID user authentication will need to know in advance how to work with the administration interface of the external identity provider of their choice.
When you add a new external identity provider to your TARGIT solution, these are the general steps to take:
Before adding an external identity provider, make sure that Public URLs for the TARGIT Server and the Anywhere component are set up correctly. This is done in the TARGIT Management client, in Setup / Back-end:
Note: Replace “localhost” with the correct server name or IP address within your organization. Also note that the Anywhere component (on the IIS) and the TARGIT server are not necessarily installed on the same server.
The OpenID authentication method is a new option in the TARGIT Management client’s Security settings:
The Identity Providers dialog lets you add one or more identity providers to the list.
When you add a new Identity Provider, you must fill in its settings in the IdentityProviderEditor dialog:
Example of a filled-in Identity Provider for Azure OpenID:
The icon and the name are what the end-user will see when logging on to a TARGIT client.
An Identity Provider’s associated script is essential for, at least, the mapping between the external identity provider’s AD users and groups and the internal AD users and groups.
You will need to know the SIDs from both sides.
Example of a script related to an Azure OpenID identity provider:
Use the “Test Login” option to log in as one of the authenticated users. The information returned can be used to fill in parts of your script, e.g. a group SID.
Furthermore, once you have done a Test Login and possibly modified your script, you can “Run” the script. This performs the mapping and, under Outputs, gives you additional information about the user, based on the internal AD.
Now that this user has been mapped from an external identity provider group to an internal AD group (and assuming that the internal AD groups have already been added to TARGIT roles), you can use Look up user permissions to get an overview of the user’s effective permissions: access to document folders, databases, forced criteria etc.
Alternatively, if your internal AD does not hold the corresponding groups required for mapping to the groups of the identity provider's AD, you can simply add the necessary group information manually in the TARGIT Management client.
E.g., if you have identity provider users that are members of an identity provider group, and you want that group's members to log on to TARGIT with specific rights and specific roles, you can simply add a new manual group as a member of the Rights and Roles definitions.
Even if you do have the corresponding groups in your internal AD, it may be easier to use the IDs from the manually created groups, rather than trying to retrieve IDs from your internal AD.
For an existing identity provider, you may:
The solution is based on OpenID Connect, in which the user's identity is carried in a signed JSON Web Token (JWT), the ID token, obtained through the standard OAuth 2.0 Authorization Code flow.
The ID token resembles an identity card: a standard JWT signed by the Identity Provider. An ID token has a limited lifetime (e.g. 30 minutes), so a Refresh token is also provided that can be used to obtain a new ID token. The Refresh token is needed for e.g. running scheduled jobs, where a user login is “simulated”.
Authentication takes place at the Identity Provider in two steps.
The first step is to request an Authorization Code from the Identity Provider. For that, the TARGIT client uses a trusted agent (the standard system browser) separate from the TARGIT application; the browser handles the dialogue that sends the End-User to the chosen Identity Provider.
At the Identity Provider, the End-User is typically authenticated by checking for a valid session (established by a browser cookie) and, in the absence of one, by prompting the user to log in. After that the user is typically asked whether they consent to signing in to TARGIT.
The TARGIT client passes the Authorization Code to the TARGIT Server, which in step two performs a “back-end” authorization against the Identity Provider and, in exchange for the Authorization Code, receives an ID token and the Refresh token. TARGIT validates the ID token before trusting it; per OpenID Connect this means verifying the Identity Provider's signature, the issuer, that the audience is TARGIT's client ID, and that the token has not expired.
Functionality TARGIT Management:
In TARGIT Management an additional security model, “OpenID”, is added.
In the “OpenID” security model you specify (“add”) which Identity Providers you want to trust. For a custom Identity Provider you can define a URL with the address of the custom Identity Provider and request parameters in the URI query.
To integrate OpenID into the rights/role-based security model, it must be possible to define rules on each right/role that determine whether the right/role is active for a given user. A rule could be: if the value of claim x equals y, then this right/role is active. The administrator can then create several rights/roles that define what each user may do, based on the contents of their ID token.
Functionality TARGIT Client:
When an end-user logs in to TARGIT, the TARGIT Client is responsible for launching the browser to initiate the OpenID Connect login. When an Authorization Code is received, it is handed to the TARGIT Server, where the actual token handling takes place.
Functionality TARGIT Server:
The TARGIT Server is the only component that knows the client secret, so the actual handling of the ID token and Refresh token takes place there. Each right and role is checked to see whether any of its OpenID rules are met. Once rights and roles have been determined, TARGIT issues its own security token to the TARGIT Client for internal use.
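As an added example, not code from TARGIT, here is the flow above end to end in Python: the client builds the authorization request handed to the system browser (with state, nonce and PKCE), checks the redirect that comes back, the server builds the code exchange it POSTs to the token endpoint together with the client secret, validates the ID token, and then evaluates rules of the kind described for the “OpenID” security model (claim x equals, or for list claims contains, y) to decide which rights/roles are active. The tenant ID, client ID, group object ID, user names and claims are constructed placeholders; the Azure AD v2.0 endpoint URLs, issuer form and the offline_access scope are the real ones. Azure signs ID tokens with RS256 keys published at its JWKS endpoint; so that the example runs offline, mint_id_token stands in for the provider and signs with HS256 using a shared key, which also lets the verifier reject a forged or expired token.

```python
# Added example (not TARGIT's own code): the OpenID Connect Authorization Code flow
# described above, reduced to what a relying party must get right. Tenant, client ID,
# secret, group ID and all claims are constructed. Azure AD signs ID tokens with RS256
# keys from its JWKS endpoint; to run offline this uses an HS256 shared-key verifier.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "00000000-1111-2222-3333-444444444444"       # assumption: Directory (tenant) ID
CLIENT_ID = "55555555-6666-7777-8888-999999999999"    # assumption: Application (client) ID
SALES_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # assumption: object ID of an Azure AD group
AUTHORIZATION_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SCOPE = "openid profile email offline_access"          # offline_access is what yields a refresh token
RULES = [("Sales analyst", "groups", SALES_GROUP),      # "if claim x equals/contains y, role is active"
         ("Admin", "preferred_username", "admin@contoso.onmicrosoft.com")]  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri: str):
    """Step 1 (TARGIT client): the URL handed to the system browser. state binds the
    redirect to this request, nonce binds the ID token to it, PKCE binds the code."""
    state, nonce, verifier = (secrets.token_urlsafe(16) for _ in range(3))
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": SCOPE, "state": state, "nonce": nonce,
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state, nonce, verifier


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """The browser comes back with ?code=...&state=...; reject anything not bound to our state."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect is not a response to our request")
    if "error" in query:
        raise ValueError(f"provider returned error {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, redirect_uri: str, verifier: str, client_secret: str) -> dict:
    """Step 2 (TARGIT Server): form body POSTed to TOKEN_ENDPOINT; only the server holds the secret."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID, "client_secret": client_secret, "code_verifier": verifier}


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the Identity Provider (HS256 only for the offline demo)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, nonce: str, now=None) -> dict:
    """The checks the server must pass before trusting anything in the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token was not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def active_roles(claims: dict, rules: list) -> set:
    """Rules of the form (role, claim, value): the role is active when the claim equals
    the value or, for list-valued claims such as Azure's groups claim, contains it."""
    active = set()
    for role, claim, value in rules:
        present = claims.get(claim)
        if present == value or (isinstance(present, list) and value in present):
            active.add(role)
    return active
```

In production the HS256 check is replaced by RS256 verification against the provider's key whose kid matches the token header, fetched from the JWKS document; the algorithm stays pinned in the verifier rather than being read from the token, and the refresh token is stored server-side only.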
In this example, you already have an Azure portal account and your Azure AD is already set up with a number of users and groups.
Azure:
i. Give it a proper name (can be changed later) and click Register
ii. Copy and store the Application (client) ID. You will need this later.
i. Microsoft Graph
ii. Delegated permission
iii. Checkmark Group.Read.All
iv. Click the Add permissions button at bottom.
i. "groupMembershipClaims": "All",
TARGIT:
i. Authorization Endpoint
ii. Token Endpoint
iii. Scope
Azure: