Configuring Single Sign-On (SSO)


General Information

Natural for Ajax supports SSO with OpenID Connect, today the leading standard for single sign-on on the Internet. User authentication is delegated to a central Identity Provider (IdP) service. This can be a public IdP such as Google or Microsoft, or an enterprise-internal IdP.

When a Natural for Ajax application is started, Natural for Ajax redirects the user to the IdP. If the user is already logged in at the IdP, no login screen appears; otherwise the IdP opens its own login dialog. How the user is authenticated is completely transparent to Natural for Ajax; it is entirely up to the IdP. After a successful authentication, Natural for Ajax receives a valid token from the IdP. This token is used for the login to the Natural server.

The prerequisite is a Natural server environment that supports SSO with OpenID Connect. For the corresponding Natural versions and configuration requirements, see the Natural documentation.

As described above, a token is used for the login to the Natural server. Among other information, the token contains claims about the user, such as email. In the Natural for Ajax Session Configuration you specify which of these claims is used as the Natural username. The chosen claim must be present in the token, so you may also need to configure which claims the token should carry: the claims Natural for Ajax requests from the IdP and the details of how it requests them. All of this is configured in the global settings of the session configuration. For details about claims, see the list of Standard Claims in the OpenID Connect Core specification and the documentation of your IdP.
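To make the claim handling concrete, here is an added example (not part of the Natural for Ajax product or of this documentation) of what a relying party has to check on the ID token before using one of its claims as a login name: the signature, issuer, audience and expiry, and only then the presence of the configured username claim. It is written in Python and uses an HS256 shared secret as a stand-in for the IdP's RS256 signing key so that it runs offline; the issuer URL, the client_id and the token contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values. Real IdPs sign ID tokens with RS256/ES256 and
# publish their public keys via a JWKS endpoint; the HS256 shared secret is
# used here only so that the example runs without an IdP.
IDP_SECRET = b"example-shared-secret-not-for-production"
IDP_ISSUER = "https://idp.example"      # assumed issuer URL of the IdP
CLIENT_ID = "natural-for-ajax"          # assumed client_id registered at the IdP


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Build a signed JWT the way an IdP would (HS256 stand-in for RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes = IDP_SECRET, issuer: str = IDP_ISSUER,
                    client_id: str = CLIENT_ID, now: Optional[float] = None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part JWT")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never accept 'none' or whatever alg the token claims.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def username_from_token(token: str, username_claim: str, **kwargs) -> str:
    """Pick the Natural username from the configured claim.

    The claim must be present and non-empty; otherwise the login cannot
    proceed and the requested claims/scopes at the IdP need adjusting.
    """
    claims = verify_id_token(token, **kwargs)
    value = claims.get(username_claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {username_claim!r} is not in the ID token; "
                         "request it from the IdP or configure another claim")
    return value


if __name__ == "__main__":
    # Constructed token: the IdP issued it for our client, with an email claim.
    demo = make_id_token({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "248289761001",
                          "email": "jane.doe@example.com", "exp": int(time.time()) + 300})
    print("Natural username:", username_from_token(demo, "email"))
    try:
        username_from_token(demo, "preferred_username")
    except ValueError as err:
        print("rejected:", err)
```

The order of the checks matters: the claim value is only looked at after the token has been accepted, so a forged or expired token can never supply a username.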

SSL/TLS Configuration

OpenID Connect requires the use of SSL/TLS. You must provide a trustfile containing a valid certificate for the connection between the Natural for Ajax client and the Natural Web I/O Interface server, as described in the Configuring SSL documentation.

For OpenID Connect, you must also add the certificate of your IdP (or the CA certificate that issued it) to the same trustfile, so that Natural for Ajax can verify the IdP's TLS certificate when it communicates with the IdP.

Configuring OpenID Connect Usage

To configure OpenID Connect:

  1. Invoke the Natural for Ajax runtime tools and choose Session Configuration.

  2. Define the OpenID Connect settings for your IdP in the global settings for all defined sessions.

Only one IdP can be configured per Natural for Ajax application, but the individual sessions may be a mix of sessions that use OpenID Connect and sessions that do not.

To enable OpenID Connect for a single session:

  1. Switch on SSL in the Natural Connection tab.

  2. Switch on OpenID Connect (OIDC) in the Authentication tab.

Configuring your Identity Provider (IdP)

Your IdP requires you to register valid redirect URIs for your application. These are the only URIs to which the browser may be redirected after a successful login at the IdP, and they are matched exactly, including the query string, so register each variant separately rather than relying on wildcards. If the URI of your web application is https://mywebapplication, register the following URIs as valid redirect URIs in your IdP:

  • https://mywebapplication/servlet/OpenidConnectRequest

  • https://mywebapplication/servlet/OpenidConnectRequest?subpage=true

When using the Natural for Ajax subpage or workplace functionality, you also need to allow the following CORS origin in your IdP:

https://mywebapplication
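As an added example that is not part of the Natural for Ajax documentation, the following Python shows the matching rules an IdP should apply to the two redirect URIs above and to the CORS origin: redirect URIs are compared as exact strings including the query component (OpenID Connect Core 3.1.2.1), which is why the ?subpage=true variant has to be registered on its own, while the CORS check compares only the origin (scheme, host, port). The host mywebapplication is the placeholder from the text; the attacker-style URLs are constructed inputs.

```python
from urllib.parse import urlsplit

# Constructed configuration: the two redirect URIs and the CORS origin the
# text says to register for an application served at https://mywebapplication.
APP_BASE = "https://mywebapplication"
REGISTERED_REDIRECT_URIS = {
    f"{APP_BASE}/servlet/OpenidConnectRequest",
    f"{APP_BASE}/servlet/OpenidConnectRequest?subpage=true",
}
ALLOWED_CORS_ORIGINS = {APP_BASE}


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string comparison, as OpenID Connect requires.

    Scheme, host, port, path and query must all be identical; there is no
    prefix or wildcard matching, so every variant must be registered.
    """
    return requested in registered


def redirect_uri_allowed_prefix_match(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The weak 'starts-with' matching some IdPs offer as an option.

    Included only to show what it lets through; do not enable it.
    """
    return any(requested.startswith(r) for r in registered)


def origin_of(url: str) -> str:
    """Web origin (scheme://host[:port]) of a URL, the value compared for CORS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    default_port = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname.lower()
    if parts.port in (None, default_port):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def cors_origin_allowed(request_url: str, allowed=ALLOWED_CORS_ORIGINS) -> bool:
    """Allow a cross-origin request (subpage/workplace) only from the registered origin."""
    return origin_of(request_url) in allowed


if __name__ == "__main__":
    # Constructed inputs: the two legitimate callbacks and two hostile ones.
    for uri in [
        f"{APP_BASE}/servlet/OpenidConnectRequest",
        f"{APP_BASE}/servlet/OpenidConnectRequest?subpage=true",
        f"{APP_BASE}/servlet/OpenidConnectRequest/../../attacker-controlled",
        f"{APP_BASE}/servlet/OpenidConnectRequest?subpage=true&next=https://attacker.example",
    ]:
        print(f"exact={redirect_uri_allowed(uri)!s:5} prefix={redirect_uri_allowed_prefix_match(uri)!s:5} {uri}")
    print(cors_origin_allowed("https://mywebapplication.attacker.example/servlet/OpenidConnectRequest"))
```

Note that a lookalike host such as mywebapplication.attacker.example fails both checks only because the registered values carry the full host followed by a path or nothing; registering a bare prefix with starts-with matching enabled would turn that host into a valid redirect target.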