External IDP tab (options)
On the External IDP tab in Management Client, you can add and configure an external IDP and register claims from the external IDP.
Name | Description |
---|---|
Enabled | The external IDP is enabled by default. |
Name | The name for the external IDP. The name appears in the Authentication field in the log-in window of your client. |
Authentication authority | The URL of the external IDP. |
Add | Add and configure an external IDP. When you select Add, the External IDP dialog box opens and you can enter the information for the configuration, see Configure an external IDP below the table. |
Edit | Edit the configuration of the external IDP. |
Remove | Remove the external IDP configuration. If you remove an external IDP configuration, users who are authenticated via this external IDP can no longer log in to the XProtect VMS. If you add the external IDP again, new users are created at log-in because the ID of the external IDP has changed. |
Configure an external IDP
To add an external IDP, select Add in the External IDP section and enter the information described in the table below. You can only add one external IDP:
Name | Description |
---|---|
Name | The name for the external IDP that you enter here appears in the Authentication field in the log-in window of your client. |
Client ID and Client secret | Must be obtained from the external IDP. The client ID and the client secret are needed to communicate securely with the external IDP. |
Callback path | Part of the URL for the authentication redirect flow that signs in users. The user sign-in flow is initiated in the XProtect VMS: a browser is launched with a sign-in page that is hosted by the external IDP. When the authentication process is completed, the callback path (XProtect login address + /idp/ + callback path) is invoked and the user is redirected to the XProtect VMS. The default value is "/signin-oidc". Redirect format: the callback URI is constructed from the login address entered in the client + /idp/ + the callback path configured for the external IDP. The URI is client specific, so the URIs for, for example, Smart Client and XProtect Web Client differ. For Smart Client and XProtect Management Client, the login address is the management server address that you enter in the login dialog box. For XProtect Web Client and XProtect Mobile, the redirect address is the entered address + port + /idp/ + callback path. |
Prompt for login | Specify to the external IDP whether the user should stay logged in or whether verification of the user is required. Depending on the external IDP, the verification can be a password verification or a full log-in. |
Claim to use to create user name | Optionally, specify which claim from the external IDP should be used to generate a unique user name for the auto-provisioned user in the VMS. For more information about unique user names created from claims, see Unique user names for external IDP users. |
Scopes | Optionally, use scopes to limit the number of claims that you get from the external IDP. If you know that the claims relevant to your VMS are in a specific scope, you can use that scope to limit the number of claims that you get from the external IDP. |
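As an added illustration of the redirect format described for the Callback path (example code written for this page, not part of XProtect or any Milestone software), the following Python composes the callback redirect URI that has to be allowed at the external IDP for each client family. It assumes that an address typed without a scheme is https, that any path typed after the host is ignored, and that a port is only appended when one is present; the host names and the port 8082 are constructed sample values.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Default callback path shown in the External IDP dialog.
DEFAULT_CALLBACK_PATH = "/signin-oidc"


def callback_redirect_uri(entered_address: str,
                          callback_path: str = DEFAULT_CALLBACK_PATH,
                          port: Optional[int] = None) -> str:
    """Compose <entered address>[:port]/idp/<callback path>.

    entered_address is what the user types in the login dialog (Smart Client /
    Management Client) or in the browser (Web Client / Mobile).
    Assumption: an address without a scheme is treated as https, and any path
    typed after the host is ignored.
    """
    address = entered_address if "://" in entered_address else f"https://{entered_address}"
    parts = urlsplit(address)
    if not parts.hostname:
        raise ValueError(f"no host in address: {entered_address!r}")
    # An explicit port argument (Web Client / Mobile) wins over one typed in the address.
    effective_port = port if port is not None else parts.port
    netloc = parts.hostname if effective_port is None else f"{parts.hostname}:{effective_port}"
    # /idp/ is fixed; the callback path comes from the External IDP configuration.
    path = "/idp/" + callback_path.strip("/")
    return urlunsplit((parts.scheme, netloc, path, "", ""))


def redirect_uris_to_register(management_address: str,
                              mobile_address: str,
                              mobile_port: int,
                              callback_path: str = DEFAULT_CALLBACK_PATH) -> Dict[str, str]:
    """One callback URI per client family. Every distinct value must be allowed
    at the external IDP, because the URI is client specific."""
    return {
        "Smart Client / Management Client":
            callback_redirect_uri(management_address, callback_path),
        "XProtect Web Client / XProtect Mobile":
            callback_redirect_uri(mobile_address, callback_path, port=mobile_port),
    }


if __name__ == "__main__":
    # Constructed sample addresses, not real systems.
    for client, uri in redirect_uris_to_register("vms.example.com", "mobile.example.com", 8082).items():
        print(f"{client}: {uri}")
```

Run the script to list the URIs to allow at the external IDP; if you change the callback path in the dialog, pass the new value as `callback_path` and re-register every resulting URI.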
Register claims
When you have registered claims from the external IDP, you can map the claims to roles in the VMS to determine the user privileges in the VMS. For more information, see Map claims from an external IDP.
To register claims from an external IDP, select Add in the Registered claims section and enter the information described in the table below:
Name | Description |
---|---|
External IDP | The name of the external IDP. |
Claim name | Name of the claim as it was defined in the external IDP. In this field, the claim name must be entered exactly as it is set in the external IDP. The claim name does not appear anywhere else in the Management Client. |
Display name | The display name of a claim. This is the name that you will see in the roles setup in Management Client. |
Case sensitive | Indicates whether the value of a claim is case sensitive. Examples of values that are typically case sensitive: textual representations of IDs, such as a GUID (F951B1F0-2FED-48F7-88D3-49EB5999C923) or an encoded ID (OadFgrDesdFesff=). Examples of values that are typically not case sensitive: e-mail addresses. |
Add, Edit, Remove | Register and maintain claims. If you modify a claim at the external IDP web site, the users must log in to the XProtect client again. For example, suppose that a user, Bob, needs to be an Operator. The claim is added to Bob at the external IDP web site, but if Bob is already logged in to XProtect, he must log in again for the change to take effect. |
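The following Python is an added example, written for this page and not taken from XProtect, of how the two rules in the table interact when claims are evaluated against a role setup: the claim name is always matched exactly, while the claim value is compared according to the Case sensitive setting. The token claims, the role names and the claim names `email` and `groups` are constructed sample values; the GUID is the one quoted in the table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

# A claim may carry a single value or a list of values (for example, group IDs).
ClaimValue = Union[str, List[str]]


@dataclass(frozen=True)
class RegisteredClaim:
    claim_name: str        # must be exactly as issued by the external IDP
    display_name: str      # what the roles setup shows
    case_sensitive: bool   # how the claim value is compared


@dataclass(frozen=True)
class RoleClaimMapping:
    role: str
    claim: RegisteredClaim
    value: str             # the claim value that grants the role


def _values(token_claims: Dict[str, ClaimValue], name: str) -> List[str]:
    raw = token_claims.get(name)   # exact, case-sensitive lookup of the claim name
    if raw is None:
        return []
    return list(raw) if isinstance(raw, list) else [raw]


def claim_matches(mapping: RoleClaimMapping, token_claims: Dict[str, ClaimValue]) -> bool:
    """True when the token carries the mapped claim with a matching value."""
    sensitive = mapping.claim.case_sensitive
    wanted = mapping.value if sensitive else mapping.value.casefold()
    for actual in _values(token_claims, mapping.claim.claim_name):
        if (actual if sensitive else actual.casefold()) == wanted:
            return True
    return False


def roles_for_token(mappings: Iterable[RoleClaimMapping],
                    token_claims: Dict[str, ClaimValue]) -> List[str]:
    """Roles granted to a user by the claims in the token, sorted by name."""
    return sorted({m.role for m in mappings if claim_matches(m, token_claims)})


# Constructed sample: claims as they might arrive in an ID token for the user Bob.
TOKEN_CLAIMS: Dict[str, ClaimValue] = {
    "email": "Bob@Example.com",
    "groups": ["F951B1F0-2FED-48F7-88D3-49EB5999C923"],
}

EMAIL = RegisteredClaim("email", "E-mail address", case_sensitive=False)
GROUP_ID = RegisteredClaim("groups", "Group ID", case_sensitive=True)

# Constructed role names; only the role/claim relation matters here.
MAPPINGS = [
    # matches: e-mail addresses are compared case-insensitively
    RoleClaimMapping("Operators", EMAIL, "bob@example.com"),
    # matches: GUID value identical, including case
    RoleClaimMapping("Auditors", GROUP_ID, "F951B1F0-2FED-48F7-88D3-49EB5999C923"),
    # no match: GUID value differs only in case, but the claim is case sensitive
    RoleClaimMapping("Administrators", GROUP_ID, "f951b1f0-2fed-48f7-88d3-49eb5999c923"),
    # no match: claim name "Groups" is not exactly the issued name "groups"
    RoleClaimMapping("Viewers", RegisteredClaim("Groups", "Group ID (wrong name)", True),
                     "F951B1F0-2FED-48F7-88D3-49EB5999C923"),
]

if __name__ == "__main__":
    print(roles_for_token(MAPPINGS, TOKEN_CLAIMS))
```

When a mapping that should grant a role does not, check the claim name spelling first and the Case sensitive setting second; both silent failures above are of those two kinds.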
Add redirect URIs for the web clients
The redirect URI is the location where the user is redirected after a successful log-in. The redirect URIs must exactly match the addresses of the web clients. For example, you will not be able to log in via an external IDP if you open XProtect Web Client from https://localhost:8082/index.html and the redirect URI that you added for the web clients is https://127.0.0.1:8082/index.html.
Name | Description |
---|---|
URI | The URI of XProtect Web Client in the format https://[mobile server]:[port]/index.html. The redirect URIs are not case sensitive. Enter a redirect URI for each of the addresses that can be used to access the XProtect Mobile server / XProtect Web Client. For example, if the server is accessed both with and without the domain details, enter a redirect URI for each form. |
Add, Edit, Remove | Register and maintain redirect URIs. When you remove URIs, you must keep at least one redirect URI for the system to work. |
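As an added example (written for this page, not XProtect's own code) of the exact-match rule for web-client redirect URIs, the following Python keeps a small registry of redirect URIs, performs the case-insensitive but otherwise exact comparison, refuses to remove the last entry, and names the URI component that caused a mismatch so that the localhost versus 127.0.0.1 failure from the text is easy to diagnose. It assumes that "not case sensitive" means the whole URI is lower-cased before comparison; the registered addresses are constructed sample values.

```python
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit


def normalize(uri: str) -> str:
    """Redirect URIs are compared case-insensitively; nothing else is relaxed.
    Assumption: the whole URI, not only the host, is lower-cased."""
    return uri.strip().lower()


class RedirectUriRegistry:
    """The registered web-client redirect URIs and the exact-match check."""

    def __init__(self, uris: Iterable[str]):
        self._uris: Set[str] = {normalize(u) for u in uris}
        if not self._uris:
            raise ValueError("at least one redirect URI must be registered")

    def __len__(self) -> int:
        return len(self._uris)

    def is_registered(self, requested: str) -> bool:
        """The address the web client was opened from must match a registered URI."""
        return normalize(requested) in self._uris

    def add(self, uri: str) -> None:
        self._uris.add(normalize(uri))

    def remove(self, uri: str) -> None:
        # The system needs at least one redirect URI to keep working.
        if len(self._uris) == 1:
            raise ValueError("cannot remove the last redirect URI")
        self._uris.discard(normalize(uri))


def first_difference(registered: str, requested: str) -> Optional[str]:
    """Name the first URI component that differs, or None when the URIs match."""
    a, b = urlsplit(normalize(registered)), urlsplit(normalize(requested))
    for component in ("scheme", "hostname", "port", "path", "query"):
        if getattr(a, component) != getattr(b, component):
            return component
    return None


if __name__ == "__main__":
    # Constructed sample registry: loopback address plus a named mobile server.
    registry = RedirectUriRegistry([
        "https://127.0.0.1:8082/index.html",
        "https://mobile.example.com:8082/index.html",
    ])
    opened_from = "https://localhost:8082/index.html"
    if not registry.is_registered(opened_from):
        print("log-in via external IDP will fail; differs in:",
              first_difference("https://127.0.0.1:8082/index.html", opened_from))
```

Every distinct form of the web-client address in use (IP address, short host name, fully qualified name, with or without an explicit port) needs its own entry; `first_difference` is the check to run when a user reports that the external IDP log-in page never redirects back to the client.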