External IDP (explained)

IDP is an acronym for Identity Provider. An external IDP is an application or service outside XProtect that stores and manages user identity information and authenticates users on behalf of other systems. You can associate an external IDP with the XProtect VMS so that it authenticates XProtect users.

XProtect VMS supports external IDPs that are compatible with OpenID Connect (OIDC).

Claims (explained)

Claims form the link between the external IDP and the XProtect VMS.

A claim is a statement that an entity, such as a user or an application, makes about itself. In the XProtect VMS, a claim can be associated with a role, and that role determines the user's XProtect permissions.

A claim is a key-value pair consisting of a claim name and a claim value. For example, the claim name could be a standard name that describes the content of the claim value, and the claim value could be the name of a group. See more examples of claims from an external IDP under Example of claims from an external IDP.

Enable users to log in to the XProtect VMS from an external IDP

  • From the external IDP, create the users. You must also register the XProtect VMS as a client (application) in the external IDP and define how XProtect and the external IDP interact. Finally, create the claims that identify users as external IDP users in the XProtect VMS.

  • From the XProtect VMS, create a configuration that enables the XProtect Identity Provider to contact the external IDP. For more information about how to create a configuration for an external IDP, see Add and configure an external IDP.

  • From the XProtect VMS, establish authorization of authenticated users by mapping the user claims from the external IDP to XProtect roles. For more information about how to map claims to roles, see Map claims from an external IDP to roles in XProtect.

Redirect URIs

The redirect URI is the address that the external IDP sends the user's browser back to, together with the authentication response, after a successful authentication. In your external IDP, you must add the address of the management server followed by the Callback path you defined in XProtect Management Client. For example, https://management-server-computer.company.com/idp/signin-oidc. An external IDP only redirects to the URIs registered for the client, and most IDPs require an exact match, so the scheme, host name and callback path must be identical to what the browser uses to reach the management server; a mismatch makes the IDP reject the login.

Unique user names for external IDP users

User names are created automatically for users who log in to Milestone XProtect via an external IDP.

The external IDP provides a set of claims from which XProtect automatically creates a name for the user. XProtect uses an algorithm to pick, from the claims supplied by the external IDP, a name that is unique in the VMS database.

Example of claims from an external IDP

The claims consist of a claim name and a claim value. For example:

Claim name            Claim value
name                  Raz Van
email                 123@domain.com
amr                   pwd
idp                   00o2ghkgazGgi9BIE5d7
preferred_username    321@domain.com
vmsRole               Operator
locale                en-US
given_name            Raz
family_name           Lindberg
zoneinfo              America/Los_Angeles
email_verified        True

Using sequence number of claim to create user names in XProtect

In XProtect, the search priority when creating a user in the XProtect VMS is controlled by the sequence number of the claims in the table below. The first available claim name will be used in the XProtect VMS:

Claim name                    Sequence number   Description
UserNameClaimType             1                 Configured mapping with one claim to define the user name. The claim is defined in the Claim to use to create user name field on the External IDP tab under Tools > Options.
preferred_username            2                 Claim that can come from the external IDP. A standard claim that is normally used for this purpose in OIDC (OpenID Connect).
name                          3
given_name + family_name      4                 Given name and family name in a combination such as Bob Johnson.
email                         5
First available claim + #N    6                 The first available claim followed by # and the first available number. For example, Bob#1.

Defining specific claims to create user names in XProtect

XProtect administrators can define a specific claim from the external IDP that should be used to create the user name in the XProtect VMS. When an administrator defines a claim to use for the creation of the user name, the claim name must be written exactly as the claim name coming from the external IDP, character for character.

  • The claim to use for the user name can be defined in the Claim to use to create user name field on the External IDP tab under Tools > Options.
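The following is an added illustration of the user name selection order in the table above and of the claim-to-role mapping described earlier; it is example code, not XProtect's own implementation. The priority list, the "#N" fallback and the claim names come from this page. Everything else is an assumption of the example: that a candidate name is "available" when the claim is present and non-empty, that uniqueness is checked against a set of existing VMS user names, that the "#N" suffix is appended to the first available claim when that name is already taken, and that a role is granted when the token carries a configured claim name with exactly the configured value. The function names and the sample token are constructed for the example.

```python
"""Example (not XProtect code): choose a unique XProtect user name from
OIDC claims, and map claims to roles. Assumptions are noted inline."""

from typing import Any, Dict, List, Mapping, Optional, Set, Tuple


def _text(claims: Mapping[str, Any], key: str) -> str:
    """Return a claim as stripped text, or '' if missing or not a string.
    Claim names are matched exactly (case-sensitive), as the page requires
    for the configured 'Claim to use to create user name'."""
    value = claims.get(key)
    return value.strip() if isinstance(value, str) else ""


def first_available_name(claims: Mapping[str, Any],
                         user_name_claim_type: Optional[str] = None) -> Optional[str]:
    """Walk the documented priority list and return the first candidate:
    1. the configured claim (if any), 2. preferred_username, 3. name,
    4. given_name + family_name, 5. email. None if no candidate exists."""
    order = [user_name_claim_type] if user_name_claim_type else []
    order += ["preferred_username", "name"]
    for key in order:
        value = _text(claims, key)
        if value:
            return value
    given, family = _text(claims, "given_name"), _text(claims, "family_name")
    if given and family:
        return f"{given} {family}"
    return _text(claims, "email") or None


def pick_user_name(claims: Mapping[str, Any], existing: Set[str],
                   user_name_claim_type: Optional[str] = None) -> str:
    """Return a user name unique in `existing` (assumed: the VMS database).
    Step 6 of the table: if the first available name is taken, append
    '#1', '#2', ... using the first free number, e.g. 'Bob#1'."""
    base = first_available_name(claims, user_name_claim_type)
    if base is None:
        raise ValueError("token carries none of the claims used for user names")
    if base not in existing:
        return base
    n = 1
    while f"{base}#{n}" in existing:
        n += 1
    return f"{base}#{n}"


def roles_for_claims(claims: Mapping[str, Any],
                     claim_role_map: Mapping[Tuple[str, str], str]) -> List[str]:
    """Grant a role for every (claim name, claim value) pair in the map that
    the token carries. Assumption: group-style claims may be a list of
    values, in which case any matching element grants the role."""
    roles: List[str] = []
    for (cname, cvalue), role in claim_role_map.items():
        present = claims.get(cname)
        values = present if isinstance(present, list) else [present]
        if cvalue in values and role not in roles:
            roles.append(role)
    return roles


# Constructed sample token payload, using the claim values from this page.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "name": "Raz Van",
    "email": "123@domain.com",
    "amr": "pwd",
    "idp": "00o2ghkgazGgi9BIE5d7",
    "preferred_username": "321@domain.com",
    "vmsRole": "Operator",
    "locale": "en-US",
    "given_name": "Raz",
    "family_name": "Lindberg",
    "zoneinfo": "America/Los_Angeles",
    "email_verified": True,
}

# Assumed role mapping: the vmsRole claim with value Operator grants a role
# named "Operators" (the role name is an assumption of the example).
SAMPLE_ROLE_MAP: Dict[Tuple[str, str], str] = {("vmsRole", "Operator"): "Operators"}


if __name__ == "__main__":
    taken = {"321@domain.com", "321@domain.com#1"}
    print(pick_user_name(SAMPLE_CLAIMS, set()))                 # preferred_username wins
    print(pick_user_name(SAMPLE_CLAIMS, taken))                 # name already taken twice
    print(pick_user_name(SAMPLE_CLAIMS, set(), "email"))        # configured claim wins
    print(roles_for_claims(SAMPLE_CLAIMS, SAMPLE_ROLE_MAP))
```

Note that the configured claim is looked up by its exact name: configuring "Email" when the IDP sends "email" silently falls through to preferred_username, which is the kind of mismatch to check first when users appear under an unexpected name.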

Deleting external IDP users

Users created in XProtect by an external IDP login are deleted the same way as basic users, and a user can be deleted at any time after the user is created.

If a user is deleted in XProtect and then logs in again from the external IDP, a new user is created in XProtect. The data associated with the deleted user in XProtect, such as private views and role assignments, is lost and has to be created again for the new user.

If an external IDP is deleted in the Management Client, all users connected to the VMS via that external IDP are deleted as well, together with their associated data.