In this article, you will get information on how to configure SSO with Finmatics.
Content
- What are the prerequisites?
- Setup in Microsoft Azure
- Configuration of user authorisations and administration
What are the prerequisites?
- OIDC authorization endpoint:
This endpoint is used to identify and verify users. Example for Azure Active directory: https://login.microsoftonline.com/{UUID}/oauth2/v2.0/authorize - OIDC token endpoint:
This endpoint is used to create and refresh tokens in order to communicate with the SSO provider. Example for Azure Active directory: https://login.microsoftonline.com/{UUID}/oauth2/v2.0/token - OIDC user endpoint:
This endpoint is used to get user information. Example for Azure Active directory: https://graph.microsoft.com/oidc/userinfo - OIDC jwks endpoint:
This endpoint is used to get the necessary JSON Web keys. Example for Azure Active directory: https://login.microsoftonline.com/{UUID}/discovery/v2.0/keys - OIDC scopes:
This is used to set the scope of the data sent to the Authorization server. Example for Azure Active directory:-
openid: this field is required, indicates that we want to verify a users identity through OIDC
- profile: gives access to the username
- email: gives us access to the e-mail address. If there are multiple email addresses in use (e.g. localized) please let us know the scopes and which should be used for the login and user creation
-
- OIDC client secret:
This is the secret that Finmatics uses like a passwort to communicate with the SSO provider - OIDC client id:
This is the client that Finmatics uses like a username to communicate with the SSO provider - OIDC sign algorithm:
This determines which algorithm is used to sign the token and is determined by the SSO provider - Auth provider group name/Token:
For most providers, users can be assigned to different groups, which makes it possible to assign them different permissions. These groups can also be set up in Finmatics to ensure that a user always has the needed and necessary permissions. It is also possible to create a default group for all users. Example Azure Active directory (UUID): 11111111-2222-3333-4444-555555555555
Setup in Microsoft Azure
Create new Application
-
In the Azure Portal search for “App registrations" - "New Registration"
-
Choose the name of the application
-
Supported account types: Select "Accounts in this organizational directory only - (Single Tenant)"
Redirect URI:
-
Platform: Web
-
URI: This is the branded Domain that is used to access Finmatics e.g. https://BRANDING.DOMAIN.XYZ/api/oidc/callback/
-
URI: For the mobile App the will need a second one which is always:
https://api.finmatics.com/api/oidc/callback/
Click "Create" which then directs you to the application.
Information needed by Finmatics:
-
Application Client ID
Create Client Secret
Create a new client secret via "Certificates and Secrets" - "New client secret" and fill in the following fields:
-
Choose description
-
Choose duration
-
Client-Secret Value
-
Client-Secret Expiration Date
The new client secret is only shown once, be sure to copy the value immediately.
Token Configuration
Choose "Token Configuration" - "Add groups claim" - "Security groups" and "Add"
Information needed by Finmatics:
-
Token for every individual group
Endpoint Informationen
Look for the configuration in "Overview" - "Endpoints"
Information needed by Finmatics:
-
OpenID Connect metadata document
Create Security Groups and add Members
Open "Groups" and create a new group via ‘New group’. Select the group type ‘Security’. Members of this group will be assigned respective permissions in Finmatics.
-
Group Object Id
Configuration of user authorisations and administration
Complete the Excel document linked below and send it back to Finmatics so that the relevant groups and user authorisations can be configured: