Authentication (SSO)¶
Generic OIDC¶
Prisme.ai is compatible with any OIDC provider like Google.
1. Register an app
First access your OIDC IdP back-office in order to register a Web OAuth2 client/app.
Configure the following authorized redirect URI :
https://api.studio.prisme.ai/v2/login/callback
Once created, note the following client informations :
- Client ID
- Client Secret
- Auth URL : the
authorization_endpoint
triggering authentication flow - Token URL : the
token_endpoint
to exchange authorization codes with an authentication token - Certificate URL : the
jwks_uri
endpoint returning IdP public certificates
jwks_uri
might not be showed with client details as it is generally global to the IdP (or at least to the customer tenant, like Auth0).
This URL can either return a standard JWKS or an object mapping kid
s to PEM certificate strings like Google.
Algorithm
For the moment, the only supported algorithm is RS256.
2. Create & configure a authProviders.config.yml
file
providers:
<ProviderName>:
type: oidc
config:
client_id: "your client id"
client_secret: "your client secret"
authorization_endpoint: "idp authorization_endpoint"
token_endpoint: "idp token_endpoint"
jwks_uri: "idp public certificates endpoint"
scopes: "openid email profile"
Although the choice is yours, name your ProviderName with care, as this name will be passed to front-end services & injected within user authData (along with user claims), making it potentially difficult to change afterwards.
You must replace <ProviderName>
by the actual name of your provider.
An optional config.scopes
field allow customizing requested scopes (& retrieved used claims by extension), which defaults to openid email
and must at least include openid
and email
.
You have to add the profile
scope if you wish to retrieve informations such as the first name and last name of your users.
3. Mount this configuration file to prismeai-api-gateaway
Mount this file as a volume inside prismeai-api-gateway
container at /www/services/api-gateway/authProviders.config.yml
You can customize this file location with AUTH_PROVIDERS_CONFIG
environment variable
4. Enable the provider within console & pages
In order to display & customize sign in buttons connecting to our freshly configured OIDC provider, add the following environment variable to prismeai-console and prismeai-pages microservices :
ENABLED_AUTH_PROVIDERS='[{"name": "local"}, {"name": "google", "label": "Google", "icon": "https://cdn.iconscout.com/icon/free/png-256/free-google-1772223-1507807.png"}]'
Configure name
, label
and icon
with the desired provider name, its display label & icon url.
If the local
provider is omitted, the standard user / password sign in form will not appear.
If you do not want the same IdP to be available between Prismai studio & workspaces pages, these 2 variables can also be differently configured between prismeai-console
and prismeai-pages
.
Authenticating from workspaces pages
Bear in mind that each workspace register itself as an OIDC client of your providers in order to allow users to connect from your workspaces pages.
These registrations happen on creation and update of a workspace, when they are made they register a redirect_uri
which contains the current PAGES_HOST
value.
While installing your platform you might change the value of PAGES_HOST
multiple time.
So, whenever you change your PAGES_HOST
, make sure to trigger a workspace update (example: change the description of the workspace and save) in order to trigger a new registration as client with the new PAGES_HOST
value.
Configuring Microsoft SSO¶
1. Register an app
First follow https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app in order to register an app in your Azure tenant.
- The application can be named "Prisme.ai" or whatever else, it doesn't matter.
- Select the desired Supported account types as it will restrict which microsoft accounts can log in the studio
- Its redirect URI must be set to Web platform & have the following value : https://api-gateway-url/v2/login/azure/callback
Note somewhere the application id as it will be the client id passed in environment variables.
2. Generate a secret
Click on Certificates & secrets under Manage menu & add a New client secret.
Keep longest expires time & Add.
Note somewhere the client secret value as it will be the client secret passed in environement variables.
3. Configure environment variables
In order to finish SSO configuration in api-gateway, its following environment variables must be set :
- AZURE_AD_CLOUD_INSTANCE_ID : https://login.microsoftonline.com/ or any private one
- AZURE_AD_TENANT : The tenant domain as found in Azure Active Directory > Primary domain (ex: YourCompany.onmicrosoft.com)
- In order to accept any organizational directory account, replace this value with organizations.
- In order to accept any organizational directory and personal Microsoft accounts, replace this value with common.
- In order to accept only Microsoft accounts only, replace this value with consumers.
- This must reflect the Supported account types option chosen when registering the app
- AZURE_AD_APP_ID : The application id retrieved in first step
- AZURE_AD_CLIENT_SECRET : The secret value retrieved in second step
Finally, add the following environment variable to console and pages microsevice :
- ENABLED_AUTH_PROVIDERS : azure
or
- ENABLED_AUTH_PROVIDERS :
[{"name":"custom","extends":"azure","label":{"fr":"Connexion avec custom","en":"Connect with custom"},"icon":"http://logo.png"}]