Webadmin supports multiple identity providers in order to manage authentication of users. Each one can function in a completely different way and has its own configuration parameters.
It can be configured to accept one single provider in a first accepted authentication mode, or to required all providers to be authenticated to allow the user.
Each provider uses different types of credentials, so each provider you add can have significant impact on the Logon UI. Some may ask for the traditional Username+Password, while others require external URL navigation or hardware keys to be used.
The simplest one and default provider. Its a simple User+Pass authentication against the user database. Its passwords are save as one-way hashes in the database and are not recoverable.
The is one of the most standard external authentication protocols. It redirects the user to an external login page. It requires application registration in that provider, with the procedures varying between providers.
If your organization does not support the token endpoint then you can leave the Token Endpoint and Secret configurations blank in WebAdmin. This is not a secure way to authenticate and the JWT send back to the application callback, directly from the provider, is vulnerable to interception and spoofing attacks.
Each user needs to associate its account name to the external Id. This means that each user needs a primary provider like QuidgestIdentityProvider to first make that registration in his user profile page.
In alternative, in WebAdmin, you can configure the UserFieldId to a field where the external provider returns an email, and preset each user with that email. Each provider may return this information in a different field.
https://<host>/auth/OpenIdConnectLogin/<id>
https://<host>/auth/OpenIdConnectRegister/<id>
<id>
is the unique id name you should configure in your provider in webadminhttps://<host>/auth/OpenIdConnectLogin/<id>
https://<host>/auth/OpenIdConnectRegister/<id>
These documented endpoints are subjected to future change, so make sure you confirm they are up to date.
This provider is very similar to the OpenIdConnect but the protocol does not follow the same standards. Registration is handled by request on a case by case basis, so the procedure will depend on those communications.
You will need to gather the Client Id, the Authorization Endpoint and the Token information Endpoint. You should then configure the UserIdField you want to fetch from the Token response to match your internal users.
You test environment endpoints should look something like:
This provider currently only works with Portuguese authority.
This provider connects to Apereo CAS protocol 3.0 to allow SSO authorization flows.
The configuration is highly dependent on version but you need to register your callback function as an authorized CAS service:
https://<host>/auth/CAS/<id>
For the WebAdmin configuration:
For testing its recommended to use the CAS docker image. Instructions for setup are included in the CASIdentityProvider source code.