Add an OpenID IDMS
OpenID Connect (OIDC) Implicit Flow can be used for user authentication and single sign-on (SSO) access to Kion.
In the Implicit Flow the user's browser receives a signed ID token directly from the provider's authorization endpoint; no client secret is exchanged, so Kion never holds secret data from your OpenID identity provider. A client ID is required for configuration, but it is a public identifier only and does not grant access to your OpenID provider. Kion trusts the ID token because it verifies the token's signature against the keys your provider publishes at its JWKS URI (configured below), so the integrity of the login depends on that endpoint being correct and served over HTTPS.
For more information about how OpenID works, see their site: OpenID Foundation.
Configuring your OpenID Provider
Before configuring your IDMS in Kion, you must create a new application in your OpenID provider to obtain a client ID.
- Configure or request a new OpenID Implicit Flow application in your OpenID provider.
- Gather the following information from your OpenID provider:
- Client ID. This is a unique ID for the application you configured.
- (Recommended) Well-Known Configuration URL. Most identity providers publish an OpenID Connect Discovery document at <issuer>/.well-known/openid-configuration containing the metadata needed to configure an IDMS (issuer, authorization endpoint, JWKS URI, supported scopes and response types). If your OpenID provider does not publish one, you can configure the IDMS in Kion manually instead.
More information can be found in your OpenID provider's documentation.
Adding a New OpenID IDMS in Kion
- In Kion, navigate to Users > Identity Management Systems.
- Click Add New.
- For the IDMS Type, select OpenID (implicit flow).
- Enter a name to describe the IDMS. Users see this name when selecting the IDMS on the Kion login page.
- Enter the Client ID for the Kion IDMS application you made in your OpenID provider.
- Select whether you would like to import a Well-Known Configuration to automatically configure your IDMS or if you would like to configure it manually.
Most identity providers publish an OpenID Connect Discovery document (the Well-Known Configuration) at <issuer>/.well-known/openid-configuration containing the metadata needed to configure the IDMS. You can import it to configure your IDMS in Kion automatically.
To import the configuration, enter the public configuration URL provided by your identity provider (check your provider's documentation; for multi-tenant providers the URL is usually tenant-specific). After importing, confirm that the issuer in the imported document matches the URL you entered: Discovery requires the document to be served from the issuer's own /.well-known/openid-configuration path, and a mismatch usually means the wrong tenant or provider URL.
- For the Issuer, enter your OpenID provider's issuer identifier: the https URL (no query string or fragment) that appears as the issuer value in its discovery document and as the iss claim in the ID tokens it issues. This is usually the provider's base URL, not its login page; ID tokens whose iss claim does not match this value will be rejected.
- For the Authorization Endpoint, enter your OpenID provider's public authorization endpoint, the URL users are redirected to in order to authenticate.
- For the JWKS URI, enter your OpenID provider's public JSON Web Key Set (JWKS) endpoint. The keys published there are used to verify ID token signatures, so it must be served over HTTPS and belong to the same provider as the issuer.
Information on these values can be found in your OpenID provider's documentation.
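The following is an added example (not Kion's code) showing how the three manual fields are derived from a Well-Known Configuration and which checks are worth making before importing one. The discovery document, hostname and endpoint paths are constructed placeholders modelled on the field names defined by OpenID Connect Discovery 1.0; the checks (issuer matches the URL the document came from, endpoints are clean https URLs, an implicit-flow response type is advertised) are the author's own, not something Kion is documented to perform.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
# The three values the manual IDMS form asks for.
MANUAL_FIELDS = ("issuer", "authorization_endpoint", "jwks_uri")

# Constructed sample discovery document using field names from OpenID Connect
# Discovery 1.0. The hostname and paths are placeholders, not a real provider.
DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN_SUFFIX
DISCOVERY_BODY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "phone", "groups"],
})


def _clean_https_url(url):
    """True for an https URL with a host and no query string or fragment."""
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.netloc) and not p.query and not p.fragment


def discovery_problems(discovery_url, body):
    """Return a list of reasons not to trust a discovery document fetched from
    discovery_url; an empty list means it is safe to import."""
    doc = json.loads(body)
    problems = [f"missing field: {f}" for f in MANUAL_FIELDS if not doc.get(f)]
    if problems:
        return problems

    # Discovery 1.0 serves the document at <issuer>/.well-known/openid-configuration,
    # so the issuer must match the URL it came from. A mismatch means the wrong
    # tenant, a redirect to another host, or a provider whose tokens will fail
    # the iss check later.
    issuer = doc["issuer"]
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN_SUFFIX:
        problems.append(f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")

    for field in MANUAL_FIELDS:
        if not _clean_https_url(doc[field]):
            problems.append(f"{field} is not a clean https URL: {doc[field]!r}")

    # Implicit flow needs the ID token returned straight from the authorization
    # endpoint, i.e. response_type "id_token" (optionally with an access token).
    if not set(doc.get("response_types_supported", [])) & {"id_token", "id_token token"}:
        problems.append("provider does not advertise an implicit-flow response type")
    return problems


def manual_fields(discovery_url, body):
    """The Issuer, Authorization Endpoint and JWKS URI to enter in the manual
    form, or ValueError if the document should not be trusted."""
    problems = discovery_problems(discovery_url, body)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(body)
    return {f: doc[f] for f in MANUAL_FIELDS}


def missing_scopes(body, wanted):
    """Scopes in wanted that the provider does not advertise. scopes_supported
    is optional in Discovery, so its absence is not reported as a problem."""
    advertised = json.loads(body).get("scopes_supported")
    if advertised is None:
        return []
    return [s for s in wanted if s not in advertised]


if __name__ == "__main__":
    for name, value in manual_fields(DISCOVERY_URL, DISCOVERY_BODY).items():
        print(f"{name}: {value}")
    print("not advertised:", missing_scopes(DISCOVERY_BODY, ["openid", "profile", "email", "address"]))
```

The issuer check is the one most worth keeping: the value you enter as Issuer is what incoming ID tokens are compared against, so importing a document whose issuer differs from where you fetched it silently configures the IDMS to trust a different party.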
Scopes
Scopes define which claims are included in the ID token when a user logs in. The openid scope is always required; the standard profile scope adds name claims, while email, phone and address add the corresponding claims, and providers may define their own (for example a groups scope). Request every scope whose claims your assertion mapping, access rules and user group associations depend on: a claim from a scope that was not requested is simply absent from the token, and any rule that relies on it will not match.
Which scopes and claims are available depends on your OpenID provider.
For detailed information on scopes and examples, see OpenID's documentation: Scope Values.
Assertion Mapping
- For the First Name, enter the field from the IDP that will be mapped to the user first name (first_name).
- For the Last Name, enter the field from the IDP that will be mapped to the user last name (last_name).
- For the Email, enter the field from the IDP that will be mapped to the user email (email).
- For the Phone Number, enter the field from the IDP that will be mapped to the user phone number.
- For the Username field, enter the field from the IDP that will be mapped to the user username (username).
The standard OpenID Connect claim names for these fields are given_name, family_name, email, phone_number and preferred_username; check your provider's documentation, since some providers use different claim names or require a specific scope before a claim is included.
Access Rules
Access rules set the level of cloud console access granted to users, based on claims in the ID token. If no access rules are specified, all users have Full Access, which means anyone who can authenticate with your OpenID provider can use cloud access roles; define rules if only a subset of your directory should have that ability.
For information on which claims can be used and examples, see OpenID's documentation: Claims.
- Full Access. Users may use cloud access roles to access the cloud consoles. This access only applies to cloud access roles, not other functions within Kion.
- No Cloud Account Access. Users can log in and use the Kion application, but they cannot access any cloud accounts. This is useful if you allow users to log in with a SmartCard instead of a password. Typically, users with a SmartCard would be granted Full Access while users with just a password would be granted No Cloud Account Access.
- No Access. Users are not allowed to log into Kion.
Service Provider Icon
You can upload a custom icon to show on the login screen next to this IDMS.
You can also select if you would like to hide this IDMS as an option on the login page.
User Group Associations
Automatically add users to user groups in Kion based on OpenID provider claims. This is useful for dynamically determining user permissions. For more information, see User Group Associations.
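As an added illustration of how the Assertion Mapping, Access Rules and User Group Associations sections fit together (this is not Kion's code, and this page does not show Kion's actual rule or association syntax), the following evaluates a constructed ID token payload against a mapping and a set of rules. The claim names follow the OpenID Connect standard claims and RFC 8176 amr values; the rule format (claim, value, level), the group-association format, the choice of which user fields are required, and the "no rule matched" outcome are all assumptions made for the example. Only the three access levels and the "no rules means Full Access" default come from the page.

```python
# Constructed ID token payload. Only the claims matter here: verifying the
# token's signature against the provider's JWKS and checking iss/aud/exp is
# assumed to have already happened. All values are placeholders.
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "248289761001",
    "aud": "kion-client-id",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "ada@example.com",
    "preferred_username": "ada",
    "groups": ["cloud-admins", "finance"],
    # Authentication Methods References (RFC 8176): "sc" = smart card, "pwd" = password.
    "amr": ["sc"],
}

# Assertion mapping: Kion user field -> claim in the ID token. These are the
# standard OpenID Connect claim names; your provider may emit different ones.
ASSERTION_MAPPING = {
    "first_name": "given_name",
    "last_name": "family_name",
    "email": "email",
    "phone_number": "phone_number",
    "username": "preferred_username",
}
# Assumption for this example: phone number is optional, the rest are required.
REQUIRED_FIELDS = ("first_name", "last_name", "email", "username")

FULL_ACCESS = "Full Access"
NO_CLOUD_ACCOUNT_ACCESS = "No Cloud Account Access"
NO_ACCESS = "No Access"

# Hypothetical rule format (claim, value, level), evaluated top to bottom,
# first match wins. The SmartCard-versus-password split mirrors the page's
# own suggestion; the format itself is not Kion's.
ACCESS_RULES = [
    ("amr", "sc", FULL_ACCESS),
    ("amr", "pwd", NO_CLOUD_ACCOUNT_ACCESS),
]

# Hypothetical group associations: (claim, value) -> Kion user group.
GROUP_ASSOCIATIONS = {
    ("groups", "cloud-admins"): "Cloud Administrators",
    ("groups", "finance"): "Finance",
    ("groups", "auditors"): "Auditors",
}


def claim_has_value(claims, name, value):
    """True if claim `name` equals `value`, or contains it when the claim is a list."""
    present = claims.get(name)
    if isinstance(present, list):
        return value in present
    return present == value


def missing_user_fields(claims, mapping=ASSERTION_MAPPING):
    """Required Kion fields whose mapped claim is absent or empty, typically
    because the scope that carries it was not requested."""
    return [f for f in REQUIRED_FIELDS if not claims.get(mapping[f])]


def map_user(claims, mapping=ASSERTION_MAPPING):
    """Build the Kion user record from the token; refuse incomplete records
    rather than creating a user with blank identity fields."""
    missing = missing_user_fields(claims, mapping)
    if missing:
        raise ValueError("claims missing for: " + ", ".join(missing))
    return {field: claims.get(claim) for field, claim in mapping.items()}


def access_level(claims, rules=ACCESS_RULES, unmatched=NO_ACCESS):
    """With no rules configured every user gets Full Access, as the page states.
    What Kion does when rules exist but none match is not stated on the page;
    this evaluator takes it as a parameter and defaults to No Access."""
    if not rules:
        return FULL_ACCESS
    for claim, value, level in rules:
        if claim_has_value(claims, claim, value):
            return level
    return unmatched


def user_groups(claims, associations=GROUP_ASSOCIATIONS):
    """Kion user groups the token's claims qualify the user for."""
    return sorted({group for (claim, value), group in associations.items()
                   if claim_has_value(claims, claim, value)})


if __name__ == "__main__":
    print(map_user(ID_TOKEN_CLAIMS))
    print(access_level(ID_TOKEN_CLAIMS), user_groups(ID_TOKEN_CLAIMS))
    print(access_level({**ID_TOKEN_CLAIMS, "amr": ["pwd"]}))
```

Two behaviours are worth noticing when you configure the real thing: the same password-only user who gets No Cloud Account Access under these rules would get Full Access if the rule list were left empty, and a user whose token lacks the groups claim (for example because the groups scope was not requested) lands in no user groups at all rather than producing an error.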