SSO Configuration

VoiceCheck

SSO is enabled during VoiceCheck installation for authentication. The installation wizard asks for the following items.

| Name | Description |
|---|---|
| Enable SSO Configuration | Select Yes to enable SSO or No to skip SSO setup. |
| Admin User | Create the initial user. This user can then add additional VoiceCheck users after installation is complete. |
| Client Id | ID assigned by the SSO provider |
| Client Secret | Secret assigned by the SSO provider |
| Authentication URL | Provider endpoint for authentication |
| Token URL | Provider endpoint for obtaining an access token |
| Issuer URL | Provider endpoint |
| JWKS URL | Provider endpoint for token signature validation |
| Redirect URL | VoiceCheck endpoint for login success, for example: https://localhost:8443/VoiceCheck/core/operator/default.action |
| User Info URL | Endpoint for getting user details from the SSO provider |
| Audience | Optional setting supplied by the provider |
| Logout URL | Optional provider endpoint for user logout |
| Username Attribute | sub (attribute in the JSON response that contains the username) |

The default value for SSO_Scopes is openid, offline_access. This property may be modified in the voc_system_properties DB table.

M&I App

Before starting the application, edit the OnetimeStartupSettings.config file to set the SSO properties for the application. Copy this file to the following location, or use MDM software to push it there:

/Internal shared storage/Android/data/com.honeywell.sps.wfs.mandi/files/Configuration/OnetimeStartupSettings.config

Sample file:

{
    "Repositories": {
        "InspectionConfig": {
            "SecureConnections": "false",
            "WorkflowFilterChoice": "Server",
            "Host":"<Host>",
            "Port":"<Port>",
            "ClientId": "0oa1pune56qcbKhul0h8",
            "Scope": "openid email offline_access profile",
            "AuthFlow":"PKCE",
            "SingleSignOn":"true",
            "UserAttribute":"sub",
            "AuthorizationEndpoint":"<authorization url>",
            "TokenEndpoint":"<token url>",
            "UserInfoEndpoint":"<user info url>",
            "RevocationEndpoint":"<revocation endpoint url>"
        }
    }
}

The table below describes the possible entries for the OnetimeStartupSettings.config file.

| Name | Description | Default |
|---|---|---|
| SingleSignOn | Single Sign On; set to true to enable SSO (boolean) | false |
| IssuerURL | Provider endpoint (string) | |
| ClientId | ID assigned by the SSO provider (string) | |
| AuthFlow | Authorization flow, either PKCE or NAPPS (string) | PKCE |
| Scope | Scope (string) | openid profile email offline_access |
| TokenType | Token type exchanged by the provider, JWT or Opaque (string) | JWT |
| SupportRefresh | Whether the identity provider supports refresh tokens (boolean) | false |
| AuthProtocol | Authorization protocol: OAuth2.0, OAuth or SAML (string) | OAuth2.0 |
| IDPTokentime | Time in seconds after which the app validates the access token with the server (double) | 14400 |
| AuthorizationEndpoint | URL to obtain the auth token (string) | |
| TokenEndpoint | URL to obtain the access/refresh token (string) | |
| UserInfoEndpoint | URL to obtain information about the user (string) | |
| RevocationEndpoint | URL to revoke the access/refresh token (string) | |
| EndSessionEndpoint | URL to clear browser cookies for the access/auth token (string) | |
| UserAttribute | The attribute sent to the VoiceCheck server as the operator; it must be identical to the one configured on the server (string) | |

Next, enable Single Sign On from the Settings screen of the M&I App.

To switch from basic authentication to SSO, the app must be uninstalled and then reinstalled.

The SSO workflow is as follows:

  1. User starts the mobile app and clicks to login.
  2. The mobile client redirects to the IDP via the Callback URL entered above and exchanges certificates.
  3. The IDP authenticates the user via the login and consent responses.
  4. The IDP returns tokens for the authentication process.
  5. The app uses the token to authenticate requests to the server.
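The PKCE steps above, written out as an added Python example (not code from the M&I App or VoiceCheck): it builds the authorization request with a code_challenge and a random state, refuses a callback whose state differs from the one sent, and extracts the configured UserAttribute (sub) from the userinfo response, which are the checks behind the state-mismatch and missing-sub errors listed in the M&I App Errors table. The endpoint URL, client id and sample responses are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the config keys above; endpoint and client id are placeholders.
CONFIG = {
    "ClientId": "<client id>",
    "Scope": "openid email offline_access profile",
    "AuthFlow": "PKCE",
    "UserAttribute": "sub",
    "AuthorizationEndpoint": "https://idp.example/authorize",
}
REDIRECT_URI = "https://localhost:8443/VoiceCheck/core/operator/default.action"

def b64url(data: bytes) -> str:
    # Unpadded base64url, the encoding RFC 7636 requires for PKCE values.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_auth_request(config=CONFIG, verifier=None, state=None):
    """Return (authorization_url, code_verifier, state); both secrets are random per login."""
    if config.get("AuthFlow") != "PKCE":
        raise ValueError("only the PKCE flow is supported")
    verifier = verifier or b64url(secrets.token_bytes(32))  # params only for deterministic tests
    state = state or b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": config["ClientId"],
        "redirect_uri": REDIRECT_URI,
        "scope": config["Scope"],
        "state": state,
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return config["AuthorizationEndpoint"] + "?" + urlencode(params), verifier, state

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code; reject a callback whose state is not the one we sent."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the callback")  # the state error in the table
    return query["code"][0]

def operator_from_userinfo(userinfo_json: str, config=CONFIG) -> str:
    """Return the configured UserAttribute (sub) from a userinfo response, or fail if absent."""
    value = json.loads(userinfo_json).get(config["UserAttribute"])
    if not value:
        raise ValueError("userinfo lacks " + config["UserAttribute"])  # 'required sub' error
    return value
```

The code exchange at the token endpoint (sending code_verifier with the code) is the step not shown here; the verifier returned by build_auth_request is what the app must keep for it.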

Error Handling

VoiceCheck

Review the notifications table for errors related to SSO. This table is viewable by selecting Administration > Notifications.

M&I App Errors

The identity provider may display error messages when there is a problem with the sign on.

| Type | Message | Details |
|---|---|---|
| Error | Missing/incorrect SSO parameters. Verify the parameters with the administrator | The user has not entered all the parameters needed for the sign-on process (callback URL, client ID) in the OneTimeStartupSettings.config file |
| Error | Error during the sign-in process. Contact your administrator | Authorization code validation failed: the state sent in the authorization request differs from the one obtained in the response |
| Error | Error during the sign-in process. Contact your administrator | Malformed generated exchange request |
| Error | Missing/incorrect SSO parameters. Verify the parameters with the administrator | Unknown scope sent in the authorization request to the IDP |
| Error | Error during the sign-in process. Contact your administrator | Incorrect parameters in the access request |
| Error | Error during the sign-in process. Contact your administrator | Failed getting the access request |
| Error | Error during the sign-in process. Contact your administrator | The userinfo endpoint response does not contain the required sub parameter needed to get the user information |
| Information | Not implemented functionality | The user entered a different authorization protocol in OneTimeStartupSettings.config; only PKCE is currently supported |
| Warning | User has canceled the sign-in. Try again | The user canceled the sign-in process, for example by closing the IDP credentials page |
| Warning | User has not consented the usage of its information | The user did not consent to the usage of their information by M&I (on the consent screen, the user chose not to consent) |