SSO Configuration
VoiceCheck
SSO is enabled during VoiceCheck installation for authentication. The installation wizard asks for the following items.
| Name | Description |
|---|---|
| Enable SSO Configuration | Select Yes to enable SSO or select No to skip SSO setup. |
| Admin User | Create the initial user. This user can then add additional VoiceCheck users after installation is complete. |
| Client Id | ID assigned by SSO provider |
| Client Secret | Secret assigned by SSO provider |
| Authentication URL | Provider end point for authentication |
| Token URL | Provider end point to obtain access token |
| Issuer URL | Provider end point |
| JWKS URL | Provided end point for token signature validation |
| Redirect URL | VoiceCheck end point for login success, for example: https://localhost:8443/VoiceCheck/core/ operator/default.action |
| User Info URL | End point to get user details from SSO provider |
| Audience | Optional provider provided setting |
| Logout URL | Optional provider end point for user logout |
|
Username Attribute |
sub (Attribute in JSON response that contains username) |
The default value for SSO_Scopes is openid, offline_access. This property may be modified in the voc_system_properties DB table.
M&I App
Before starting the application, edit the OnetimeStartupSettings.config file to set the SSO properties for the application. Copy this file to the following location file or use an MDM software to push the file to :
/Internal shared storage/Android/data/com.honeywell.sps.wfs.mandi/files/Configuration/OnetimeStartupSettings.configSample file:
{
"Repositories": {
"InspectionConfig": {
"SecureConnections": "false",
"WorkflowFilterChoice": "Server",
"Host":"<Host>",
"Port":"<Port>",
"ClientId": "0oa1pune56qcbKhul0h8",
"Scope": "openid email offline_access profile",
"AuthFlow":"PKCE",
"SingleSignOn":"true",
"UserAttribute":"sub",
"AuthorizationEndpoint":"<authorization url>",
"TokenEndpoint":"<token url>",
"UserInfoEndpoint":"<user info url>",
"RevocationEndpoint":"<revocation endpoint url>"
}
}
}The table below describes the possible entries for the OnetimeStartupSettings.config file.
| Name | Description | Default |
|---|---|---|
| SingleSignOn | Single Sign On, set to true to enable SSO (boolean) | false |
| IssuerURL | Provider end point (string) | |
| ClientId | ID assigned by SSO provider (string) | |
| AuthFlow | Authorization flow, either PKCE or NAPPS (string) | PKCE |
| Scope | Scope (string) | openid profile email offline_access |
| TokenType | Token type exhanged by provider JWT or Opaque (string) | JWT |
| SupportRefresh | If the identity provider supports refresh tokens (boolean) | false |
| AuthProtocol | Authorization protocol OAuth2.0, OAuth, SAML (string) | OAuth2.0 |
| IDPTokentime | Time in seconds where the app is going to validate the access token with server (double) | 14400 |
| AuthorizationEndpoint | URL to obtain auth token (string) | |
| TokenEndpoint | URL to obtain the acces/refresh token (string) | |
| UserInfoEndpoint | URL to obtain information from the user (string) | |
| RevocationEndpoint | URL to revoke the access/refresh token (string) | |
| EndSessionEndpoint | URL to clear cookies in browser for access/auth token (string) | |
| UserAttribute | The attribute to be sent to the VoiceCheck server as operator (it has to be identical to the one configured by the server) (string) |
Next enable Single Sign On from the Settings screen of the M&I App.
To switch from basic authentication to SSO, the app must be unistalled and then reinstalled.
This SSO workflow is as follows:
- User starts the mobile app and clicks to login.
- The mobile client redirects to the IDP via the Callback URL entered above and exchanges certificates.
- The IDP authenticates the user via the login and consent responses.
- The IDP returns tokens for the authentication process.
- The app uses the token to authenticate requests to the server.
Error Handling
VoiceCheck
Review the notifications table for errors related to SSO. This table is viewable by selecting Administration > Notifications.
M&I App Errors
The identity provider may display error messages when there is a problem with the sign on.
| Type | Message | Details |
|---|---|---|
| Error |
Missing/incorrect SSO parameters. Verify the parameters with the administrator |
The user has not entered all the parameters via the OneTimeStartupSettings.config file needed for the sign on process: callback URL, client ID |
| Error | Error during the sign-in process. Contact your administrator | Authorization code validation failed, the state sent in the request auth is different from the one obtained in the response of the request auth |
| Error | Error during the sign-in process. Contact your administrator | Malformed generated exchange request |
| Error | Missing/incorrect SSO parameters. Verify the parameters with the administrator | Unknown scope sent in the auth request in the IDP |
|
Error |
Error during the sign-in process. Contact your administrator | Incorrect parameters in the access request |
| Error | Error during the sign-in process. Contact your administrator | Failed getting the access request |
| Error | Error during the sign-in process. Contact your administrator | The userinfo endpoint does not contain the required sub parameter to get the user information |
| Information | Not implemented functionality | When the user enters a different authorization protocol in the OneTimeStartupSettings.config, only PKCE is currently supported |
| Warning | User has canceled the sign-in. Try again | The user has canceled the sign in process, for example closed the IDP credentials page |
| Warning | User has not consented the usage of its information | The user has not consented to the usage of information by M&I, in the consent screen, the user clicked on not consent |