Single Sign-On

Version 21.0.7884

Arc supports Single Sign-On (SSO) via the OpenID standard. Identity providers that implement OpenID, like Azure AD, can be used as an SSO platform for Arc.

Overview

Enabling Single Sign-On requires configuring a group of settings in the Settings page of the application, under the Single Sign-On tab. Each of these settings is explained in the next section.

Once the SSO settings are configured, users created within Arc should be given a Federation ID. This Federation ID value ties an Arc username to an identity provider entity. When an Arc user attempts to log in to the application, they will be redirected to the SSO platform, where the credentials for the appropriate identity must be entered.

Once SSO has been configured and Arc users have a Federation ID value to associate them with an identity provider, any further advanced configuration for SSO user management should be performed in the SSO platform itself.

Note: Arc currently only supports individual users, not groups of users. If an SSO platform provides access for a group of users, each individual user within that group must be added as a user in Arc’s Settings page in order to log in. Each user should reference the Federation ID from the identity provider (as described below).

SSO Settings

This section details each of the SSO settings and what they represent within Arc. The details of these settings may depend on the identity provider used, and a guide for Azure AD specifically is provided in the next section.

SSO URIs

Audience URIs

This value identifies the intended recipient of SSO login tokens; in other words, it ensures that tokens generated by the SSO platform were intended for use by Arc. Set this value to the URI that identifies Arc as a trusted application within the SSO platform (e.g. the ‘Application ID’ that the SSO platform has generated for Arc).

This value can be set to a comma-separated list to accommodate multiple relevant URIs.

Authorization URL

This value is the URL where the user should perform authorization via the identity provider. When an SSO user attempts to log in to Arc, Arc will redirect the user to this URL, where the user can enter the credentials for the SSO platform.

This value should typically be set to the OAuth authorization endpoint for whichever identity provider you are using.

Token URL

This value is the URL where a secure authentication token can be obtained from the identity provider. After a user authenticates via the Authorization URL, the identity provider redirects to this URL to generate a token from the credentials entered by the user.

Logoff URL

This value determines where the Arc user should be redirected after logging out of the application.

Redirect URIs

Redirect URIs are configured in the identity provider (not Arc itself), to indicate where users should be returned once they perform the authentication against the identity provider.

The appropriate redirect URI for Arc has the following structure:

[base_arc_url]/src/ssoCallback.rst

For example, if Arc was being hosted on mydomain.com on port 8001, the following redirect URI should be used: https://mydomain.com:8001/src/ssoCallback.rst

SSO Issuer Settings

Issuer Certificate

This value is the public portion of the certificate that the identity provider uses to sign JWT tokens. This helps ensure that only tokens generated by the expected identity provider are accepted.

Token Issuer Identifier

This value is the identifier used by the identity provider when generating JWT tokens. Arc will validate tokens to ensure that they include this identifier. This helps ensure that only tokens generated by the expected identity provider are accepted.

Federation ID Settings

Key Claim

This setting specifies what value from the identity provider should be treated as the Federation ID. In other words, this specifies the claim to use as the Federation ID when mapping users from the identity provider to Arc usernames.

When an Arc user logs in via an identity provider, Arc will compare the Federation ID for that local user against the identity claim from the provider; the Key Claim determines what value from the identity provider Arc should use for this comparison.

OAuth Settings

OAuth Client ID

This value is the Client ID associated with the OAuth Application created in the identity provider.

OAuth Client Secret

This value is the Client Secret associated with the OAuth Application created in the identity provider.

Default Scopes

This value is a space-separated list of scopes (i.e. sets of permissions) to request from the identity provider. Typically the scope(s) should at least include openid to request identity verification.

Other Settings

Token Signature Algorithm

This setting determines what signature algorithms will be accepted from signed JWT tokens. Unsigned tokens will never be accepted.
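The following is an added illustration, not Arc's own code, of the checks that the Audience URIs, Token Issuer Identifier, Token Signature Algorithm and Key Claim settings describe, applied to a constructed JWT. To keep it standard-library only, HS256 with a shared secret stands in for RS256 with the Issuer Certificate; the settings dictionary, its key names and the user table are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed settings mirroring the Arc Settings page (key names are an assumption).
SSO_SETTINGS = {
    "audience_uris": "api://constructed-app-id, https://mydomain.com:8001",  # comma-separated list
    "token_issuer": "https://idp.example.test/constructed-tenant/v2.0",
    "signature_algorithms": {"HS256"},  # Arc defaults to RS256; HS256 keeps this demo stdlib-only
    "key_claim": "oid",
}
ARC_USERS = {"alice": "11111111-2222-3333-4444-555555555555"}  # constructed username -> Federation ID
SHARED_SECRET = b"constructed-demo-secret"  # stands in for the Issuer Certificate's public key

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, secret=SHARED_SECRET):
    """Build a constructed JWT; alg "none" yields an unsigned token (empty signature segment)."""
    body = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    if header.get("alg") == "none":
        return body + "."
    return body + "." + _b64url_encode(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def resolve_sso_user(token, settings=SSO_SETTINGS, users=ARC_USERS, secret=SHARED_SECRET, now=None):
    """Map a token to an Arc username, or raise ValueError naming the check that failed."""
    h, p, s = token.split(".")
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    # Token Signature Algorithm: allow-listed algorithms only; unsigned/"none" tokens are never accepted.
    if not s or header.get("alg") not in settings["signature_algorithms"]:
        raise ValueError("rejected signature algorithm %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    # Token Issuer Identifier: the iss claim must equal the configured issuer.
    if claims.get("iss") != settings["token_issuer"]:
        raise ValueError("unexpected issuer")
    # Audience URIs: the aud claim must name at least one entry of the comma-separated list.
    allowed = {a.strip() for a in settings["audience_uris"].split(",")}
    aud = claims.get("aud")
    if not (set(aud if isinstance(aud, list) else [aud]) & allowed):
        raise ValueError("token not intended for this application")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    # Key Claim -> Federation ID: the chosen claim must match a local Arc user's Federation ID.
    fid = claims.get(settings["key_claim"])
    username = next((u for u, f in users.items() if f == fid), None)
    if username is None:
        raise ValueError("no Arc user with Federation ID %r" % fid)
    return username
```

A token that passes every check resolves to the Arc username whose Federation ID equals the configured Key Claim; any other token is rejected with the name of the failing check, which is the behaviour the settings above are meant to produce.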

Azure AD Configuration

This section explains the likely values for each of the above settings when Azure AD is used as the identity provider.

  • Audience URIs - Only one URI is required, which is the Application ID (client ID) that Azure AD has assigned for Arc.
  • Authorization URL - This URL can be found as the “OAuth 2.0 authorization endpoint (v2)” in the Endpoints list within Azure.
  • Default Scopes - Only the scope “openid” is required; further scopes can be added if necessary.
  • Issuer Certificate - The public certificate can be found using the Azure AD Metadata Document which is described in the next subsection.
  • Key Claim - This value should be “oid” for the Object ID, except in rare circumstances.
  • OAuth Client ID - This value is assigned by Azure AD after creating an OAuth Application within the platform.
  • OAuth Client Secret - This value is assigned by Azure AD after creating an OAuth Application within the platform.
  • Token Issuer Identifier - This value can be found using the Azure AD Metadata Document which is described in the next subsection.
  • Token Signature Algorithm - The default value ‘RS256’ should be used.
  • Token URL - This value can be found using the Azure AD Metadata Document which is described in the next subsection.
  • Logoff URL - This value can be set to any URL where users should be directed after logging off.

Metadata Document

The Azure AD portal includes a Metadata Document that lists important values to use when configuring SSO. From within the portal, you can find this document under Endpoints -> OpenID Metadata Document.

Browse this document for the fields listed above to ensure that your Azure AD configuration includes the appropriate values for your setup.

Redirect URIs

Azure AD must be configured with a Redirect URI to ensure login tokens are redirected back to Arc once users have authenticated. The appropriate redirect URI for Arc has the following structure:

[base_arc_url]/src/ssoCallback.rst

For example, if Arc was being hosted on mydomain.com on port 8001, the following redirect URI should be used: https://mydomain.com:8001/src/ssoCallback.rst