Configuring OpenID Connect Client Access

Configure the application to use your authentication provider. SystemLink Enterprise uses the OpenID Connect protocol to authenticate users from an external authentication provider.

Before you begin, register SystemLink Enterprise as a client with your authentication provider. Refer to the documentation for your authentication provider for the specific registration process. Use the UI hostname of the application for the registration.
After registration, you should have a client id and a client secret value for your application. You might also have a JSON web key set (JWKS) depending on your provider. You need these plus the URL of your authentication provider to configure SystemLink Enterprise.
  1. Open systemlink-values.yaml.
  2. Set webserver.oidc.issuer to the URL of your authentication provider. When you configure the login redirect for your provider, use the following redirect URL, where [protocol] and [ui-hostname] match the UI hostname you registered: [protocol]://[ui-hostname]/oidc/callback
  3. Set the following parameters to the values you received during registration.
    • webserver.secrets.oidc.clientId
    • webserver.secrets.oidc.clientSecret
    • webserver.secrets.oidc.jwks
    Note If you are not using Helm to manage secrets, you must configure the OpenID Connect secret manually.
  4. Optional: Configure the webserver.oidc.scope value to select the OpenID Connect scopes that SystemLink Enterprise will request. By default, SystemLink Enterprise requests the openid, email, and profile scopes. The openid scope is required. The profile and email scopes are used to populate user details in the UI. Other scopes might be useful when assigning user roles in the application. Consult the documentation for your authentication provider to see what scopes are available.
    Note Include the offline_access scope to enable users to view the claims returned for the logged-in user at https://<systemlink-host>/oidc/user-info. You can use this page to confirm that the claim you want to use when setting up an OIDC claim mapping is actually available to SystemLink.
  5. Ensure that the authentication provider returns the following minimum claims with each user's identity token.
    • email
    • given_name
    • family_name
  6. Optional: Configure the webserver.oidc.userIDClaim value. This value is the OpenID Connect claim that SystemLink Enterprise uses to identify a user. By default, SystemLink Enterprise uses the email address of the user.
    Note If you change this value once the product is in use, all user permissions will be lost.
  7. Optional: Configure the OpenID Connect claim that SystemLink Enterprise will use as the user name for a given user. By default, this is the name property. This setting only affects how users are displayed in the UI.
  8. Optional: The cluster might require a proxy server to access your OpenID Connect authentication provider. In this case, set webserver.proxy.authority to the hostname and port of the proxy server.
  9. Optional: If the proxy server requires credentials, uncomment webserver.proxy.secretname.
  10. Optional: In systemlink-secrets.yaml, configure webserver.secrets.proxy.username and webserver.secrets.proxy.password or manually deploy these secrets.
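The following is an added example, not NI's own sample values files, showing how the keys named in steps 2 through 10 fit together across systemlink-values.yaml and systemlink-secrets.yaml. The issuer URL, proxy host, secret name and every credential value are constructed placeholders; the explicit userIDClaim value and the jwks format are assumptions, since the page only states that the default identifier is the user's email address and that a JWKS may or may not be issued by your provider. Step 7 is omitted because the page does not name its configuration key.

```yaml
# systemlink-values.yaml (added example; placeholder values)
webserver:
  oidc:
    # Step 2: base URL of your authentication provider (constructed placeholder).
    # Register https://systemlink.example.com/oidc/callback as the login
    # redirect with the provider, using the UI hostname you registered.
    issuer: https://idp.example.com/realms/systemlink
    # Step 4: scopes to request. openid is required; email and profile fill
    # user details in the UI; offline_access lets you inspect the returned
    # claims at https://<systemlink-host>/oidc/user-info.
    scope: "openid email profile offline_access"
    # Step 6: claim used to identify a user. Shown explicitly here as an
    # assumption; the page states only that the default is the email address.
    # Changing this after users exist discards all user permissions.
    userIDClaim: email
  proxy:
    # Step 8: only when the cluster must reach the provider via a proxy
    # (constructed placeholder host and port).
    authority: proxy.example.com:3128
    # Step 9: uncomment when the proxy requires credentials.
    # secretname: <name-of-proxy-credential-secret>
---
# systemlink-secrets.yaml (added example; placeholder values)
webserver:
  secrets:
    oidc:
      # Step 3: values issued by the provider when you registered the client.
      clientId: <client-id-from-provider>
      clientSecret: <client-secret-from-provider>
      # Supply only if your provider issued a JWKS; format assumed to be the
      # provider's JWKS document as a string.
      jwks: <jwks-from-provider-if-any>
    proxy:
      # Step 10: proxy credentials, used when webserver.proxy.secretname is set.
      username: <proxy-username>
      password: <proxy-password>
```

Keep the two documents in their separate files as the steps describe; they are shown back to back here with a `---` separator only so the example stays a single valid YAML stream. If you do not manage secrets with Helm, create the equivalent Kubernetes secrets by hand instead of filling in the second document.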