Configuring SystemLink to Connect to Your OpenID Connect Provider

Create the configuration files SystemLink uses to connect to your OpenID Connect provider.

  1. Make a note of your issuer URI.
    Note You can find the issuer URI in the issuer property of the document served at your provider's OpenID Connect configuration endpoint (the issuer URI followed by /.well-known/openid-configuration). The issuer URI also determines the names of the files you create below: remove the scheme and URL-encode the remainder, including any port and path. For example, if the issuer URI is https://example.com:9999/v2, you would name your file example.com%3A9999%2Fv2.conf.
  2. Log into the server running SystemLink and navigate to C:\Program Files\National Instruments\Shared\Web Server\conf\openidc.
  3. Create a file named provider-issuer-uri.conf, where provider-issuer-uri is the issuer URI you noted earlier with the scheme removed and the rest URL-encoded (host, port, and path included), for example example.com%3A9999%2Fv2.conf.
  4. Use the following example to populate the .conf file.
    {
      "scope": "openid email profile",
      "ni-attributes": {
        "displayName": "Log in with PingFederate",
        "iconUri": "/login/assets/pf.png"
      },
      "keys": [
        {
          "p": "...",
          "kty": "RSA",
          "q": "...",
          "d": "...",
          "e": "AQAB",
          "use": "enc",
          "kid": "2020-11-20",
          "qi": "...",
          "dp": "...",
          "dq": "...",
          "n": "..."
        }
      ]
    }
    • scope – The scopes SystemLink requests from the provider. The claims they release can be mapped to roles within SystemLink workspaces. You must include the profile and email scopes to populate the first name, last name, and email fields in the SystemLink user preferences; these are derived from the given_name, family_name, and email claims respectively. Consult the documentation for your provider for more information about exposing scopes to clients.
    • ni-attributes – Determines the text and icon you want to show on the SystemLink login page. iconUri is relative to C:\Program Files\National Instruments\Shared\Web Server\htdocs. Your icon must be 16x16 px.
    • keys – Contains, as a JWK Set, the private keys NI Web Server uses to decrypt ID tokens when the provider encrypts them with asymmetric (public-key) encryption. The corresponding public keys must be registered with the provider, which uses them to encrypt the ID token.
      • use – Must have a value of enc to indicate the key is used for encryption.
      • kid – Must match the kid property of the corresponding public key registered with the identity provider; NI Web Server uses it to select the decryption key.
      You can omit this section if the provider uses symmetric encryption or does not encrypt ID tokens. When the section is present, the .conf file holds private key material, so restrict read access to the account NI Web Server runs as.
  5. Save and close the file.
  6. Create a file named provider-issuer-uri.client. NI Web Server uses this file to authenticate with the provider.
  7. Use the following example to populate the .client file.
    {
      "client_id": "slserver",
      "client_secret": "4vFm89u07xaredactedredactedredactede2tjtsEGQhlLreLVjcyLA0"
    }
    You can obtain values for client_id and client_secret from your provider. Depending on the provider, client_id may be user defined. The client_secret is the credential with which the SystemLink server authenticates to the provider, so restrict read access to the .client file to the account NI Web Server runs as.
  8. Save and close the file.
  9. Use the following curl command to download the provider's discovery document and save it as the provider-issuer-uri.provider file. This file tells SystemLink which endpoints the provider exposes for use during login.
    curl https://issuer-uri/.well-known/openid-configuration -o provider-issuer-uri.provider

    Where

    • issuer-uri is the issuer URI you noted earlier, used as-is (not URL-encoded) and including any port and path. For the example above, the URL is https://example.com:9999/v2/.well-known/openid-configuration.
    • provider-issuer-uri is the URL-encoded form of the same issuer URI, identical to the name you used for the .conf and .client files.
    Check that the issuer value in the downloaded file matches your issuer URI exactly, including scheme, port, path, and any trailing slash. OpenID Connect compares issuers as exact strings, so a difference here causes token validation to fail.
  10. Save the resulting .provider file in C:\Program Files\National Instruments\Shared\Web Server\conf\openidc.
  11. If you have multiple OpenID Connect providers, create a .conf, .client, and .provider file for each provider. The user ID in SystemLink must be unique across providers. This ID uses the format [sub_claim]@issuer. You can see the ID SystemLink associates with a user in the user details in SystemLink Access Control.
  12. If NI Web Server must reach the provider through an outgoing HTTP proxy, create a file named 60_openidc_proxy.conf at C:\Program Files\National Instruments\Shared\Web Server\conf\conf.d and use the following example to populate it, replacing host and port with the host name and port of the proxy.
    <IfDefine AUTH_OIDC_ENABLED>
        OIDCOutgoingProxy host:port
    </IfDefine>
  13. Restart NI Web Server to apply the changes.
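The following script is an added example for this page; it is not part of the original documentation or of NI's software. It derives the provider-issuer-uri file name stem from an issuer URI the way the page's example does, builds the discovery URL used in the curl step, and checks the contents of the three per-provider files against the requirements listed above (required scopes, use and kid on every private key, client_id and client_secret present, and an issuer in the .provider file that matches exactly). The sample provider data and the function names are the example's own, constructed for illustration; in practice you would load the three files from the openidc directory with json.load.

```python
"""Consistency check for a SystemLink OpenID Connect provider configuration.

Added example for this page; not NI code and not a reader of the real
NI Web Server files. It applies the requirements the page lists to the
three per-provider files (.conf, .client, .provider) so that mistakes are
caught before NI Web Server is restarted.
"""
from urllib.parse import quote, urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def issuer_to_file_stem(issuer: str) -> str:
    """Derive the provider-issuer-uri file name stem from the issuer URI.

    Follows the page's example: drop the scheme and URL-encode the rest so
    that ':' and '/' become %3A and %2F.
    https://example.com:9999/v2 -> example.com%3A9999%2Fv2
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an absolute https URI: {issuer!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"issuer must not contain a query or fragment: {issuer!r}")
    return quote(parts.netloc + parts.path, safe="")


def discovery_url(issuer: str) -> str:
    """URL to fetch with curl in step 9: the issuer plus the well-known suffix."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_provider(issuer: str, conf: dict, client: dict, provider: dict) -> list:
    """Return the problems found in the three files; an empty list means OK."""
    problems = []

    # .provider: the discovery document's issuer must equal the configured one
    # as an exact string (OpenID Connect does not normalize issuers).
    if provider.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: expected {issuer!r}, .provider has {provider.get('issuer')!r}")
    for endpoint in REQUIRED_ENDPOINTS:
        if not provider.get(endpoint):
            problems.append(f".provider is missing {endpoint}")

    # .conf: the page requires the openid, email and profile scopes.
    missing = REQUIRED_SCOPES - set(conf.get("scope", "").split())
    if missing:
        problems.append(f".conf scope is missing {sorted(missing)}")

    # .conf: each decryption key needs use=enc, a kid the provider can match,
    # and an actual private part (an RSA JWK without 'd' is a public key).
    for i, key in enumerate(conf.get("keys", [])):
        if key.get("use") != "enc":
            problems.append(f".conf keys[{i}]: use must be 'enc'")
        if not key.get("kid"):
            problems.append(f".conf keys[{i}]: kid is required to match the provider's public key")
        if key.get("kty") == "RSA" and not key.get("d"):
            problems.append(f".conf keys[{i}]: RSA key has no private exponent 'd'")

    # .client: both credentials must be present.
    for field in ("client_id", "client_secret"):
        if not client.get(field):
            problems.append(f".client is missing {field}")
    return problems


# Constructed sample data mirroring the page's examples (placeholder values).
ISSUER = "https://example.com:9999/v2"
SAMPLE_CONF = {
    "scope": "openid email profile",
    "ni-attributes": {"displayName": "Log in with PingFederate", "iconUri": "/login/assets/pf.png"},
    "keys": [{"kty": "RSA", "use": "enc", "kid": "2020-11-20", "e": "AQAB", "n": "...", "d": "..."}],
}
SAMPLE_CLIENT = {"client_id": "slserver", "client_secret": "redacted"}
SAMPLE_PROVIDER = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
}


def check_sample(provider_issuer: str = ISSUER) -> list:
    """Check the constructed sample; pass a different issuer string to see
    how a trailing-slash or host mismatch in the .provider file is reported."""
    provider = dict(SAMPLE_PROVIDER, issuer=provider_issuer)
    return check_provider(ISSUER, SAMPLE_CONF, SAMPLE_CLIENT, provider)


if __name__ == "__main__":
    stem = issuer_to_file_stem(ISSUER)
    print("files:", stem + ".conf", stem + ".client", stem + ".provider")
    print("curl", discovery_url(ISSUER), "-o", stem + ".provider")
    for issuer_in_provider in (ISSUER, ISSUER + "/"):
        print(issuer_in_provider, "->", check_sample(issuer_in_provider) or "OK")
```

Running the script prints the three file names, the exact curl command for step 9, and the check result for the sample, once with a matching issuer (OK) and once with a trailing slash added to show the mismatch report.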