OpenID Single Sign On
OpenID Single Sign On provider configuration
Quinyx supports the OpenID Connect specification (currently version 1.0).
The provider now also supports Mobile SSO login.
Prerequisites to complete a configuration:
- An IDP (identity provider) set up that supports OpenID Connect.
- Client credentials (a Client ID and Client secret) for Quinyx to use to identify itself towards the IDP service.
Basic configuration
To create a new configuration or to edit an existing one, go to Authentication settings > OpenID providers.
Click Add to create a new configuration.
Configure the basic details for OpenID Connect
- Name: The name of the provider in Quinyx.
- Global Login alias: Quinyx SSO providers (OpenID and SAML) can now be set up to make the provider name a Global login alias. Global means it is checked for uniqueness in Quinyx's different regions (EU and US). A user (employee or manager) can use the alias in the Mobile app login dialogue to be directed to the correct SSO provider directly. The login flow for web will be updated at a later point.
- Attribute name: The attribute used as the username in the OpenID setup.
- Scopes: Sets of information to be made available as Claim Values from the IDP. OpenID is the minimum; Profile is commonly used as well. To add a scope, type its name in the Scopes field.
- Identification type: The data type Quinyx matches against the data received from the IDP.
- Use PKCE: PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension that binds the authorization code to the client that requested it. It enhances security, but the customer's IDP must support it for the login to work. Tick the Use PKCE checkbox to activate it.
- Logout URI: URI for logging out the client in Quinyx and also in the customer's identity provider.
- Client ID: ID the customer must provide so Quinyx can identify itself towards the IDP.
- Client secret: The secret, also provided by the customer, that Quinyx presents together with the Client ID for identification.
- Preset URL: Enter the base URL of the customer's IDP and Quinyx will fetch the preset information (the IDP's discovery document) and populate the Advanced preset values with it.
- Click Continue.
- The form will be populated with the preset data from the Preset URL.
- Copy the Return URI and provide it to the Customer.
If you would like to manually update anything in the Advanced section, click on the padlock.
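To show what the Preset URL step does behind the scenes, here is an added example (not Quinyx code) that builds the discovery URL from an IDP base URL, parses the OpenID Connect discovery document, and performs the checks worth making before trusting it: the issuer must equal the base URL the document was fetched from, every endpoint must be HTTPS, and the IDP must advertise the S256 method if Use PKCE is going to be ticked. The sample document below is constructed in the shape the Microsoft identity platform returns, with a placeholder in place of a tenant ID; the function names and the `fetch_preset` helper are this example's own.

```python
"""Added example: what fetching the "Preset URL" yields.

Parses an OpenID Connect discovery document and returns the values that
populate the Advanced section. Not Quinyx code; the sample document is
constructed and the tenant id is a placeholder.
"""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata names follow OIDC Discovery 1.0, not Quinyx's own field labels.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")


def discovery_url(base_url: str) -> str:
    """Build the discovery URL from the IDP base URL entered as Preset URL."""
    return base_url.rstrip("/") + WELL_KNOWN


def parse_discovery(base_url: str, document: str) -> dict:
    """Validate a discovery document and return the preset values.

    - issuer must match the base URL the document came from (OIDC Discovery
      1.0 section 4.3), so a redirect or a misconfigured proxy cannot
      substitute another issuer's endpoints;
    - every endpoint must be https;
    - pkce_s256 tells you whether "Use PKCE" can be ticked for this IDP.
    """
    meta = json.loads(document)
    missing = [key for key in REQUIRED if key not in meta]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if meta["issuer"].rstrip("/") != base_url.rstrip("/"):
        raise ValueError(f"issuer mismatch: {meta['issuer']} != {base_url}")
    preset = {}
    for key in REQUIRED + OPTIONAL:
        value = meta.get(key)
        if value is None:
            continue
        if key != "issuer" and urlsplit(value).scheme != "https":
            raise ValueError(f"{key} is not https: {value}")
        preset[key] = value
    preset["pkce_s256"] = "S256" in meta.get("code_challenge_methods_supported", [])
    preset["auth_methods"] = meta.get("token_endpoint_auth_methods_supported", [])
    return preset


def fetch_preset(base_url: str, timeout: float = 10.0) -> dict:
    """Online variant (assumption: a plain GET is enough). Not run below."""
    with urlopen(discovery_url(base_url), timeout=timeout) as resp:
        return parse_discovery(base_url, resp.read().decode("utf-8"))


# Constructed sample document; TENANT-ID-PLACEHOLDER stands in for a real id.
SAMPLE_BASE = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
SAMPLE_DOC = json.dumps({
    "issuer": SAMPLE_BASE,
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/logout",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
    "code_challenge_methods_supported": ["plain", "S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
})

if __name__ == "__main__":
    for key, value in parse_discovery(SAMPLE_BASE, SAMPLE_DOC).items():
        print(f"{key}: {value}")
```

The `auth_methods` list returned here is what decides the "Client authentication method" choice in the Advanced section (for example "post" corresponds to `client_secret_post`), and `end_session_endpoint` is the value behind the Logout URI.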
Configuration of Global Login alias
When adding or updating an SSO provider you can now choose to make the Name of the provider a Global login alias. This means that the Name of the provider will be globally unique and can be used when logging in from the mobile app. (Support for logging in from the web portal will be delivered later.)
1. Check the box for Global Login Alias.
2. Configure the rest of the provider.
3. Save the configuration.
4. The name of the provider will be validated for global uniqueness (Both EU and US environments).
5. If the name is unique and approved, the provider configuration is saved.
6. After saving the configuration, users will be able to use the Global Login Alias in the mobile app by entering the name of the provider on the login page (in the Username field) and tapping Continue. They will then be automatically redirected to their own login provider page. The provider name is not case-sensitive. If the user gets a screen for entering their regular password instead of being redirected to the login provider page, the user has either entered the provider name incorrectly or the Global Login alias checkbox is not ticked (step 1).
Azure OpenID Connect setup
Initial setup in Azure AD
- Log in, go to the Azure Active Directory tab.
- Click app registrations, click New registration, and name your app registration.
- When viewing the app registration, go to certificates and secrets, click new client secret and copy the value. You will not be able to get the value of the secret if you do not copy it to a secure location in this step.
- Go to the Authentication tab in the app-register, click Add a platform.
- Choose web.
- Set the redirect URI to https://web-test.quinyx.com/extapi/v1/openidsso/login/oauth2/code/tenantname (for now).
- Check the "id_token" checkbox.
- Click Configure.
- Click Overview on the app-register and copy the Directory (tenant) id to build your openid-documentation URL.
- Your OpenID discovery document (used as the Preset URL in Quinyx) can be found at:
- https://login.microsoftonline.com/2d29d7ba-8fba-4204-a107-d9a159392c70/v2.0/.well-known/openid-configuration
- Replace the tenant ID in this URL with your own Directory (tenant) id. The tenant ID is public information; the client secret copied in the earlier step is the value that must be kept confidential.
- Copy your "Application (client) id" for later use as the clientId in the Quinyx setup.
In Quinyx
- Go to Account settings > Authentication > OpenID.
- Add a provider.
- Set the value of your client secret as client secret.
- Set your application (client) id as clientId.
- Set https://login.microsoftonline.com/2d29d7ba-8fba-4204-a107-d9a159392c70/v2.0/.well-known/openid-configuration as the "Preset URL"
- For scopes, set at least OpenID and Profile.
- Click Continue.
- This will open the advanced options, and in Client authentication method, choose "post".
- Copy the redirect-uri for later use.
- Optional: To enforce reauthentication on every call to the IDP, add "?prompt=login" to the authorization-uri (if the authorization-uri already contains a query string, append "&prompt=login" instead).
- Click Save.
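The two settings above that change the authorization request are "Use PKCE" (Basic configuration) and the "?prompt=login" suffix. The following added example (not Quinyx or Microsoft code) shows both: it generates an RFC 7636 code_verifier/code_challenge pair with the S256 method, composes the redirect to the IDP's authorization endpoint with `prompt=login` appended correctly whether or not the configured URI already carries a query string, and performs the check the IDP makes on the code_verifier at the token endpoint. The client id, state and nonce values are constructed placeholders; the redirect URI path is the one given earlier on this page.

```python
"""Added example: PKCE pair generation, authorization request composition
(including prompt=login) and the IDP-side code_verifier check, per RFC 7636
and OpenID Connect Core. Not Quinyx code; all ids and URLs are placeholders
or constructed values.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """IDP side: recompute S256(verifier) and compare in constant time.
    A stolen authorization code is useless without the verifier."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(authorization_uri, client_id, redirect_uri, scopes,
                            state, nonce, code_challenge=None, force_login=False):
    """Compose the redirect to the IDP.

    prompt=login is just another query parameter, so a configured
    authorization-uri that already has a query string must get '&', not a
    second '?'. Merging into one parameter dict and re-encoding handles that.
    """
    parts = urlsplit(authorization_uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({
        "response_type": "code",          # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),        # "openid" is mandatory
        "state": state,                   # binds the callback to this request (CSRF)
        "nonce": nonce,                   # binds the id_token to this request (replay)
    })
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if force_login:
        params["prompt"] = "login"        # IDP must re-authenticate the user
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def authorization_query(url: str) -> dict:
    """Flatten the query string of a composed URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url(
        "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
        client_id="APPLICATION-CLIENT-ID-PLACEHOLDER",
        redirect_uri="https://web-test.quinyx.com/extapi/v1/openidsso/login/oauth2/code/tenantname",
        scopes=["openid", "profile"],
        state=secrets.token_urlsafe(16),
        nonce=secrets.token_urlsafe(16),
        code_challenge=challenge,
        force_login=True,
    )
    print(url)
    print("verifier accepted:", pkce_challenge_matches(verifier, challenge))
```

The verifier never leaves the client until the token request, and the IDP only ever sees its SHA-256 hash in the authorization request; that is why ticking Use PKCE only helps when the IDP advertises S256 in its discovery document.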
Final step in Azure
- Go to the authentication tab of your app-registration, add the copied redirect-uri, and delete the previous one.
- Click Done.
- Note: By default Azure AD enforces two-factor authentication (security defaults), which gets in the way of development with, for example, made-up test users. This might need to be disabled during testing.
- This should only be done during testing and after consulting with the tenant.
- To do this go to Azure Ad and click Overview.
- Click Properties.
- Click Manage security defaults.
- Choose Disabled (Not recommended) and save.