Configuring YSoft SafeQ Client v3 and YSoft SafeQ Job Service with external OIDC provider
About
YSoft SafeQ Job Service provides an integrated OIDC provider which is used by default for authentication by the YSoft SafeQ Client v3 in client modes. This provides an OIDC flow with the users that are managed in the YSoft SafeQ Management interface. You can however choose a different identity provider instead of the one built into YSoft SafeQ Job Service.
Setting up the OIDC integration
To enable the integration, you must:
Configure the OIDC client in your external identity provider
Configure the Job Service to validate credentials with external identity provider
Configure the Client v3 in Server mode to validate credentials with external identity provider
Configure the OIDC client in your external identity provider
The configuration interface varies between identity providers, but the following properties must be set for the client to work.
Configuration | Value |
Client ID | ysoft-safeq-client |
Redirect URIs | http://localhost:3050/callback |
Web origins | * (or allow all) |
Flow | Authorization Code Flow with PKCE |
Refresh tokens | enabled |
Scopes | |
Claims | username - this must be the username that is used by YSoft SafeQ. This claim is not standard and must be added to the token by the identity provider. |
Audience | ysoft-safeq |
Configure the Job Service to validate credentials with external identity provider
Job Service needs to be configured via the local.json configuration file. The following configuration block needs to be added.
"AuthorityOptions": {
  "Authority": "https://sso.company.net/auth/realms/realmName",
  "Audience": "ysoft-safeq"
}
Authority is the address of your identity provider.
For Keycloak, use this pattern: https://<keycloak-url>/auth/realms/<realm-name>
Audience must have the value configured as audience when creating the client in your identity provider.
After adding the configuration, restart the component for it to take effect.
Configure the Client v3 in Server mode to validate credentials with external identity provider
As with Job Service, the Client v3 needs additional configuration via its local.json configuration file. The following configuration block needs to be added.
"AuthorityOptions": {
  "Authority": "https://sso.company.net/auth/realms/realmName",
  "Audience": "ysoft-safeq"
}
Authority is the address of your identity provider.
For Keycloak, use this pattern: https://<keycloak-url>/auth/realms/<realm-name>
Audience must have the value configured as audience when creating the client in your identity provider.
After adding the configuration, restart the component for it to take effect.
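Before rolling the configuration out, it is worth confirming that the tokens your identity provider mints actually satisfy what the two sections above (and the client table) require: the issuer equals the configured Authority, the audience contains ysoft-safeq, the token is not expired, and the non-standard username claim is present. The following Python script is an added example written for this page; it is not YSoft code and does not reflect how Job Service or Client v3 validate tokens internally. It builds a constructed HS256 token with a demo key so the checks run offline; a real provider signs with RS256 and the verifying side fetches the signing keys through the discovery document at Authority + /.well-known/openid-configuration, which discovery_url() derives from the same Authority value used in local.json.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Values from the page: the Authority configured in local.json and the
# audience registered for the ysoft-safeq-client in the identity provider.
AUTHORITY = "https://sso.company.net/auth/realms/realmName"
AUDIENCE = "ysoft-safeq"
REQUIRED_CLAIM = "username"  # non-standard claim the provider must add

# Constructed demo signing key (assumption for the offline example). A real
# provider signs with RS256 and the keys come from the discovery document.
DEMO_KEY = b"constructed-demo-hs256-key"


def discovery_url(authority: str) -> str:
    """OIDC discovery document location derived from the Authority value."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT so the checks below can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_token(token: str, key: bytes = DEMO_KEY, now: Optional[int] = None) -> List[str]:
    """Return the problems that would make a relying party configured with the
    page's AuthorityOptions reject the token. An empty list means it passes."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        problems.append("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer must match the Authority from local.json exactly.
    if claims.get("iss") != AUTHORITY:
        problems.append(f"issuer {claims.get('iss')!r} does not match Authority")
    # aud may be a string or a list; the configured Audience must be in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud_list:
        problems.append(f"audience {aud!r} does not contain {AUDIENCE!r}")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    # SafeQ maps the session to a user through this non-standard claim.
    if not claims.get(REQUIRED_CLAIM):
        problems.append(f"missing {REQUIRED_CLAIM!r} claim")
    return problems


if __name__ == "__main__":
    # Constructed sample: a token a correctly configured provider would issue.
    good = make_demo_token({"iss": AUTHORITY, "aud": AUDIENCE,
                            "exp": int(time.time()) + 300, "username": "jdoe"})
    print("good token problems:", check_token(good))
    # Constructed sample: audience mapper and username mapper both forgotten.
    bad = make_demo_token({"iss": AUTHORITY, "aud": "account",
                           "exp": int(time.time()) + 300})
    print("bad token problems:", check_token(bad))
```

Paste a token from your provider's token endpoint in place of the constructed one to see which of the four conditions it fails; with Keycloak the two usual gaps are a missing audience mapper (aud defaults to "account") and the absent username mapper.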