OpenID Authentication

OpenID can be used as the authentication provider in Pyramid. OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 (and JWT) that securely signs a user in to an application. It lets co-operating sites authenticate users through a third-party identity service, so users can log in to multiple unrelated websites without maintaining a separate identity and password for each one.

Note: This feature is available with Enterprise licensing only.

OpenID Authentication Flow for Users

Each user must log in once, via single sign-on, with the identity provider. When the user tries to access the service provider, it sends an authorization and authentication request to the identity provider. The identity provider checks the user's credentials and determines whether the user is authorized to access the requested service. If so, it sends a token to the service provider, together with the authorization and authentication messages.

General OpenID Setup

Whether you have just installed Pyramid or you are migrating from one authentication provider to another, you will need to Change Provider. After that, you will need to convert your existing users to the new OpenID provider.

Provider Settings

The following fields are required for most vendors.

  • OpenID Provider: Select a provider for the OpenID implementation.
  • Custom Principal Name: This is provided by the vendor.
  • End Point URL: The official connection to the OpenID vendor's APIs.
  • Client ID: The Application (client) ID that the OpenID provider allocates to Pyramid when it is registered in their portal (the ID assigned to your app in the provider's App registrations experience).
  • Redirect URL: The redirect URL of your Pyramid implementation - where authentication responses can be sent and received by Pyramid.
  • Logout URL: The URL that the user is redirected to after successfully signing out of Pyramid.
  • JSON Web Keys URI: The URL where the provider publishes the public keys used to validate the signature of JWT tokens.

IIS Settings

Additional settings for IIS must be configured if IIS is used as the reverse proxy. By default, the web.config file can be found at the following path on all Pyramid web servers running IIS:

"C:\program files\pyramid\repository\iis\web.config"

Change your web.config file to the following. The update must be done on all Pyramid web servers running IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
        <system.webServer>
                <security>
                        <requestFiltering>
                                <requestLimits maxAllowedContentLength="2147483648" />
                        </requestFiltering>
                </security>
                <rewrite>
                        <rules>
                                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                                        <match url="(.*)" />
                                        <action type="Rewrite" url="http://localhost:8181/{R:1}" />
                                </rule>
                        </rules>
                        <outboundRules>
                                <rule name="302" preCondition="302">
                                        <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" />
                                        <action type="Rewrite" value="{R:2}" />
                                </rule>
                                <preConditions>
                                        <preCondition name="302">
                                                <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" />
                                        </preCondition>
                                </preConditions>
                        </outboundRules>
                </rewrite>
                <defaultDocument>
                        <files>
                                <clear />
                                <add value="readme.html" />
                        </files>
                </defaultDocument>
        </system.webServer>
</configuration>

Provider Provisioning Settings

You can provide Provider Provisioning Settings for certain SAML and OpenID setups. These details are used by Pyramid to query the Authentication Provider and are required to enable adding users through search and group roles in provisioning.

On the Provider Provisioning Settings tab:

  1. Select the Search Settings checkbox.
  2. Specify the following details from the vendor:

Initial User

This is the initial master user (from the OpenID framework) that will be matched in Pyramid.

  • User Name: the internal user name of the initial user. This is a bypass for the user when working outside of OpenID.
  • First Name: the first name of the initial user.
  • Last Name: the last name of the initial user.
  • Email: the email of the initial user.
  • Principal Name: the OpenID of the initial user (typically in the format someone@domain.com). This is the critical element that will enable Pyramid to match the incoming token with the user account.

Once OpenID authentication is configured, access to Pyramid can be completed through an OpenID JWT exchange with the designated provider.