OpenID Authentication

OpenID can be used as the authentication provider in Pyramid. It is supported by Microsoft, Google and many other vendors. OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 (and JWT) that securely signs a user in to an application. It lets co-operating sites authenticate users through a third-party service, so users can log in to multiple unrelated websites without needing a separate identity and password for each one.

Note: This feature is available with Enterprise licensing only.

OpenID Flow

Each user must log in once to the single sign-on with the identity provider. When the user tries to access the service provider, it sends an authorization and authentication request to the identity provider. The identity provider checks the user's credentials and determines whether the user is authorized to access the required service. If so, it sends a token from the service provider, with the authorization and authentication messages.

OpenID Setup

Start by selecting OpenID as the authentication provider in the Admin console, and then define the settings and the principal name for the initial user. You must first register your Pyramid implementation with the OpenID provider to generate all the keys, tokens and access points that the authentication needs to operate.

Using these values, provide the following details to set up OpenID:

  • OpenID Provider: Select a provider for the OpenID implementation. Choosing Microsoft or Google applies settings specific to their implementations, as opposed to the generic settings for 'custom'.
  • Custom Principal Name: This is provided by the vendor. For Google and Microsoft, this value is hard coded already.
  • End Point URL: The official connection to the OpenID vendor's APIs.
    • For Microsoft this typically looks like "https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize"
    • For Google this typically looks like "https://accounts.google.com/o/oauth2/v2/auth"
  • Client ID: The Application (client) ID that the OpenID provider allocates to Pyramid when it is registered in their portal (App registrations experience assigned to your app).
  • Redirect URL: The redirect URL of your Pyramid implementation - where authentication responses can be sent and received by Pyramid. It must exactly match one of the redirect URLs you registered in the OpenID provider's portal. Note that /login/openid_callback is automatically appended to the Redirect URL.
  • Logout URL: The URL that the user is redirected to after successfully signing out of Pyramid.
  • JSON Web Keys URI: The URL of the destination where the JWT token keys can be validated.
    • For Google this is typically something like "https://www.googleapis.com/oauth2/v3/certs"
    • For Microsoft this is typically something like "https://login.microsoftonline.com/common/discovery/keys"
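
The Redirect URL must match a registered URL exactly once /login/openid_callback has been appended, so it is worth checking the values before saving them. The following pre-flight check is an added example, not part of Pyramid or of the original page. The setting key names, the list of registered URLs, the host pyramid.example.com and the assumption that the suffix is appended by plain concatenation are all illustrative.

```python
from urllib.parse import urlsplit

CALLBACK_SUFFIX = "/login/openid_callback"  # appended by Pyramid, per the page

def effective_redirect(redirect_url):
    # Assumption: the suffix is added by plain concatenation.
    return redirect_url + CALLBACK_SUFFIX

def _normalise(url):
    # Loose form used only to explain a near miss, never to accept one.
    p = urlsplit(url)
    return (p.netloc.lower(), p.path.rstrip("/").replace("//", "/").lower())

def check_openid_settings(settings, registered_redirects):
    """Return a list of findings; an empty list means the values look consistent."""
    findings = []
    for key in ("endpoint_url", "jwks_uri", "redirect_url"):
        url = settings[key]
        if urlsplit(url).scheme != "https":
            findings.append(f"{key}: not https")
        if "{" in url or "}" in url:
            findings.append(f"{key}: unreplaced placeholder")
    if settings["redirect_url"].endswith(CALLBACK_SUFFIX):
        findings.append("redirect_url: already contains the callback suffix")
    sent = effective_redirect(settings["redirect_url"])
    if sent not in registered_redirects:  # the provider compares exactly
        near = [r for r in registered_redirects if _normalise(r) == _normalise(sent)]
        hint = f" (near miss: {near[0]})" if near else ""
        findings.append(f"redirect mismatch: provider will receive {sent}{hint}")
    return findings

# Constructed sample values; pyramid.example.com is a placeholder host.
REGISTERED = ["https://pyramid.example.com/login/openid_callback"]
GOOD = {
    "endpoint_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "redirect_url": "https://pyramid.example.com",
}
BAD = {
    "endpoint_url": "https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "redirect_url": "http://Pyramid.example.com/",
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_openid_settings(cfg, REGISTERED) or "ok")
```

The BAD sample fails for three reasons: the {tenantID} placeholder was never replaced, the Redirect URL uses http, and its trailing slash and capital letter produce a callback URL that does not match the registered one character for character.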

An additional setting in IIS must be configured. By default, the web.config file can be found at the following path on all Pyramid web servers running IIS:

"C:\program files\pyramid\repository\iis\web.config"

Change your web.config file to the following. The update must be done on all Pyramid web servers running IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Allow request bodies up to 2147483648 bytes (2 GiB) -->
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- Reverse-proxy every inbound request to http://localhost:8181 -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8181/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- On 3xx responses, replace a Location header of the form
             ...#redirect=<target> with <target> -->
        <rule name="302" preCondition="302">
          <match serverVariable="RESPONSE_Location" pattern="(.*)#redirect=(.*)" />
          <action type="Rewrite" value="{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="302">
            <add input="{RESPONSE_STATUS}" pattern="3[0-9][0-9]" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <defaultDocument>
      <files>
        <clear />
        <add value="readme.html" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

Initial User

This is the initial master user (from the OpenID framework) that will be matched in Pyramid.

  • User Name: the internal user name of the initial user. This is a bypass for the user when working outside of OpenID.
  • First Name: the first name of the initial user
  • Last Name: the last name of the initial user
  • Email: the email of the initial user
  • Principal Name: the OpenID of the initial user (typically in the format someone@domain.com). This is the critical element that will enable Pyramid to match the incoming token with the user account.

Once OpenID authentication is configured, access to Pyramid can be completed through an OpenID JWT exchange with the designated provider.