Global Settings (Web Login)

[For more info on Web Login, click HERE.]

To Edit the Global Settings (Web Login) Properties:

Expand your project in the Workbench's Project Explorer, then expand the Security provider node, and then the Web Login sub-node.
Double-click on the Global Settings node, or right-click on the Global Settings node and select Edit from the menu, or select the Global Settings mode then click on the Edit button in the Edit section of the Home ribbon in the Workbench.
This opens the Global Settings properties, shown below.

Global Settings (Web Login) Properties

General Settings

These settings set up both Security as an OIDC IdP, as well as configure the external OIDC or SAML login.

Enabled -Enables the OIDC IdP. When disabled, the HTTP endpoints of OIDC/OAuth remain functional, although they will not allow any authentication/authorization. Click the checkbox to enable the selected OIDC Provider.
In-house applications use web login -This instructs the GENESIS64 applications to use Web Login, instead of the regular Login dialog. This option only make sense when also using some sort of external IdP. If not, using the regular Login dialog is the preferred way to authenticate.
Web applications use web login -This instructs the web applications to use Web Login, instead of the regular Login dialog. This option only make sense when also using some sort of external IdP. If not, using the regular Login dialog is the preferred way to authenticate.

Note: Web Login in those applications also comes with limitations.

The Allow simultaneous login must be disabled on the General tab of Global Settings.
When logging into GENESIS64 using Integrated Windows Authentication to automatically log in users, it is advisable to also allow to log off the automatic user. This is an option on the Global Settings. If this option is left disabled, Web Login will not be able to log anybody in through the Web if there is already somebody logged in automatically.
The 'Password required to log out' Policy is ignored for users that logged in through the Web Login.
The Critical Points and Critical Alarms will not work. These points and alarms will always be inaccessible for users logged in through the Web Login.

OIDC Provider / OAuth Authorization Server Settings

This section sets up the OIDC Provider (called ‘Authorization Server’ in OAuth terminology) that is built into Security.

Issuer URL -The base URL of the OIDC/OAuth endpoints. This field cannot be changed directly, it serves just to inform about the URL. To change the base address where Security listens on, see the separate section ‘Changing the URL that Security Listens On and Enabling HTTPS’.
Signing credentials type -What certificate to use to cryptographically sign the OIDC/OAuth tokens. Use the pulldown menu to select either 'Auto-generated temporary key' or 'From the windows certificate store'. Your selection will determine whether you can make further edits to the General Settings properties.

Auto-generated temporary key – This option should only be used for testing. Security will generate a new random key every time it starts, so all clients that already authenticated will lose the authentication and will need to re-authenticate again.
From the windows certificate store – Selects a key saved in the certificate store. For OIDC/OAuth, the certificate does not need to be signed by a trusted authority.

Select certificate by/Certificate identifier - Serves to select a certificate from the certificate store. If you selected 'From the windows certificate store' as your selected Signing credentials type, you can use the now activated pulldown menu to select from 'Local machine/find by Subject Distinguished Name', 'Local machine/find by Thumbprint', 'Current user/find by Subject Distinguished Name'. or 'Current user/find by Thumbprint'. You can enter a Certificate identifier in the text entry field or click on the button, which opens the Windows Security window specific to what you selected for 'Select certificate by', as shown below.

Windows Security Window Customized to Selection of 'Local machine/find by Subject Distinguished Name'

Allowed CORS origins -An optional new line separated list of JavaScript client origins that are allowed to use the OIDC/OAuth feature for logging in. This is only required for JavaScript SPAs (Single page applications) and only if they are hosted on a different domain than the FrameWorX Server. Currently, in GENESIS64 V10.96 applications, ICONICS does not have any such in-house applications, so this only appies to custom-developed SPAs. Note: CORS origins are case-sensitive.
In-house application Relying Party Redirect URIs -These are the OIDC Redirect URLs used by GENESIS64 applications (GraphWorX64, AnyGlass, UWP). Normally, there should be no need to change these. The {host} placeholder gets replaced by the server name. See the section ‘Changing the URL that Security Listens On and Enabling HTTPS’ on what name that will be.

Authentication

These settings switch between built-in authentication and using an external OIDC or SAML Identity Providers.

Type -Use the pulldown menu to select from Built-in or OpenID Connect.

Built-in

With this option, Security will not redirect to an external OIDC or SAML web page, but instead will present its own login page that authenticates against either Active Directory or against the list of users specified directly in Security. There is just one setting for this option.

Allow the 'Remember me' option in the web login form -This enables or disables a “Remember me” check box on the web login form. When enabled and the user checks the check box, the authentication cookie will be persisted in the user’s web browser, so the next time the browser is opened and the OIDC/OAuth login feature is used, the user will already be signed in. Without this check box checked, the cookie will remain in the user’s web browser only until the browser session ends.

OpenID Connect

These settings, together with the OIDC Authentication User Mapping section, set up login through an external OIDC Identity Provider.

Redirect URL -This value is informational only and will be required when setting up the external OIDC Identity Provider. For information about changing the base URL, see the separate section ‘Changing the URL that Security Listens On and Enabling HTTPS’.
Logout redirect URL -This value is informational only and will be required when setting up the external OIDC Identity Provider. For information about changing the base URL, see the separate section ‘Changing the URL that Security Listens On and Enabling HTTPS’.
Issuer URL -The base URL of the endpoints of the external OIDC Provider. Enter the Issuer URL for authentication in the text entry field.
Client ID -The OIDC/OAuth ‘Client identifier’. Enter the client ID associated with the issuer URL/authentication in the text entry field.
Client secret -The client secret, if required. It is stored in the database in obfuscated form and can be reverted to clear text easily. Enter the Client secret used for the external authentication in the text entry field or click on the ellipsis button [...] to open the Shared secret window, where you can type in the secret.
Use PKCE -Determines whether the client must use PKCE (Proof Key for Code Exchange).
Prompt -This is an optional OIDC protocol parameter that instructs the OIDC Identity Provider to re-prompt the user for some information. See this link for more information: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest. Select whether the authentication prompt will be Default, or use Login, Consent or Select account (by clicking the respective check boxes).

OIDC Authentication User Mapping

OIDC scope to request - By default, Security requests only the ‘openid’ scope. It is possible to specify additional scopes here (even multiple, space delimited). The combo box option contains the standard scopes defined by the OIDC standard, but Identity Providers can define their own. Use the pulldown menu to select from profile, email, address, or phone.
Use this OIDC claim - What claim to extract from the OIDC tokens when mapping to existing users. Servers are likely to define their own claims, but a list of standard ones can be found here: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims. Enter an OIDC claim to use for user mapping with the external authentication. This field may be pre-populated but can be edited.
Find existing user by - Use the pulldown menu to select from Display Name, Unique name (Active Directory GUID), Active Directory SID (Security ID), or Active Directory UPN (User Principal Name).

SAML 2.0

These settings, together with the SAML Authentication User Mapping section set up login through an external SAML Identity Provider.

Assertion Consumer Service (ACS) -This field is informational only and will be required when setting up the external SAML Identity Provider. For information about changing the base URL, see the separate section ‘Changing the URL that Security Listens On and Enabling HTTPS’.
SP metadata URL -This field is informational only and will be required when setting up the external SAML Identity Provider. For information about changing the base URL, see the separate section ‘Changing the URL that Security Listens On and Enabling HTTPS’.
SP Entity ID -This is like the OIDC Client Identifier. Enter the ID in the text entry field.
IdP metadata document -Save the metadata XML from the external IdP here. The two links to the left can be used to download the document from a URL or load it from a file. Security currently does not support dynamically loading the metadata from a URL.
Force authentication - This is like the ‘Prompt’ parameter from OIDC.

SAML Authentication User Mapping

Use this SAML claim -What information from the SAML token to use when mapping to an existing user. These rules apply when Security extracts information from the SAML token and assigns them to individual claims:
- The <Subject> → <NameID> element gets mapped to claim ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier’
- Each value of an <Attribute> element gets mapped to a claim named the same as the <Attribute> (using the Name attribute of the <Attribute> element). If there are multiple values in the <Attribute> element, only the first one is used.
Find existing user by -See the separate section ‘’Security with an External OIDC or SAML Identity Provider".
Show list of claims -See the separate section ‘’Security with an External OIDC or SAML Identity Provider".

Azure Active Directory Authentication

This setting is only available when Security is connecting to Azure Active Directory. This uses the OIDC protocol, but instead of requiring to set up all the details, this takes the details from the Azure Active Directory Settings section of the General tab.

This authentication uses the version 2 of Microsoft identity platform, as described here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview.

Specifically, these settings are used:

• The Authorization Code flow is used.

• The issuer URL is formatted as https://login.microsoftonline.com/{tenant}/v2.0.

• The ‘profile’ scope gets requested.

• The ‘oid’ claim from the ID token gets extracted and mapped to the ID property read from Azure Active Directory.