Manage OAuth Authentication

Configuration of MetaKarta to support an external SSO environment requires working with your System Administrator. In this mode, the system default login page is disabled and not presented. It must be replaced by an external authentication login system.

Administrators can always log in, even in External Authentication Mode, using the dedicated administrator rescue login URL: http://localhost:<port>/MM/Auth?nativeLogin, where <port> is the HTTP port that MetaKarta responds to.

The OAuth specification defines a delegation protocol that is useful for conveying authorization decisions across a network of web-enabled applications and APIs. OAuth is used in a wide variety of applications, including providing mechanisms for user authentication.

MetaKarta supports the OAuth 2.0 protocol for external authentication.


Upon external authentication (OAuth), a valid user is created in the system (if not already present) from the credentials supplied by the external authentication authority, and will then appear in MANAGE > Users. Thus there is no need to import users in these external authentication scenarios.

Set OAuth Authentication

Steps

1.  Sign in as a user with at least the Security Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Select OAuth from the Authentication pull-down.

Example

Sign in as Administrator.

Go to Tools > Administration > Users.

Select OAuth from the Authentication pull-down.

Configure OAuth Authentication

Steps

1.  Sign in as a user with at least the Security Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Select OAuth from the Authentication pull-down.

4.  Click Configure Authentication.

Example

Sign in as an Administrator.

Go to MANAGE > Users in the banner.

Select OAuth from the Authentication pull-down.

Click Configure Authentication.

Configure the OAuth Server

In order to enable an external authentication server using the OAuth 2.0 protocol, the Administrator needs to configure the OAUTH server. The following example shows the Configure OAUTH Server editor parameters using the Google server.

Steps

1.  Sign in as a user with at least the Application Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Click Configure Authentication.

4.  Go to the Connection tab.

Example

The user needs to obtain OAuth 2.0 client credentials (Client Id and Client Secret) from the external authentication server, such as Google or Facebook.

Besides the Client Id and Client Secret, the OAUTH Server configuration also requires the external authentication server Authentication URI, token URI and a few other parameters:

Authentication URI: a URI on the external authentication server that handles the user authentication. The result is an authorization code, which the application can exchange for an access token and a refresh token.

Token URI: a URI on the external authentication server that exchanges the authentication code for an access token.

Validation URI: a URI on the external authentication server that validates the access token and provides access to the user’s account.

Scope: One or more scope values indicating which parts of the user’s account an access token permits.

Go to the Attribute Mappings tab to define user attribute mappings.

Go to the Group Assignment tab to auto-assign groups based upon the OAuth security model.

Add an External Authentication User

External authentication users are automatically created/updated by successful external authentication login. They are assigned groups according to the rules provided by the authentication system, or the guest group by default.

One may specify additional group assignments manually (see Assign a group to a user).

Request Headers

The Request Headers tab specifies extra parameters to be added in the HTTP requests to the external authentication server by MetaKarta.

Steps

1.  Sign in as a user with at least the Application Administrator capability global role assignment.

2.  Go to MANAGE > Users in the banner.

3.  Click Configure Authentication.

4.  Go to the Request Headers tab.

5.  Click the Add action icon.

OAuth authentication workflow

1.  A Client submits an authentication request via the User Interface of a Resource Server

2.  The Resource Server presents the Client with an Authorization Grant, and redirects the Client to the Authorization Server

3.  The Client requests an Access Token from the Authorization Server using the Authorization Grant Code

4.  The Client logs in to the Authorization Server, and if the code is valid, the Client gets an Access Token that can be used to request a protected resource from the Resource Server

5.  After receiving a request for a protected resource with an accompanying Access Token, the Resource Server verifies the validity of the token directly with the Authorization Server

6.  If the token was valid, the Authorization Server sends information about the Client to the Resource Server

Signing in with Google

In this case the MetaKarta application server is the Resource Server, the Google Authorization Server is the Authorization Server, and the end user is the Client. The OAuth server configuration parameters should look like those in the screenshots in the Configure the OAuth Server section.

Once you have specified OAuth External Authentication Mode

1.  MetaKarta presents the end user with an Authorization Grant, and redirects the end user to the Google Authorization Server’s Authentication URI https://accounts.google.com/o/oauth2/auth. The scope values “email profile” indicate that we are not requesting access to the user’s Google data, only the user’s email address and basic profile information.

2.  The end user requests an Access Token from the Google Authorization Server’s Token URI https://accounts.google.com/o/oauth2/token, using the Authorization Grant Code.

3.  The end user logs in to the Google Authorization Server, and if the code is valid, the end user gets an Access Token that can be used to request a protected resource from MetaKarta.

4.  After receiving a request for a protected resource with an accompanying Access Token, MetaKarta verifies the validity of the token, and obtains the user’s name and other profile information, directly from the Google Authorization Server by sending a validation request with the Access Token to the Google Authorization Server’s Validation/User Info URI https://www.googleapis.com/oauth2/v3/userinfo.

5.  If the access token is valid, the Google Authorization Server sends information about the end user based on the scope values to MetaKarta. Below is an example of the data in JSON.

{
  "sub": "110248495921238986420",
  "name": "Aaron Parecki",
  "given_name": "Aaron",
  "family_name": "Parecki",
  "picture": "https://lh4.googleusercontent.com/-kw-iMgD_j34/AAAAAAAAAAI/AAAAAAAAAAc/P1YY91tzesU/photo.jpg",
  "email": "aaron.parecki@okta.com",
  "email_verified": true,
  "locale": "en",
  "hd": "okta.com"
}

Using the given User Attribute Mapping, Google's name attribute is mapped to this product's login and full name attributes, Google's sub attribute is mapped to the distinguished name attribute in MetaKarta, and Google's email attribute is mapped to the email attribute in MetaKarta.

6.  MetaKarta logs the end user into the system and grants the protected resource to the user based on the end user’s roles.
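The six-step workflow above and the Google attribute mapping, carried through as an added example that is not MetaKarta's own code: the Authorization Server is a constructed in-memory stand-in so the exchange runs offline, and the client id, client secret, redirect URI and the state parameter check are assumptions, not settings from this page.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
# Authentication URI and scope are those the page gives for Google; the mapping is the one it describes.
AUTH_URI = "https://accounts.google.com/o/oauth2/auth"
SCOPE = "email profile"
ATTRIBUTE_MAPPING = {"login": "name", "full_name": "name", "distinguished_name": "sub", "email": "email"}
# Constructed sample, trimmed from the userinfo JSON shown on the page.
SAMPLE_USERINFO = {"sub": "110248495921238986420", "name": "Aaron Parecki", "email": "aaron.parecki@okta.com", "email_verified": True}

def build_authorization_url(client_id, redirect_uri, state):
    """Step 1: the redirect that sends the end user to the Authentication URI with an anti-CSRF state."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": SCOPE, "state": state}
    return f"{AUTH_URI}?{urlencode(params)}"

def map_userinfo(userinfo, mapping=ATTRIBUTE_MAPPING):
    """Steps 5-6: build the local user record from validated userinfo; guest group by default."""
    if not userinfo.get("email_verified", False):
        raise ValueError("refusing to create a user from an unverified email claim")
    return {**{local: userinfo[remote] for local, remote in mapping.items()}, "groups": ["guest"]}

class FakeAuthorizationServer:
    """Constructed stand-in for the Authorization Server (Token and Validation URIs) to run offline."""
    def __init__(self, userinfo, client_secret):
        self.userinfo, self.client_secret, self.codes, self.tokens = userinfo, client_secret, {}, set()
    def authorize(self, query):  # end user logs in; server issues a one-time code and echoes state
        code = secrets.token_urlsafe(16)
        self.codes[code] = (query["client_id"][0], query["redirect_uri"][0])
        return {"code": code, "state": query["state"][0]}
    def token(self, code, client_id, client_secret, redirect_uri):  # Steps 3-4: code -> access token
        if client_secret != self.client_secret or self.codes.pop(code, None) != (client_id, redirect_uri):
            raise PermissionError("bad client secret, or unknown, reused or mismatched authorization code")
        access_token = secrets.token_urlsafe(24)
        self.tokens.add(access_token)
        return {"access_token": access_token}
    def userinfo_for(self, access_token):  # Step 5: token validated at the Validation/User Info URI
        if access_token not in self.tokens:
            raise PermissionError("invalid access token")
        return dict(self.userinfo)

def login(server, client_id, client_secret, redirect_uri):
    """Run the workflow from the Resource Server's side (MetaKarta's role) and return the mapped user."""
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(client_id, redirect_uri, state)
    callback = server.authorize(parse_qs(urlparse(url).query))  # browser follows the redirect
    if not secrets.compare_digest(callback["state"], state):  # reject forged or replayed callbacks
        raise PermissionError("state mismatch")
    token = server.token(callback["code"], client_id, client_secret, redirect_uri)["access_token"]
    return map_userinfo(server.userinfo_for(token))
```

A real deployment validates the token with the provider's Validation URI over HTTPS; the fake server here only shows which checks happen at each step and what the mapped user record looks like.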

Signing in with Microsoft Azure Active Directory Web API

In this case the server at MetaKarta is the Resource Server, the Azure Active Directory (Azure AD) Web API is the Authorization Server, and the end user is the Client. The OAuth server configuration parameters look like the following:

The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are tenant identifiers, for example, 8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com or common for tenant-independent tokens. The OAuth authentication workflow with Azure AD Web API is similar to the workflow with the Google Authorization Server.