Learn how to configure Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) authentication for your community using GraphQL.
Added in 23.12.
🚧 Contact support to enable the multi-authentication mechanism for your Aurora community if it is part of your contract. If you want to purchase it, contact your Customer Success Manager (CSM).
📘 Only Administrators can configure the multi-authentication mechanisms.
You will learn how to configure the multi-authentication mechanisms for the Aurora Community.
You can perform the following actions for your community:
- Configure the SAML settings
- Configure the OIDC settings
- Set the Single Sign-On (SSO) settings
- Configure the Multi-authentication options
- Retrieve the Configured Provider details
- Retrieve the SAML settings
- Retrieve the OIDC settings
Configure the SAML settings
You can configure the SAML settings for your community using the setSamlSettings mutation and its associated query variables.
mutation settings($settingsInput: SamlSettingsInput!) {
  setSamlSettings(settingsInput: $settingsInput) {
    result
    errors {
      __typename
      ... on Error {
        fields
        message
      }
    }
  }
}
The query variables carry the metadata XML that your identity provider publishes, passed as a single JSON-escaped string in idpMetadata. This is what Aurora builds the trust relationship from: the signing certificate in the KeyDescriptor is used to verify assertion signatures, and the SingleSignOnService and SingleLogoutService entries tell it where to send authentication and logout requests. The query variables for the setSamlSettings mutation are given below:
{
  "settingsInput": {
    "idpMetadata": "<?xml version=\"1.0\"?>\r\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://[PROVIDER URL]/saml/metadata/ab99bb84-d0c7-47e4-9dbc-5451a4eb971b\">\r\n <IDPSSODescriptor xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n <KeyDescriptor use=\"signing\">\r\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n <ds:X509Data>\r\n <ds:X509Certificate>AAABBBBBBCCCCCDDDDEEE\nFFFFFFGGGGGGGGGGGGHHHHHHHHHHHHHHHH\nJJJJJJJJJJJKKKKKKLLL\nMMMMMMMMMMMMNNNNNNNNNN\nPPPPPPPPPPPPQQQQQQQQQRRRRRR\nQQQQQQQQQQQSSSSSSSSS\nTTTTT11111111\n2222222233333333\n4444444444444444444\n55555555555555555\n666666666666666\n777777777777777777\n88888888888888\n999999999999\n00000000000000000\nAAAABBBBCCCC\nDDDDDDDDDDDD\nEEEEEEEEEEEEEE\nFFFFFFFFFFFFFFFF\nGGGGGGHHHHH\nIIIIJJJJJJKKKK</ds:X509Certificate>\r\n </ds:X509Data>\r\n </ds:KeyInfo>\r\n </KeyDescriptor>\r\n <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-redirect/slo/1111222333\"/>\r\n \r\n <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\r\n \r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-redirect/sso/ABBBCCC4-123R-77UUE-1ABC-5555TTTTYYYb\"/>\r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-post/sso/AAABBCC-D1E7-11BB22-HHAAB-AABBCCDDEEFF1122\"/>\r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/soap/sso/AABBCCDDEEFF-1122-334A-1ABCD-111222233334444\"/>\r\n </IDPSSODescriptor>\r\n</EntityDescriptor>"
  }
}
Here is the response to the above mutation; result true together with errors null means the metadata was accepted.
{
  "data": {
    "setSamlSettings": {
      "result": true,
      "errors": null
    }
  }
}
📘 Note: Find out more about Aurora's SAML solution in our Atlas guide: About Aurora Security Assertion Markup Language (SAML) Single Sign-On (SSO)
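Before sending setSamlSettings, it is worth checking locally that the metadata you are about to paste is usable. The script below is an added example and is not part of the Khoros documentation or SDK: it parses the metadata XML your identity provider publishes, confirms it is IdP metadata with a signing certificate and https SingleSignOnService endpoints, and builds the GraphQL request body whose JSON encoding is the escaped idpMetadata string shown above. SAMPLE_METADATA, the idp.example.com hostnames and FAKE_CERT are constructed placeholders, not values from the page.

```python
"""Prepare and sanity-check the settingsInput for the setSamlSettings mutation.

Added example, not part of the Khoros documentation or SDK. It takes the metadata
XML published by your identity provider, extracts what the trust relationship
depends on, rejects metadata that cannot work, and builds the JSON body a GraphQL
client would POST. SAMPLE_METADATA, its hostnames and FAKE_CERT are constructed
placeholders (assumptions), not values from the documentation.
"""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

SET_SAML_SETTINGS = """mutation settings($settingsInput: SamlSettingsInput!) {
  setSamlSettings(settingsInput: $settingsInput) {
    result
    errors { __typename ... on Error { fields message } }
  }
}"""

# Constructed stand-in for the IdP certificate: base64 of a tiny DER SEQUENCE,
# enough for the structural check below. Real metadata carries the full cert.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed minimal IdP metadata document (fictional provider).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, signing-cert count, SSO/SLO endpoints and NameID formats;
    raise ValueError on anything the service provider could not build trust on."""
    # expat does not fetch external entities, but metadata is third-party input:
    # prefer defusedxml in production.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means signing too
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der or der[0] != 0x30:  # a DER certificate starts with SEQUENCE
                raise ValueError("X509Certificate is not DER-encoded")
            certs += 1
    if certs == 0:
        raise ValueError("no signing certificate: assertions could not be verified")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        loc = svc.get("Location", "")
        if urlparse(loc).scheme != "https":
            raise ValueError(f"SingleSignOnService must be https: {loc}")
        sso[svc.get("Binding", "").rsplit(":", 1)[-1]] = loc
    if "HTTP-Redirect" not in sso and "HTTP-POST" not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": sso,
        "slo": [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)],
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def is_acceptable(xml_text: str) -> bool:
    """True if inspect_idp_metadata accepts the document."""
    try:
        inspect_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def build_set_saml_settings_request(xml_text: str) -> dict:
    """GraphQL request body; json.dumps of it yields the escaped idpMetadata
    string seen in the documentation's query variables."""
    inspect_idp_metadata(xml_text)  # never ship metadata that cannot work
    return {"query": SET_SAML_SETTINGS,
            "variables": {"settingsInput": {"idpMetadata": xml_text}}}


if __name__ == "__main__":
    print(json.dumps(inspect_idp_metadata(SAMPLE_METADATA), indent=2))
    print(json.dumps(build_set_saml_settings_request(SAMPLE_METADATA))[:160], "...")
```

json.dumps on the returned body produces the form shown in the query variables above: the whole XML document becomes one string with quotes and newlines escaped. Running the check first catches the usual failure modes, SP metadata pasted instead of IdP metadata, a certificate marked for encryption only, or a plain-http endpoint, before the mutation is sent.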
Configure the OIDC settings
OpenID Connect (OIDC) is an OAuth 2.0-based SSO implementation supported in Aurora. We have a detailed introduction available on Atlas: About Aurora OIDC/OAuth2.0 SSO.
You can configure the OIDC settings using the createOrUpdateOpenIdConnectSelfServiceIdp mutation.
mutation createOrUpdateOpenIdConnectSelfServiceIdp(
  $input: OpenIdConnectSelfServiceIdpInput!
) {
  createOrUpdateOpenIdConnectSelfServiceIdp(idpInput: $input) {
    errors {
      __typename
      ... on Error {
        fields
        message
      }
    }
    result {
      provider {
        providerId
      }
    }
  }
}
The query variables for the mutation define the provider details, authorization details, token details, user information, and logout settings. Treat clientSecret as a credential: supply it from a secrets store at call time rather than keeping it in a saved variables file. Leave JWTSettings.disableValidation set to false outside troubleshooting so that ID tokens are checked against the configured issuer and the keys published at JWKSUri, and keep every endpoint URL on https.
{
  "input": {
    "provider": {
      "providerName": "[PROVIDER NAME]",
      "providerId": "[PROVIDER ID]",
      "clientId": "12345ABCD-1122-111A-11B1-33AA4BC33AA0BC112233",
      "clientSecret": "11AA22BB33CC44DD55EE66FF77HH88KK99MM"
    },
    "advanced": {
      "redirectURIOverride": ""
    },
    "authorization": {
      "url": "https://[PROVIDER URL]/oidc/2/auth",
      "responseType": "code",
      "scope": "openid profile email params",
      "persistParams": false,
      "staticParams": null
    },
    "token": {
      "url": "https://[PROVIDER URL]/oidc/2/token",
      "clientAuthMethod": "CLIENT_SECRET_BASIC",
      "claimMapping": {},
      "JWTSettings": {
        "disableValidation": false,
        "audOverride": "",
        "issuer": "https://[PROVIDER URL]/oidc/2",
        "JWKSUri": "https://[PROVIDER URL]/oidc/2/certs"
      }
    },
    "userInfo": {
      "url": "https://[PROVIDER URL]/oidc/2/me",
      "usePostRequest": false,
      "claimMapping": {
        "ssoId": "sub",
        "email": "email",
        "firstName": "given_name",
        "lastName": "family_name",
        "biography": "updated_at",
        "login": "preferred_username",
        "rolesToAdd": "params.roleToLink",
        "rolesToRemove": "params.roleToUnLink",
        "notes": "family_name"
      }
    },
    "logoutSettings": {
      "frontendLogout": {
        "url": "https://[PROVIDER URL]/oidc/2/logout"
      },
      "RPInitiated": {
        "tokenMethod": "NONE",
        "authMethod": "NONE",
        "paramName": "",
        "paramsPassthrough": false
      },
      "OPInitiated": {
        "enabled": false,
        "allowIframe": false,
        "url": "",
        "iframeRedirectUrl": ""
      }
    }
  }
}
Here is the response to the above mutation and query variables.
{
  "data": {
    "createOrUpdateOpenIdConnectSelfServiceIdp": {
      "errors": null,
      "result": {
        "provider": {
          "providerId": "[PROVIDER ID]"
        }
      }
    }
  }
}
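Most of the OIDC input above can be derived from the provider's discovery document rather than typed by hand, which avoids mistyped issuer or JWKS values that would make ID-token validation fail open or closed. The script below is an added example, not Khoros code: it maps a discovery document onto the input shape shown above, refuses providers whose advertised capabilities do not match the sample configuration (response_type code, CLIENT_SECRET_BASIC, https endpoints, matching issuer), and audits a JWTSettings block for weak settings. The field correspondence (authorization_endpoint to authorization.url, jwks_uri to JWKSUri, and so on) is inferred from the sample values on the page; SAMPLE_DISCOVERY and the op.example.com hostnames are constructed so the check runs offline, and fetch_discovery is only there to show where a live document would come from.

```python
"""Derive the `input` for createOrUpdateOpenIdConnectSelfServiceIdp from an
OpenID Provider discovery document and refuse settings that weaken ID-token
checks. Added example, not Khoros code. The mapping from discovery fields to
Aurora input fields is inferred from the documentation's sample values;
SAMPLE_DISCOVERY is a constructed document for a fictional provider.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed discovery document (assumption: fictional provider op.example.com).
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.com/oidc/2",
    "authorization_endpoint": "https://op.example.com/oidc/2/auth",
    "token_endpoint": "https://op.example.com/oidc/2/token",
    "userinfo_endpoint": "https://op.example.com/oidc/2/me",
    "jwks_uri": "https://op.example.com/oidc/2/certs",
    "end_session_endpoint": "https://op.example.com/oidc/2/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Standard-claim mapping taken from the documentation's sample.
CLAIM_MAPPING = {"ssoId": "sub", "email": "email", "firstName": "given_name",
                 "lastName": "family_name", "login": "preferred_username"}


def fetch_discovery(issuer: str) -> dict:
    """Live fetch of the well-known document (not exercised offline)."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as resp:
        return json.load(resp)


def _https(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def discovery_problems(disc: dict, expected_issuer: str, scope: str) -> list:
    """Reasons this provider cannot be configured like the documentation's sample."""
    problems = []
    if disc.get("issuer") != expected_issuer:  # Discovery 4.3: issuer MUST match
        problems.append("issuer does not match the expected issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not _https(disc.get(key, "")):
            problems.append(f"{key} missing or not https")
    if "code" not in disc.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    # Spec default when the field is absent is client_secret_basic.
    if "client_secret_basic" not in disc.get("token_endpoint_auth_methods_supported",
                                             ["client_secret_basic"]):
        problems.append("provider does not support CLIENT_SECRET_BASIC")
    if "none" in disc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg none)")
    supported = disc.get("scopes_supported")
    if supported:
        problems += [f"scope {s!r} not advertised" for s in scope.split() if s not in supported]
    return problems


def jwt_settings_problems(jwt: dict) -> list:
    """Audit a JWTSettings block as it would be sent to Aurora."""
    problems = []
    if jwt.get("disableValidation"):
        problems.append("disableValidation=true: ID tokens would be accepted unverified")
    if not jwt.get("issuer"):
        problems.append("issuer is empty: tokens from any issuer would be accepted")
    if not _https(jwt.get("JWKSUri", "")):
        problems.append("JWKSUri missing or not https: signing keys could be spoofed")
    return problems


def build_oidc_input(disc, provider_id, provider_name, client_id, client_secret,
                     expected_issuer, scope="openid profile email"):
    """Build the mutation's `input` variable in the shape shown in the documentation."""
    problems = discovery_problems(disc, expected_issuer, scope)
    if problems:
        raise ValueError("; ".join(problems))
    jwt = {"disableValidation": False, "audOverride": "",
           "issuer": disc["issuer"], "JWKSUri": disc["jwks_uri"]}
    assert not jwt_settings_problems(jwt)
    return {
        "provider": {"providerName": provider_name, "providerId": provider_id,
                     "clientId": client_id, "clientSecret": client_secret},
        "advanced": {"redirectURIOverride": ""},
        "authorization": {"url": disc["authorization_endpoint"], "responseType": "code",
                          "scope": scope, "persistParams": False, "staticParams": None},
        "token": {"url": disc["token_endpoint"], "clientAuthMethod": "CLIENT_SECRET_BASIC",
                  "claimMapping": {}, "JWTSettings": jwt},
        "userInfo": {"url": disc["userinfo_endpoint"], "usePostRequest": False,
                     "claimMapping": CLAIM_MAPPING},
        "logoutSettings": {
            "frontendLogout": {"url": disc.get("end_session_endpoint", "")},
            "RPInitiated": {"tokenMethod": "NONE", "authMethod": "NONE",
                            "paramName": "", "paramsPassthrough": False},
            "OPInitiated": {"enabled": False, "allowIframe": False,
                            "url": "", "iframeRedirectUrl": ""},
        },
    }
```

The sample scope on the page includes a provider-specific params value; discovery_problems flags any scope the provider does not advertise, so either add such custom scopes to the provider's scopes_supported or pass only the standard scopes when the check is meant to be strict. Pass the result as the input variable of the mutation; the clientSecret argument should come from a secrets store, not a file next to the script.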
Set the SSO settings
You can set the following SSO settings for the Khoros SSO mechanism using the setSsoSettings mutation:
- Sign-up URL
- Sign-on URL
- Sign-off URL
📘 Note: You can find out more about Aurora's SSO solution in our Atlas guide: About Khoros Aurora Single Sign-On (SSO)
👍 Note: Ensure that JWT SSO authentication is configured for your community before you set jwtSsoSignOnUrl.
You can use the setSsoSettings mutation to set the URLs for both mechanisms, Khoros SSO and JWT SSO, in one call.
mutation setSsoSettingsMutation($settingsInput: SsoSettingsInput!) {
  setSsoSettings(settingsInput: $settingsInput) {
    result
  }
}
The query variables that assign the URLs to the SSO settings are given below. Use https for every URL: the JWT SSO sign-on flow carries the signed token, and a plain-http sign-on URL would expose it in transit.
{
  "settingsInput": {
    "ssoEnabled": true,
    "khorosSignUpUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=register",
    "khorosSignOnUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=login",
    "khorosSignOffUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=logoff",
    "jwtSsoSignOnUrl": "https://[YOUR COMMUNITY DOMAIN]/jwtsso?redirect=https://[REDIRECT URL]/t5/s/auth/jwtsso"
  }
}
Here is the response to the above mutation and query variables.
{
  "data": {
    "setSsoSettings": {
      "result": true
    }
  }
}
Configure the Multi-authentication Options
Admins can offer several sign-in options at once, for example one authentication mechanism for internal employees and another for customers. We have a detailed introduction to Aurora's multi-authentication solutions in our Atlas guide.