Learn how to configure Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) authentication for your community using GraphQL.
Added in 23.12.
🚧 Contact support to enable a multi-authentication mechanism for your Aurora Community if the multi-authentication mechanism is part of your contract. If you want to purchase a multi-authentication mechanism, contact your Customer Success Manager (CSM).
📘 Only Administrators can configure the multi-authentication mechanisms.
This page shows how to configure the multi-authentication mechanisms for the Aurora Community.
You can perform the following actions for your community:
- Configure the SAML settings
- Configure the OIDC settings
- Set the Single Sign-On (SSO) settings
- Configure the Multi-authentication options
- Retrieve the Configured Provider details
- Retrieve the SAML settings
- Retrieve the OIDC settings
Configure the SAML settings
You can configure the SAML settings for your community using the setSamlSettings mutation and its associated query variables.
mutation settings($settingsInput: SamlSettingsInput!) {
setSamlSettings(settingsInput: $settingsInput) {
result
errors {
__typename
... on Error {
fields
message
}
}
}
}
The query variables carry your identity provider's SAML metadata (the IdP EntityDescriptor XML) as the idpMetadata string; note that the XML must be JSON-escaped inside the variables. The query variables for the setSamlSettings mutation are given below:
{
"settingsInput": {
"idpMetadata": "<?xml version=\"1.0\"?>\r\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://[PROVIDER URL]/saml/metadata/ab99bb84-d0c7-47e4-9dbc-5451a4eb971b\">\r\n <IDPSSODescriptor xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n <KeyDescriptor use=\"signing\">\r\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n <ds:X509Data>\r\n <ds:X509Certificate>AAABBBBBBCCCCCDDDDEEE\nFFFFFFGGGGGGGGGGGGHHHHHHHHHHHHHHHH\nJJJJJJJJJJJKKKKKKLLL\nMMMMMMMMMMMMNNNNNNNNNN\nPPPPPPPPPPPPQQQQQQQQQRRRRRR\nQQQQQQQQQQQSSSSSSSSS\nTTTTT11111111\n2222222233333333\n4444444444444444444\n55555555555555555\n666666666666666\n777777777777777777\n88888888888888\n999999999999\n00000000000000000\nAAAABBBBCCCC\nDDDDDDDDDDDD\nEEEEEEEEEEEEEE\nFFFFFFFFFFFFFFFF\nGGGGGGHHHHH\nIIIIJJJJJJKKKK</ds:X509Certificate>\r\n </ds:X509Data>\r\n </ds:KeyInfo>\r\n </KeyDescriptor>\r\n <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-redirect/slo/1111222333\"/>\r\n \r\n <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\r\n \r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-redirect/sso/ABBBCCC4-123R-77UUE-1ABC-5555TTTTYYYb\"/>\r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/http-post/sso/AAABBCC-D1E7-11BB22-HHAAB-AABBCCDDEEFF1122\"/>\r\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://[COMMUNITY DOMAIN]/trust/saml2/soap/sso/AABBCCDDEEFF-1122-334A-1ABCD-111222233334444\"/>\r\n </IDPSSODescriptor>\r\n</EntityDescriptor>"
}
}
Here is the response to the above GraphQL query.
{
"data": {
"setSamlSettings": {
"result": true,
"errors": null
}
}
}
📘 Note: Find out more about Aurora's SAML solution in our Atlas guide: About Aurora Security Assertion Markup Language (SAML) Single Sign-On (SSO).
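Because setSamlSettings stores whatever idpMetadata string it is given, it pays to check the IdP metadata before submitting it: that it is well-formed IdP (not SP) metadata, carries a decodable signing certificate, and only points at https endpoints. The following Python script is an added example and not Khoros code or code from this page; the mutation text and field names come from the page, while the sample metadata, its entityID and URLs, the dummy certificate and the check rules are constructed by the editor.

```python
"""Pre-flight check of SAML IdP metadata before sending it with setSamlSettings.
Added example, not Khoros code: mutation/field names follow the page; the
checks, the sample metadata and the dummy certificate are constructed here."""
import base64
import binascii
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: base64 of bytes that merely start like a DER SEQUENCE.
DUMMY_CERT = base64.b64encode(b"\x30\x82" + b"constructed-not-a-real-certificate").decode()

# Constructed sample metadata with placeholder entityID and endpoint URLs.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/saml/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data><ds:X509Certificate>{DUMMY_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
    <SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor (SP metadata or the wrong file?)"]
    # The community verifies IdP signatures with this certificate; a KeyDescriptor
    # without a 'use' attribute counts for signing as well as encryption.
    cert_text = ""
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
            if cert is not None and cert.text:
                cert_text = "".join(cert.text.split())
                break
    if not cert_text:
        problems.append("no signing X509Certificate: assertions could not be verified")
    else:
        try:
            der = base64.b64decode(cert_text, validate=True)
            if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
                problems.append("X509Certificate does not decode to a DER SEQUENCE")
        except binascii.Error:
            problems.append("X509Certificate is not valid base64")
    sso = idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    # Users are redirected to these locations with SAML messages: insist on TLS.
    for svc in sso + idp.findall(f"{{{MD_NS}}}SingleLogoutService"):
        loc = svc.get("Location", "")
        if urlparse(loc).scheme != "https":
            problems.append(f"{svc.tag.split('}')[1]} at {loc!r} is not https")
    return problems


SET_SAML_SETTINGS = """mutation settings($settingsInput: SamlSettingsInput!) {
  setSamlSettings(settingsInput: $settingsInput) {
    result
    errors { __typename ... on Error { fields message } }
  }
}"""


def build_set_saml_request(xml_text: str) -> dict:
    """Build the GraphQL request body; json.dumps does the quoting the page shows by hand."""
    problems = check_idp_metadata(xml_text)
    if problems:
        raise ValueError("refusing to submit metadata: " + "; ".join(problems))
    return {"query": SET_SAML_SETTINGS, "variables": {"settingsInput": {"idpMetadata": xml_text}}}


if __name__ == "__main__":
    print(json.dumps(build_set_saml_request(SAMPLE_METADATA))[:160] + "...")
```

The structural checks stop at "decodes to DER"; validity period and key size need a real X.509 parser (for example the cryptography package), which is the natural next step once the metadata is known to be the right document.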
Configure the OIDC settings
OpenID Connect (OIDC) is an OAuth 2.0-based SSO implementation supported in Aurora. We have a detailed introduction available on Atlas: About Aurora OIDC/OAuth2.0 SSO.
You can configure the OIDC settings using the createOrUpdateOpenIdConnectSelfServiceIdp mutation.
mutation createOrUpdateOpenIdConnectSelfServiceIdp(
$input: OpenIdConnectSelfServiceIdpInput!
) {
createOrUpdateOpenIdConnectSelfServiceIdp(idpInput: $input) {
errors {
__typename
... on Error {
fields
message
}
}
result {
provider {
providerId
}
}
}
}
The query variables for the mutation define the provider details (client ID and secret), authorization endpoint, token endpoint and JWT validation settings, user-info claim mapping, and logout settings. Keep JWTSettings.disableValidation at false: with validation disabled, the ID token's signature, issuer and audience are not checked.
{
"input": {
"provider": {
"providerName": "[PROVIDER NAME]",
"providerId": "[PROVIDER ID]",
"clientId": "12345ABCD-1122-111A-11B1-33AA4BC33AA0BC112233",
"clientSecret": "11AA22BB33CC44DD55EE66FF77HH88KK99MM"
},
"advanced": {
"redirectURIOverride": ""
},
"authorization": {
"url": "https://[PROVIDER URL]/oidc/2/auth",
"responseType": "code",
"scope": "openid profile email params",
"persistParams": false,
"staticParams": null
},
"token": {
"url": "https://[PROVIDER URL]/oidc/2/token",
"clientAuthMethod": "CLIENT_SECRET_BASIC",
"claimMapping": {},
"JWTSettings": {
"disableValidation": false,
"audOverride": "",
"issuer": "https://[PROVIDER URL]/oidc/2",
"JWKSUri": "https://[PROVIDER URL]/oidc/2/certs"
}
},
"userInfo": {
"url": "https://[PROVIDER URL]/oidc/2/me",
"usePostRequest": false,
"claimMapping": {
"ssoId": "sub",
"email": "email",
"firstName": "given_name",
"lastName": "family_name",
"biography": "updated_at",
"login": "preferred_username",
"rolesToAdd": "params.roleToLink",
"rolesToRemove": "params.roleToUnLink",
"notes": "family_name"
}
},
"logoutSettings": {
"frontendLogout": {
"url": "https://[PROVIDER URL]/oidc/2/logout"
},
"RPInitiated": {
"tokenMethod": "NONE",
"authMethod": "NONE",
"paramName": "",
"paramsPassthrough": false
},
"OPInitiated": {
"enabled": false,
"allowIframe": false,
"url": "",
"iframeRedirectUrl": ""
}
}
}
}
Here is the response to the above mutation and query variables.
{
"data": {
"createOrUpdateOpenIdConnectSelfServiceIdp": {
"errors": null,
"result": {
"provider": {
"providerId": "[PROVIDER URL]"
}
}
}
}
}
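Before sending an OpenIdConnectSelfServiceIdpInput, it is worth linting it for the settings that weaken the flow: plain-http endpoints, disableValidation set to true, a JWKS URI hosted by someone other than the issuer, a scope without openid, or an ssoId mapped to a claim other than sub. The Python below is an added example, not Khoros code or code from this page; the field names mirror the page's query variables, while the sample input (placeholder provider, client ID and secret) and the lint rules are constructed by the editor.

```python
"""Lint an OpenIdConnectSelfServiceIdpInput before createOrUpdateOpenIdConnectSelfServiceIdp.
Added example, not Khoros code: field names follow the page's variables; the
rules and the sample input are constructed here."""
import copy
from urllib.parse import urlparse

# Constructed sample in the shape of the page's query variables (placeholder values).
SAMPLE_INPUT = {
    "provider": {"providerName": "example-idp", "providerId": "example-idp",
                 "clientId": "client-id-placeholder", "clientSecret": "client-secret-placeholder"},
    "advanced": {"redirectURIOverride": ""},
    "authorization": {"url": "https://idp.example.test/oidc/2/auth", "responseType": "code",
                      "scope": "openid profile email", "persistParams": False, "staticParams": None},
    "token": {"url": "https://idp.example.test/oidc/2/token", "clientAuthMethod": "CLIENT_SECRET_BASIC",
              "claimMapping": {},
              "JWTSettings": {"disableValidation": False, "audOverride": "",
                              "issuer": "https://idp.example.test/oidc/2",
                              "JWKSUri": "https://idp.example.test/oidc/2/certs"}},
    "userInfo": {"url": "https://idp.example.test/oidc/2/me", "usePostRequest": False,
                 "claimMapping": {"ssoId": "sub", "email": "email", "firstName": "given_name",
                                  "lastName": "family_name", "login": "preferred_username"}},
    "logoutSettings": {"frontendLogout": {"url": "https://idp.example.test/oidc/2/logout"},
                       "RPInitiated": {"tokenMethod": "NONE", "authMethod": "NONE",
                                       "paramName": "", "paramsPassthrough": False},
                       "OPInitiated": {"enabled": False, "allowIframe": False,
                                       "url": "", "iframeRedirectUrl": ""}},
}


def with_setting(inp: dict, path: str, value) -> dict:
    """Deep copy of inp with the dotted path set to value (for what-if checks)."""
    out = copy.deepcopy(inp)
    node = out
    keys = path.split(".")
    for key in keys[:-1]:
        node = node[key]
    node[keys[-1]] = value
    return out


def redact_for_log(inp: dict) -> dict:
    """Copy that is safe to paste into a ticket or log: the client secret is masked."""
    safe = copy.deepcopy(inp)
    safe["provider"]["clientSecret"] = "***"
    return safe


def lint_oidc_input(inp: dict) -> list[str]:
    """Return findings about weak settings; an empty list means nothing flagged."""
    findings: list[str] = []
    jwt = inp["token"]["JWTSettings"]
    # The client secret, authorization code and tokens travel over these connections.
    endpoints = {
        "authorization.url": inp["authorization"]["url"],
        "token.url": inp["token"]["url"],
        "userInfo.url": inp["userInfo"]["url"],
        "token.JWTSettings.issuer": jwt["issuer"],
        "token.JWTSettings.JWKSUri": jwt["JWKSUri"],
        "logoutSettings.frontendLogout.url": inp["logoutSettings"]["frontendLogout"]["url"],
    }
    for name, url in endpoints.items():
        if url and urlparse(url).scheme != "https":
            findings.append(f"{name} is not https: {url}")
    if jwt["disableValidation"]:
        findings.append("token.JWTSettings.disableValidation is true: ID tokens would be accepted unverified")
    if urlparse(jwt["JWKSUri"]).hostname != urlparse(jwt["issuer"]).hostname:
        findings.append("JWKSUri host differs from issuer host: signing keys would come from another party")
    if inp["authorization"]["responseType"] != "code":
        findings.append("responseType is not 'code': the code flow keeps tokens off the front channel")
    if "openid" not in inp["authorization"]["scope"].split():
        findings.append("scope lacks 'openid': no ID token will be issued")
    mapping = inp["userInfo"]["claimMapping"]
    for claim in ("ssoId", "email"):
        if not mapping.get(claim):
            findings.append(f"userInfo.claimMapping.{claim} is unset: users cannot be linked")
    if mapping.get("ssoId") not in (None, "", "sub"):
        findings.append("ssoId is not mapped to 'sub', the only claim OIDC defines as a stable unique user id")
    if not inp["provider"].get("clientSecret"):
        findings.append("provider.clientSecret is empty")
    return findings


if __name__ == "__main__":
    print(lint_oidc_input(SAMPLE_INPUT), redact_for_log(SAMPLE_INPUT)["provider"])
```

Run the lint on the exact dict you are about to send as the mutation's variables; with_setting makes it easy to test a proposed change (for example a new JWKS URI) without editing the live configuration.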
Set the SSO settings
You can set the following SSO settings for the Khoros SSO mechanism using setSsoSettings:
- Sign-up URL
- Sign-on URL
- Sign-off URL
📘 Note: You can find out more about Aurora's SSO solution in our Atlas guide: About Khoros Aurora Single Sign-On (SSO).
👍 Note: Ensure that you have JWT SSO authentication configured for your community.
The setSsoSettings mutation sets the URLs for both mechanisms (Khoros SSO and JWT SSO).
mutation setSsoSettingsMutation($settingsInput: SsoSettingsInput!) {
setSsoSettings(settingsInput: $settingsInput) {
result
}
}
The query variables to assign the URL to the SSO settings are given below.
{
"settingsInput": {
"ssoEnabled": true,
"khorosSignUpUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=register",
"khorosSignOnUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=login",
"khorosSignOffUrl": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=logoff",
"jwtSsoSignOnUrl": "http://[YOUR COMMUNITY DOMAIN]/jwtsso?redirect=https://[REDIRECT URL]/t5/s/auth/jwtsso"
}
}
Here is the response to the above mutation and query variables.
{
"data": {
"setSsoSettings": {
"result": true
}
}
}
Configure the Multi-authentication Options
Admins can offer multiple sign-in options at the same time, which gives more flexibility and lets, for example, internal employees and customers authenticate through different mechanisms. We have a detailed introduction to Aurora's multi-authentication solutions in our Atlas guide: MultiAuth SSO.
You can configure multi-authentication for your community using the ConfigureAuthProviders mutation along with its variables.
mutation ConfigureAuthProviders($authProviderConfigurationInput: [AuthProviderConfigurationInput]!) {
configureAuthProviders(
authProviderConfigurationInput: $authProviderConfigurationInput
) {
result {
id
enabled
name
customMetadata {
showLoginForm
__typename
}
order
__typename
}
error {
... on InvalidProviderConfigurationError {
...Error
__typename
}
... on IncorrectProviderConfigurationSizeError {
...Error
__typename
}
... on PermissionDeniedError {
...Error
__typename
}
__typename
}
__typename
}
}
fragment Error on Error {
message
fields
__typename
}
Here are the variables to configure the multi-authentication options for your community. Each entry enables or disables one provider, and the position of an entry in the array becomes its order value in the response.
{
"authProviderConfigurationInput": [
{
"id": "local",
"enabled": true,
"name": "Community Members",
"showLoginForm": true
},
{
"id": "SAML_0",
"enabled": false,
"name": "SAML"
},
{
"id": "JWT_SSO",
"enabled": true,
"name": "JWT SSO"
},
{
"id": "OIDC_0",
"enabled": true,
"name": "Khoros"
},
{
"id": "SAML_1",
"enabled": true,
"name": "SAML1"
},
{
"id": "khorosSso",
"enabled": false,
"name": "Khoros SSO"
}
]
}
Here is the response to the above mutation and variables.
{
"data": {
"configureAuthProviders": {
"result": [
{
"id": "local",
"enabled": true,
"name": "Community Members",
"customMetadata": {
"showLoginForm": true,
"__typename": "CustomAuthMetadata"
},
"order": 0,
"__typename": "AuthProvider"
},
{
"id": "JWT_SSO",
"enabled": true,
"name": "JWT SSO",
"customMetadata": null,
"order": 2,
"__typename": "AuthProvider"
},
{
"id": "SAML_0",
"enabled": false,
"name": "SAML",
"customMetadata": null,
"order": 1,
"__typename": "AuthProvider"
},
{
"id": "SAML_1",
"enabled": true,
"name": "SAML1",
"customMetadata": null,
"order": 4,
"__typename": "AuthProvider"
},
{
"id": "OIDC_0",
"enabled": true,
"name": "Khoros",
"customMetadata": null,
"order": 3,
"__typename": "AuthProvider"
},
{
"id": "khorosSso",
"enabled": false,
"name": "Khoros SSO",
"customMetadata": null,
"order": 5,
"__typename": "AuthProvider"
}
],
"error": null,
"__typename": "AuthProviderConfigurationResponse"
}
}
}
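The configureAuthProviders input replaces the whole provider list in one call, so the two mistakes to guard against are duplicate ids and a list in which no provider is enabled, which would leave nobody able to sign in. The Python below is an added example, not Khoros code or code from this page: the input and response shapes and the provider ids are taken from the page, the constructed response and the validation rules are the editor's own.

```python
"""Build configureAuthProviders variables from a desired provider list and check
the response.  Added example, not Khoros code: shapes and ids follow the page;
the validation rules and the constructed response are the editor's own."""

# Constructed desired state, using ids that appear on the page.
DESIRED = [
    {"id": "local", "enabled": True, "name": "Community Members", "showLoginForm": True},
    {"id": "SAML_0", "enabled": False, "name": "SAML"},
    {"id": "JWT_SSO", "enabled": True, "name": "JWT SSO"},
    {"id": "OIDC_0", "enabled": True, "name": "Khoros"},
]

# Constructed response in the shape the page shows; order follows input position.
SAMPLE_RESPONSE = {"data": {"configureAuthProviders": {"result": [
    {"id": "local", "enabled": True, "name": "Community Members",
     "customMetadata": {"showLoginForm": True}, "order": 0},
    {"id": "JWT_SSO", "enabled": True, "name": "JWT SSO", "customMetadata": None, "order": 2},
    {"id": "SAML_0", "enabled": False, "name": "SAML", "customMetadata": None, "order": 1},
    {"id": "OIDC_0", "enabled": True, "name": "Khoros", "customMetadata": None, "order": 3},
], "error": None}}}


def validate_providers(providers: list[dict]) -> list[str]:
    """Return findings that would make the configuration unsafe to submit."""
    findings: list[str] = []
    ids = [p.get("id") for p in providers]
    dupes = sorted({i for i in ids if ids.count(i) > 1}, key=str)
    if dupes:
        findings.append(f"duplicate provider ids: {dupes}")
    for p in providers:
        missing = [k for k in ("id", "enabled", "name") if k not in p]
        if missing:
            findings.append(f"provider {p.get('id', '?')} lacks {missing}")
    # Disabling every sign-in option at once locks out every account, admins included.
    if not any(p.get("enabled") for p in providers):
        findings.append("no provider is enabled: nobody, including admins, could sign in")
    return findings


def build_variables(providers: list[dict]) -> dict:
    """Wrap the validated list as the mutation's variables."""
    findings = validate_providers(providers)
    if findings:
        raise ValueError("; ".join(findings))
    return {"authProviderConfigurationInput": providers}


def verify_response(resp: dict, requested: list[dict]) -> list[str]:
    """Compare what the server reports with what was requested; empty list means a match."""
    data = resp["data"]["configureAuthProviders"]
    if data.get("error"):
        return [f"server error: {data['error']}"]
    got = {p["id"]: p for p in data["result"]}
    want = {p["id"]: p for p in requested}
    findings = []
    if set(got) != set(want):
        findings.append(f"provider set mismatch: sent {sorted(want)}, got {sorted(got)}")
    for pid in set(got) & set(want):
        if got[pid]["enabled"] != want[pid]["enabled"]:
            findings.append(f"{pid}: requested enabled={want[pid]['enabled']}, server has {got[pid]['enabled']}")
    return findings


def enabled_in_order(resp: dict) -> list[str]:
    """Ids of the enabled providers in the order users will see them."""
    result = resp["data"]["configureAuthProviders"]["result"]
    return [p["id"] for p in sorted(result, key=lambda p: p["order"]) if p["enabled"]]


if __name__ == "__main__":
    variables = build_variables(DESIRED)
    print(variables)
    print(verify_response(SAMPLE_RESPONSE, DESIRED), enabled_in_order(SAMPLE_RESPONSE))
```

Submit build_variables(DESIRED) as the mutation's variables and run verify_response on what comes back; a non-empty list means the stored configuration differs from what you intended and should be looked at before anyone relies on it.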
Retrieve the Configured Provider details
You can retrieve the configured provider details for each authentication mechanism using the authProviders GraphQL query.
query authProviders{
authProviders {
id
name
enabled
authMechanism
registrationURL
loginURL
logoutURL
order
}
}
Here is the response to the GraphQL query.
{
"data": {
"authProviders": [
{
"id": "local",
"name": "SignIn",
"enabled": true,
"authMechanism": "LOCAL",
"registrationURL": "",
"loginURL": "",
"logoutURL": "",
"order": 0
},
{
"id": "khorosSso",
"name": "SignIn With Khoros SSO",
"enabled": false,
"authMechanism": "KHOROS_SSO",
"registrationURL": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=register",
"loginURL": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=login",
"logoutURL": "https://sso-client-tester.qa.lithium.com/SSOClientTester?lia.site=https://[COMMUNITY DOMAIN]&type=logoff",
"order": 1
},
{
"id": "saml0",
"name": "SignIn with SAML",
"enabled": false,
"authMechanism": "SAML_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/auth/saml/doauth/redirect?idp=0",
"logoutURL": "https://[COMMUNITY DOMAIN]/auth/saml/dologout/redirect?idp=0",
"order": 2
},
{
"id": "saml1",
"name": "SignIn with SAML1",
"enabled": false,
"authMechanism": "SAML_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/auth/saml/doauth/redirect?idp=1",
"logoutURL": "https://[COMMUNITY DOMAIN]/auth/saml/dologout/redirect?idp=1",
"order": 3
},
{
"id": "saml2",
"name": "SignIn with SAML2",
"enabled": false,
"authMechanism": "SAML_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/auth/saml/doauth/redirect?idp=2",
"logoutURL": "https://[COMMUNITY DOMAIN]/auth/saml/dologout/redirect?idp=2",
"order": 4
},
{
"id": "onelogin2",
"name": "SignIn with onelogin2",
"enabled": false,
"authMechanism": "OIDCSS_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_login_redirect/provider/onelogin2",
"logoutURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_logout_redirect/provider/onelogin2",
"order": 5
},
{
"id": "oidcidp1",
"name": "SignIn with oidcidp1",
"enabled": false,
"authMechanism": "OIDCSS_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_login_redirect/provider/oidcidp1",
"logoutURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_logout_redirect/provider/oidcidp1",
"order": 6
},
{
"id": "onelogin",
"name": "SignIn with onelogin",
"enabled": false,
"authMechanism": "OIDCSS_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_login_redirect/provider/onelogin",
"logoutURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_logout_redirect/provider/onelogin",
"order": 7
},
{
"id": "oidcidp2",
"name": "SignIn with oidcidp2",
"enabled": false,
"authMechanism": "OIDCSS_SSO",
"registrationURL": "",
"loginURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_login_redirect/provider/oidcidp2",
"logoutURL": "https://[COMMUNITY DOMAIN]/v1/auth/oidcss/sso_logout_redirect/provider/oidcidp2",
"order": 8
}
]
}
}
Retrieve the SAML settings
You can retrieve the parameters currently set for your community's multi-authentication mechanisms.
Here is the query to retrieve the stored SAML IdP metadata.
query {
community {
samlSettings {
idpMetadata {
key
value
}
}
}
}
Here is the response to the above query.
{
"data": {
"community": {
"samlSettings": {
"idpMetadata": {
"key": "saml.idp_metadata",
"value": "\r\n\r\n \r\n \r\n \r\n \r\n MIID3DCCAsSgAwIBAgIUDd2/v5GirT3RwgJ8w/oiZgnXvagwDQYJKoZIhvcNAQEF\r\nBQAwRTEQMA4GA1UECgwHSW5mb3N5czEVMBMGA1UECwwMT25lTG9naW4gSWRQMRow\r\nGAYDVQQDDBFPbmVMb2dpbiBBY2NvdW50IDAeFw0yMzA4MDcxMzM0MTZaFw0yODA4\r\nMAAABBBCCCDDDEEEFFFGGGHHHHIIIIIJJJJJKKKKKLLLLLL\r\n \r\n \r\n \r\n \r\n \r\n urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\r\n \r\n \r\n \r\n \r\n \r\n"
}
}
}
}
}
Retrieve the OIDC settings
You can retrieve the OIDC settings configured for your community.
Here is the query to retrieve the fields of each configured OIDC identity provider. Note that clientSecret is returned in clear text, so treat the response as sensitive.
query {
openIdConnectSelfServiceIdps {
provider {
providerId
providerName
clientId
clientSecret
}
advanced {
redirectURIOverride
}
authorization {
url
responseType
scope
persistParams
staticParams
}
token {
url
clientAuthMethod
staticParams
headerParams
claimMapping {
firstName
}
jwtSettings {
disableValidation
audOverride
issuer
jwksUri
}
}
userInfo {
url
staticParams
claimMapping {
ssoId
email
firstName
lastName
emailVerified
address2
rolesToAdd
rolesToRemove
country
language
state
acceptTermsOfService
is13OrOlder
login
}
}
logoutSettings {
frontendLogout {
staticParams
url
alternateNameForPostLogoutRedirectURIParameter
}
rpInitiated {
url
authMethod
tokenMethod
paramName
paramsPassthrough
staticParams
}
opInitiated {
enabled
allowIframe
url
iframeRedirectUrl
}
}
}
}
Here is the response to the above GraphQL query.
{
"data": {
"openIdConnectSelfServiceIdps": [
{
"provider": {
"providerId": "[PROVIDER ID]",
"providerName": "[PROVIDER NAME]",
"clientId": "AAABBBCCC-1122-112C-1A21-112233344455556777",
"clientSecret": "AAABBBCCCCDDDDDDEEEEEFFFFFFFGGGGGGHHHHHHIIIIIIIIIIJJJJJJJJJ"
},
"advanced": {
"redirectURIOverride": ""
},
"authorization": {
"url": "https://[PROVIDER URL]/oidc/2/auth",
"responseType": "code",
"scope": "openid profile email params",
"persistParams": false,
"staticParams": null
},
"token": {
"url": "https://[PROVIDER URL]/oidc/2/token",
"clientAuthMethod": "CLIENT_SECRET_BASIC",
"staticParams": null,
"headerParams": null,
"claimMapping": {
"firstName": null
},
"jwtSettings": {
"disableValidation": false,
"audOverride": "",
"issuer": "https://[PROVIDER URL]/oidc/2",
"jwksUri": "https://[PROVIDER URL]/oidc/2/certs"
}
},
"userInfo": {
"url": "https://[PROVIDER URL]/oidc/2/me",
"staticParams": null,
"claimMapping": {
"ssoId": "sub",
"email": "email",
"firstName": "given_name",
"lastName": "family_name",
"emailVerified": null,
"address2": null,
"rolesToAdd": "params.roleToLink",
"rolesToRemove": "params.roleToUnLink",
"country": null,
"language": null,
"state": null,
"acceptTermsOfService": null,
"is13OrOlder": null,
"login": "preferred_username"
}
},
"logoutSettings": {
"frontendLogout": {
"staticParams": null,
"url": "https://[PROVIDER URL]/oidc/2/logout",
"alternateNameForPostLogoutRedirectURIParameter": null
},
"rpInitiated": {
"url": null,
"authMethod": "NONE",
"tokenMethod": "NONE",
"paramName": "",
"paramsPassthrough": false,
"staticParams": null
},
"opInitiated": {
"enabled": false,
"allowIframe": false,
"url": "",
"iframeRedirectUrl": ""
}
}
},
{
"provider": {
"providerId": "[PROVIDER ID]",
"providerName": "[PROVIDER NAME]",
"clientId": "AAABBBCCC-1122-112C-1A21-112233344455556777",
"clientSecret": "AAABBBCCCCDDDDDDEEEEEFFFFFFFGGGGGGHHHHHHIIIIIIIIIIJJJJJJJJJ"
},
"advanced": {
"redirectURIOverride": ""
},
"authorization": {
"url": "https://[PROVIDER URL]/oidc/2/auth",
"responseType": "code",
"scope": "openid profile email params",
"persistParams": false,
"staticParams": null
},
"token": {
"url": "https://[PROVIDER URL]/oidc/2/token",
"clientAuthMethod": "CLIENT_SECRET_BASIC",
"staticParams": null,
"headerParams": null,
"claimMapping": {
"firstName": null
},
"jwtSettings": {
"disableValidation": false,
"audOverride": "",
"issuer": "https://[PROVIDER URL]/oidc/2",
"jwksUri": "https://[PROVIDER URL]/oidc/2/certs"
}
},
"userInfo": {
"url": "https://[PROVIDER URL]/oidc/2/me",
"staticParams": null,
"claimMapping": {
"ssoId": "sub",
"email": "email",
"firstName": "given_name",
"lastName": "family_name",
"emailVerified": null,
"address2": null,
"rolesToAdd": "params.roleToLink",
"rolesToRemove": "params.roleToUnLink",
"country": null,
"language": null,
"state": null,
"acceptTermsOfService": null,
"is13OrOlder": null,
"login": "preferred_username"
}
},
"logoutSettings": {
"frontendLogout": {
"staticParams": null,
"url": "https://[PROVIDER URL]/oidc/2/logout",
"alternateNameForPostLogoutRedirectURIParameter": null
},
"rpInitiated": {
"url": null,
"authMethod": "NONE",
"tokenMethod": "NONE",
"paramName": "",
"paramsPassthrough": false,
"staticParams": null
},
"opInitiated": {
"enabled": false,
"allowIframe": false,
"url": "",
"iframeRedirectUrl": ""
}
}
}
]
}
}
Additional Resources
You can find out more about configuring the SSO settings in the Admin using the following guides:
ATLAS