Autonomous Identity 2022.11.1

Set Up Single Sign-On

Autonomous Identity supports single sign-on (SSO) using OpenID Connect (OIDC) JWT tokens. SSO lets you log in once and access multiple applications without the need to re-authenticate yourself. You can use any third-party identity provider (IdP) to connect to Autonomous Identity. In this example, we use ForgeRock Access Management (AM) as an OpenID Connect (OIDC) IdP for Autonomous Identity.

If you set up SSO only, be aware that the following Autonomous Identity services are not deployed with this setting, because your SSO provider supports these functions instead:

  • Self Service

  • Manage Identities

If you want to use these services and SSO, set up the authentication as "LocalAndSSO". With this setting, the Login page provides two authentication links: "Sign in using OpenID" and "Or sign in via email."

The following procedure requires a running instance of ForgeRock AM. For more information, see ForgeRock Access Management Quick Start Guide.

Set up SSO:
  1. First, set up your hostnames locally in /etc/hosts.
  2. Open a browser and point to Log in with username: amadmin, password: cangetinam.

  3. On AM, go to Identities > Groups, and add the following groups:

    • AutoIdAdmin

    • AutoIdEntitlementOwner

    • AutoIdExecutive

    • AutoIdSupervisor

    • AutoIdUser

  4. Add the demo user to each group.

  5. Go back to the main AM Admin UI page. Click Configure OAuth Provider.

  6. Click Configure OpenID Connect, and then Create.

  7. Go to Applications > OAuth 2.0, and then click Add Client. Enter the following properties, specific to your deployment:

    Client ID:         <autoid>
    Client secret:     <password>
    Redirection URIs:  https://<autoi-ui>.<domain>/api/sso/finish
    Scope(s):          openid profile

    For example:

    Client ID:         autoid
    Client secret:     Welcome123
    Redirection URIs:
    Scope(s):          openid profile
  8. On the New Client page, go to the Advanced tab, and enable Implied Consent. Next, change the Token Endpoint Authentication Method to client_secret_post.

  9. Edit the OIDC claims script to return the user's roles (groups) in a groups claim, so that AM can match the Autonomous Identity groups.

    // return the name of each group the user belongs to, so the claim lists AutoIdAdmin, AutoIdUser, and so on
    "groups": { claim, identity -> [ "groups" : identity.getMemberships(IdType.GROUP).collect { group -> group.name }]}

    For more information about the OIDC claims script, see the ForgeRock Knowledge Base.

  10. The id_token now carries the group names in its groups claim. For the demo user, who was added to every group in step 4, the token looks like this:

      {
        "at_hash": "QJRGiQgr1c1sOE4Q8BNyyg",
        "sub": "demo",
        "auditTrackingId": "59b6524d-8971-46da-9102-704694cae9bc-48738",
        "iss": "",
        "tokenName": "id_token",
        "groups": [
          "AutoIdAdmin",
          "AutoIdEntitlementOwner",
          "AutoIdExecutive",
          "AutoIdSupervisor",
          "AutoIdUser"
        ],
        "given_name": "demo",
        "aud": "autoid",
        "c_hash": "SoLsfc3zjGq9xF5mJG_C9w",
        "acr": "0",
        "org.forgerock.openidconnect.ops": "B15A_wXm581fO8INtYHHcwSQtJI",
        "s_hash": "bOhtX8F73IMjSPeVAqxyTQ",
        "azp": "autoid",
        "auth_time": 1592390726,
        "name": "demo",
        "realm": "/",
        "exp": 1592394729,
        "tokenType": "JWTToken",
        "family_name": "demo",
        "iat": 1592391129,
        "email": ""
      }
  11. You have successfully configured AM as an OIDC provider. Next, we set up Autonomous Identity.

  12. Change to the Autonomous Identity install directory on the deployer machine.

    $ cd ~/autoid-config/
  13. Open a text editor, and set the SSO parameters in the /autoid-config/vars.yml file. Make sure to change the authentication_option value from LDAP to SSO.

    authentication_option: "SSO"
    oidc_issuer: ""
    oidc_auth_url: ""
    oidc_token_url: ""
    oidc_user_info_url: ""
    oidc_callback_url: ""
    oidc_jwks_url: ""
    oidc_client_scope: 'openid profile'
    oidc_groups_attribute: groups
    oidc_uid_attribute: sub
    oidc_client_id: autoid
    oidc_client_secret: Welcome1
    admin_object_id: AutoIdAdmin
    entitlement_owner_object_id: AutoIdEntitlementOwner
    executive_object_id: AutoIdExecutive
    supervisor_object_id: AutoIdSupervisor
    user_object_id: AutoIdUser
    application_owner_object_id: AutoIDAppOwner
    oidc_end_session_endpoint: ""
    oidc_logout_redirect_url: ""
  14. On the Target machine, edit the /etc/hosts file, and add an entry for
  15. On the Deployer machine, run to push the new configuration.

    $ run
  16. Test the connection now. Access The redirect should occur with the following:
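The relying-party side of the settings in steps 9 to 13, as an added Go example that is not part of the Autonomous Identity documentation or product code: it verifies an RS256 id_token against a JWKS (the document that oidc_jwks_url serves), pins iss to oidc_issuer and aud to oidc_client_id, rejects an expired token or an alg of none, reads oidc_uid_attribute, and then maps the groups claim (oidc_groups_attribute) onto the *_object_id settings to decide which Autonomous Identity roles the user holds, refusing a user who is in none of the AutoId groups. The issuer URL, the key id "k1", the signing fixture and the demo claims are constructed for the example; the group names and setting names are those from vars.yml above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// SSOConfig holds the vars.yml values that token validation depends on; RoleGroups maps each *_object_id setting name to its IdP group.
type SSOConfig struct {
	Issuer, ClientID, GroupsAttr, UIDAttr string
	RoleGroups                            map[string]string
}

// JWK is the RSA subset of a JSON Web Key; a list of them is what oidc_jwks_url serves.
type JWK struct{ Kty, Kid, N, E string }
var enc = base64.RawURLEncoding
func dec(s string) []byte { b, _ := enc.DecodeString(s); return b } // garbage simply fails the later JSON or signature check

// jwksFor publishes the public half of key under key id kid, as the IdP's JWKS endpoint would.
func jwksFor(key *rsa.PrivateKey, kid string) []JWK {
	e := big.NewInt(int64(key.PublicKey.E)).Bytes()
	return []JWK{{Kty: "RSA", Kid: kid, N: enc.EncodeToString(key.PublicKey.N.Bytes()), E: enc.EncodeToString(e)}}
}

// signIDToken is a fixture standing in for the IdP's token endpoint: RS256 over header.claims.
func signIDToken(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// VerifyIDToken is the relying-party side: RS256 by a JWKS key only, iss and aud pinned to the configuration, exp in
// the future; then oidc_uid_attribute names the user and the groups claim selects which *_object_id roles the user gets.
func VerifyIDToken(token string, jwks []JWK, cfg SSOConfig, now time.Time) (string, []string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return "", nil, errors.New("malformed token or unsupported alg") // never honour alg=none or an HMAC alg here
	}
	var pub *rsa.PublicKey
	for _, k := range jwks {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])) != nil {
		return "", nil, errors.New("unknown kid or bad signature")
	}
	var claims map[string]any
	if json.Unmarshal(dec(parts[1]), &claims) != nil || claims["iss"] != cfg.Issuer {
		return "", nil, errors.New("unparseable claims or issuer mismatch")
	}
	if claims["aud"] != cfg.ClientID { // string aud as in the id_token above; OIDC also allows an array form
		return "", nil, errors.New("token not issued for this client_id")
	}
	uid, _ := claims[cfg.UIDAttr].(string)
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) || uid == "" {
		return "", nil, errors.New("token expired, or exp or uid claim missing")
	}
	groups, _ := claims[cfg.GroupsAttr].([]any)
	var roles []string
	for setting, group := range cfg.RoleGroups {
		for _, g := range groups {
			if g == group {
				roles = append(roles, setting)
			}
		}
	}
	sort.Strings(roles) // map iteration order is random; hand back a stable list
	if len(roles) == 0 {
		return "", nil, errors.New("user is in no Autonomous Identity group")
	}
	return uid, roles, nil
}

// DemoConfig mirrors the vars.yml settings above; the issuer URL is a constructed placeholder.
func DemoConfig() SSOConfig {
	return SSOConfig{Issuer: "https://am.example.com/am/oauth2", ClientID: "autoid", GroupsAttr: "groups", UIDAttr: "sub",
		RoleGroups: map[string]string{"admin_object_id": "AutoIdAdmin", "entitlement_owner_object_id": "AutoIdEntitlementOwner",
			"executive_object_id": "AutoIdExecutive", "supervisor_object_id": "AutoIdSupervisor", "user_object_id": "AutoIdUser"}}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := map[string]any{"iss": DemoConfig().Issuer, "aud": "autoid", "sub": "demo", "exp": time.Now().Add(time.Hour).Unix(), "groups": []string{"AutoIdUser"}}
	fmt.Println(VerifyIDToken(signIDToken(key, "k1", claims), jwksFor(key, "k1"), DemoConfig(), time.Now()))
}
```

Run with go run: the program generates a throwaway key, signs a token for demo in AutoIdUser and prints demo [user_object_id] <nil>. A token signed with a different key, carrying a different aud or iss, or with its header rewritten to alg none fails at the corresponding check, which is the property the oidc_jwks_url, oidc_issuer and oidc_client_id settings exist to give you; a user outside every AutoId group gets no role and therefore no access.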
Copyright © 2010-2024 ForgeRock, all rights reserved.