Configuring OIDC
BCS Configuration
Before WDA can use OIDC, BCS needs to be configured to support it (available since BCS version 6.0.406.0).
For details, please check the BCS Tech Manual, chapter "6.4.6 BCS and OpenID Connect / JSON Web Tokens". (The chapter number and title may vary between versions.)
BCSS Configuration
It is worth mentioning that newer versions of BCSS (since 3.3.317.0) support OIDC without any special configuration. However, since BCSS is a client of BCS, the shared client configuration for connecting to BCS is still needed, specifically WSPort and WSSPort under Digas\PlanServer\BCS_SERVER.
WDA Configuration
OIDC is supported in WDA as an opt-in feature; therefore some metadata currently needs to be configured at the backend, i.e. in settings.json.
A valid configuration could look like the following:
OIDC Configuration in JSON
{
  "oidc": {
    "providers": [
      {
        "name": "DIS",
        "url": "http://vm-dpedemo:5000/",
        "default": false
      },
      {
        "name": "ADFS",
        "url": "https://dpe2019.davidsystems.com/adfs"
      }
    ]
  }
}
Some points:
- If a provider with a truthy "default" value is configured, WDA performs automatic SSO as soon as a user visits the WDA login page.
- If no provider has a truthy "default" value, WDA does not perform automatic SSO; the login page instead lets the user choose among the different login options.
- Multiple providers may be marked as default in the configuration, but only the first one takes effect.
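The following JavaScript is an added example, not WDA code, that applies the three rules above to a settings.json fragment: it resolves the provider used for automatic SSO (first truthy "default" wins, otherwise none) and decides whether the login page should auto-redirect or present a choice. The validateProviders check is added practitioner hygiene rather than a rule from this page; it flags a provider whose issuer URL is not https, because the authorization redirect and token exchange would then travel in clear text. The sample settings object is constructed to mirror the configuration shown above.

```javascript
// Constructed sample mirroring the settings.json fragment on this page.
const sampleSettings = {
  oidc: {
    providers: [
      { name: "DIS", url: "http://vm-dpedemo:5000/", default: false },
      { name: "ADFS", url: "https://dpe2019.davidsystems.com/adfs" },
    ],
  },
};

// Return the provider selected for automatic SSO, or null if the login page
// should show the list of providers instead. Only the FIRST truthy "default"
// counts; a missing "default" is treated the same as a falsy one.
function resolveDefaultProvider(settings) {
  const providers = settings?.oidc?.providers ?? [];
  return providers.find((p) => Boolean(p.default)) ?? null;
}

// Validate each provider entry (added check, not a WDA rule): a name and a
// parseable absolute URL are required, and a non-https issuer is reported.
function validateProviders(settings) {
  const providers = settings?.oidc?.providers ?? [];
  const problems = [];
  providers.forEach((p, i) => {
    if (!p.name) problems.push(`providers[${i}]: missing "name"`);
    let url;
    try {
      url = new URL(p.url);
    } catch {
      problems.push(`providers[${i}]: invalid "url" ${JSON.stringify(p.url)}`);
      return;
    }
    if (url.protocol !== "https:") {
      problems.push(`providers[${i}] (${p.name}): issuer ${p.url} is not https`);
    }
  });
  return problems;
}

// Decide how the login page behaves: "auto-sso" with the resolved provider,
// or "choose" with the full list of configured provider names.
function loginPageMode(settings) {
  const def = resolveDefaultProvider(settings);
  if (def) return { mode: "auto-sso", provider: def.name };
  return {
    mode: "choose",
    options: (settings?.oidc?.providers ?? []).map((p) => p.name),
  };
}

// Stand-alone run: prints the login page decision and any validation findings.
if (typeof require !== "undefined" && require.main === module) {
  console.log(loginPageMode(sampleSettings));
  console.log(validateProviders(sampleSettings));
}
```

With the sample above, neither provider has a truthy "default", so loginPageMode returns the "choose" mode with both names, and validateProviders reports the plain-http DIS entry. Marking "default": true on the DIS entry would switch the result to automatic SSO against that provider.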
Related Information
- Currently, WDA only explicitly supports DIS, a.k.a. DigaSystem Identity Server (optionally AD-synced with Windows ADFS), as an OIDC provider; multiple DIS servers can be configured as providers.
- Using Windows ADFS directly as an OIDC provider for WDA is planned but not yet supported.