Page History
...
The following integration level is available from the OIDC Identity Service Type:
Identity Service | Identity Service Configuration Items | ||||
---|---|---|---|---|---|
Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with |
OIDC-JOC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit |
OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | OIDC Identity Provider | JOC Cockpit |
Explanation:
- Service Type:
OIDC-JOC
- Management of user accounts with passwords is performed by the OIDC Identity Provider
- The assignment of roles to user accounts is performed by the JOC Cockpit Application.
- This is provided by the Accounts View where the a the roles are assigned to the known accounts .
- The JOC Cockpit stores user accounts and role assignments: in the JS7 - Database.
- The JOC Cockpit does not know passwords of user accounts or the access tokens of successful authentication.
- Service Type:
OIDC
- Management of user accounts with passwords is performed by the OIDC Identity Provider
- The assignment of roles to user accounts is performed by the JOC Cockpit Application.
- The accounts view is not provided when using OIDC
- The assignment of roles to accounts is provided by the group roles mapping editor in the "Manage Settings View" of the OIDC Identity Service.
- The JOC Cockpit does not store user accounts and role assignments. This is done by the the OIDC Identity Provider
- The JOC Cockpit does not know passwords of user accounts or the access tokens of successful authentication.
...
Example for Azure
Explanations:
Name | Value | Description | Example |
OIDC Name | The name of the OIDC Identity Service. | The name of the Identity Service is used by JOC Cockpit to show the caption of the assigned login button. | Google, Keycloak |
OIDC Authentication URL | The URL used by the Client to login to the OIDC Identity Provider. | This URL is called by the Client for login and returns the Access Token from the OIDC Identity Provider. It is similarly used when reading settings of the OIDC Identity Provider with the /.well-known/openid-configuration URL and is used as the issuer during token verification. | Keycloak: https://keycloak:8283/auth/realms/JOC Azure: https://sts.windows.net/<tenant-id>/.well-known/openid-configuration |
OIDC Client ID | The Client ID is configured in the OIDC Identity Provider. | The Client ID is used for a number of calls to to the OIDC Identity Provider. |
|
| The Client Secret is configured in the OIDC Identity Provider. | The Client Secret is used for a number of calls to the OIDC Identity Provider. |
|
OIDC User Name Attribute | The attribute is configured with the OIDC Identity Service. | The attribute is returned by the OIDC Identity Service and identifies the user account.
|
|
OIDC Image | An image can be uploaded that is displayed with the login page. | Optionally an image can be uploaded. . | |
OIDC Truststore Path | The Path to a truststore. | A truststore can be indicated and has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication for the Identity Provider.
|
|
|
| Use of Java truststore: /usr/lib/jvm/java-17-openjdk/lib/security/cacerts | ||
OIDC Truststore Password | Truststore password | If the indicated truststore is protected by a password then the password has to be specified. | Use of Java truststore: changeit |
OIDC Truststore Type | Truststore type | The type of the truststore is either | Use of Java truststore: PKCS12 |
OIDC Login
Once OIDC Identity Services have been configured they are displayed in JOC Cockpit's login screen like this:
...