Overview

The Security tab is made up of a few Administrative functions, such as changing your own password, managing users, and configuring authentication methods.

...


OIDC Configuration

Note

You are not able to use both LDAP and OIDC Settings at the same time. Selecting the checkbox for one setting will remove all data from the other setting.

The Open ID Connect (OIDC) Single Sign-on feature provides the ability for users to login to multiple applications with the same login credentials (username and password).

Info

.NET 4.72 is required to use OIDC Authentication.
MCSApplicationServer must be upgraded to version 4.0.1.56306 prior to launching the AdminConsole.


District’s OIDC-compatible Identity Provider, such as Azure AD, ADFS 4.0, or Red Hat SSO 7.0.

*Indicates a Required Field

  1. Discovery Document URL* - The discovery URL used to configure the OpenID Connect server. Typically this is in the form of https://example.com/path_to_issuer/.well-known/openid-configuration.
    For Azure AD, use https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/.well-known/openid-configuration.
    For RedHatSSO, use the format https://example.com/auth/realms/<realm-name>/.well-known/openid-configuration.
  2. Client ID* - The client id to use when communicating with the OpenID Connect (OIDC) server.
  3. Client Secret* - The client secret for the above client id to use when authenticating to the OpenID Connect (OIDC) server. For Public Key JWT, use the XML representation of the RSA private key corresponding to the public key known by the OIDC server.
  4. Client Auth Mode* - Use the drop-down menu to select one of the following modes: None, Basic, Post, ClientSecretJwt, PublicKeyJwt.
  5. Username Source Mode* - The source of the username to use when authenticating to the OpenID Connect (OIDC) server. For Azure AD, choose UPN.
    Use the drop-down menu to select one of the following source modes: OIDC Subject, Preferred Username, Email Address, UPN (User-Principal-Name).
  6. Browser Mode* - The initial display size of the popup-browser to display when performing client-side SSO authentication.
    Use the drop-down menu to select one of the following browser modes: Small, Normal, Maximized.
  7. Authorized User Claim Type – The claim type (name) used to identify whether or not a user is an administrator. For group membership in Azure AD, use ‘groups’ and be sure that “groupMembershipClaims” is set to “SecurityGroup” or “1” in the app registration manifest in Azure.
  8. Authorized User Claim Value* – A regular expression used to test the value reported by the OIDC Admin User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim value will be tested to see if it is a match of this regular expression. If using the ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).
  9. Admin User Claim Type – The claim type (name) used to identify whether or not a user is an administrator. For group membership in Azure AD, use ‘groups’ and be sure that “groupMembershipClaims” is set to “SecurityGroup” or “1” in the app registration manifest in Azure.
  10. Admin Users Claim Value* – A regular expression used to test the value reported by the OIDC Admin User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim will be tested to see if it is a match of this regular expression. If using the ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).
  11. Keycloak IDP Hint – An identity provider (IDP) hint that contains the signing key ID.
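As an added illustration (not MCS code), the following shows how the Username Source Mode (item 5) and the Authorized/Admin User Claim checks (items 8 and 10) behave against a constructed Azure AD-style set of ID-token claims; the mapping of source modes to standard claim names and the use of a full regex match are assumptions, and the group GUIDs are placeholders.

```python
import re

# Claim read for each Username Source Mode on this page; the claim names are an assumption.
USERNAME_CLAIMS = {
    "OIDC Subject": "sub",
    "Preferred Username": "preferred_username",
    "Email Address": "email",
    "UPN": "upn",
}

def select_username(claims, source_mode):
    """Return the username from the claim selected by the source mode, or None if absent."""
    return claims.get(USERNAME_CLAIMS[source_mode])

def claim_matches(claims, claim_type, claim_value_regex):
    """Evaluate an Authorized/Admin User claim as the page describes:
    blank regex  -> the claim value is tested for true/false (assume false);
    non-blank    -> the claim value must match the regex (full match assumed here).
    A list-valued claim such as Azure AD 'groups' passes if any element matches."""
    if not claim_type:
        return False
    value = claims.get(claim_type)
    if value is None:
        return False  # claim absent from the token: nothing to test, so not authorized
    if not claim_value_regex.strip():
        if isinstance(value, bool):
            return value
        return isinstance(value, str) and value.strip().lower() == "true"
    pattern = re.compile(claim_value_regex)  # a bare group GUID is a literal-only regex
    values = value if isinstance(value, list) else [value]
    return any(isinstance(v, str) and pattern.fullmatch(v) is not None for v in values)

# Constructed claims in the shape Azure AD emits; GUIDs are placeholders, not real groups.
STAFF_GROUP = "11111111-2222-3333-4444-555555555555"
ADMIN_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CLAIMS = {
    "sub": "opaque-subject-id",
    "preferred_username": "jdoe@example.org",
    "email": "jdoe@example.org",
    "upn": "jdoe@example.org",
    "groups": [STAFF_GROUP],
    "is_admin": "false",
}

if __name__ == "__main__":
    print(select_username(SAMPLE_CLAIMS, "UPN"))
    print(claim_matches(SAMPLE_CLAIMS, "groups", STAFF_GROUP))   # authorized user
    print(claim_matches(SAMPLE_CLAIMS, "groups", ADMIN_GROUP))   # not an admin
```

Note that with the ‘groups’ claim type a blank claim value yields false, since a list is neither true nor false; the group object id must be supplied as the regular expression.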

OIDC Authentication Setup

Complete the following steps to Setup OIDC Authentication:

  1. Login to AdminConsole. Note that the version must be 1.8.1.55571 or newer.
  2. From the Security drop-down menu, select OIDC Configuration.
  3. Click the checkbox Use OIDC for User Authentication to enable OpenId Connect Settings.
  4. Fill out the OIDC configuration settings for your District.

    Tip

    Hover over each field to view details.

Info

RedHat login hint is only required if connecting to a Red Hat SSO Server.


  5. Select Apply. Then, select Ok.
  6. Close AdminConsole.


  • Note: If users were previously configured to authenticate either normally or through LDAP, the first time a user attempts to login using OIDC they will receive a message. After this message appears, the username and password fields will be disabled.
  • Now you may login to the selected software using your network credentials without typing in your password.
    Click Connect to open a new web-based single sign-on screen where you will be prompted to enter your credentials.
  • When prompted, enter your domain credentials. Then, click Sign in.
    Note: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.
MCS Software Login

    Login to AdminConsole, Newton, Franklin, and Edison.

    1. Login to any connected MCS software.

    Microsoft Login

    1. Enter your domain username.

      Info

      The following screenshots may appear different based on your Single Sign-On provider. These screenshots are from Azure AD.


    2. Enter your password.
    3. Select Accept to proceed and login to the selected software using Single Sign-On.

      Note

      You may be requested once to grant permissions for this application to verify your identity, depending on your Single Sign-On provider.

Newton Point-of-Sale Login

    Login to Newton Point-of-Sale

    1. Select Ok at the login screen.
       Note: When using Single Sign-On, the Username and Password fields are not required on this screen.
    2. When prompted, enter your domain credentials. Then, click Sign in.
       Tip: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.