Single-Sign On

Overview

This document is intended to help Support users set up MCS products (Newton, Franklin, Edison, DataCenter and MSA Client) Single Sign-On.


The Single Sign-on feature provides the ability for users to login to multiple applications with the same login credentials (username and password). 



Admin Console Security

OIDC Configuration

You are not able to use both LDAP and OIDC Settings at the same time. Selecting the checkbox for one setting will remove all data from the other setting.

The Open ID Connect (OIDC) Single Sign-on feature provides the ability for users to login to multiple applications with the same login credentials (username and password).

.NET 4.7.2 is required to use OIDC Authentication.
MCSApplicationServer must be upgraded to version 4.0.1.56306 prior to launching AdminConsole.

MCSApplicationServer Installation Instructions

OIDC Authentication Setup

Complete the following steps to set up OIDC Authentication:

  1. Log in to AdminConsole and confirm that the version is 1.8.1.55571 or newer.
  2. From the Security drop-down menu, select OIDC Configuration.
  3. Click the checkbox Use OIDC for User Authentication to enable OpenId Connect Settings.
  4. Fill out the OIDC configuration settings for your District’s OIDC-compatible Identity Provider, such as Azure AD, ADFS 4.0, or Red Hat SSO 7.0.


    *Indicates a Required Field

    1. Discovery Document URL* - The discovery URL used to configure the OpenID Connect server. Typically this is in the form of https://example.com/path_to_issuer/.well-known/openid-configuration.
      For Azure AD, use https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/.well-known/openid-configuration.
      For RedHatSSO, use the format https://example.com/auth/realms/<realm-name>/.well-known/openid-configuration.
    2. Client ID* - The client id to use when communicating with the OpenID Connect (OIDC) server.
    3. Client Secret* - The client secret for the above client id to use when authenticating to the OpenID Connect (OIDC) server. For Public Key JWT, use the XML representation of the RSA private key corresponding to the public key known by the OIDC server.
    4. Client Auth Mode* - Use the drop-down menu to select one of the following modes: None, Basic, Post, ClientSecretJwt, PublicKeyJwt.
    5. Username Source Mode* - The source of the username to use when authenticating to the OpenID Connect (OIDC) server. For Azure AD, choose UPN.
      Use the drop-down menu to select one of the following source modes: OIDC Subject, Preferred Username, Email Address, UPN (User-Principal-Name).
    6. Browser Mode* - The initial display size of the popup-browser to display when performing client-side SSO authentication.
      Use the drop-down menu to select one of the following browser modes: Small, Normal, Maximized.
    7. Authorized User Claim Type – The claim type (name) used to identify whether or not a user is an authorized user. For group membership in Azure AD, use ‘groups’ and be sure that “groupMembershipClaims” is set to “SecurityGroup” or “1” in the app registration manifest in Azure.
    8. Authorized User Claim Value* – A regular expression used to test the value reported by the OIDC Authorized User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim value will be tested to see if it is a match of this regular expression. If using the ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).
    9. Admin User Claim Type – The claim type (name) used to identify whether or not a user is an administrator. For group membership in Azure AD, use ‘groups’ and be sure that “groupMembershipClaims” is set to “SecurityGroup” or “1” in the app registration manifest in Azure.
    10. Admin User Claim Value* – A regular expression used to test the value reported by the OIDC Admin User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim value will be tested to see if it is a match of this regular expression. If using the ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).
    11. Keycloak IDP Hint – An identity provider (IDP) hint that contains the signing key ID.

      RedHat login hint is only required if connecting to a Red Hat SSO Server.

  5. Select Apply. Then, select Ok.
  6. Close AdminConsole.
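The following is an added illustration, not MCS code: it models the claim evaluation rules described for the Authorized/Admin User Claim settings (blank value tested as true/false, non-blank value tested as a regular expression, a ‘groups’ claim holding a list of object ids), the two discovery URL formats given above, and an assumed mapping of the Username Source Mode drop-down to standard OIDC claim names. The tenant, realm, user and group ids are constructed placeholders.

```python
import re
from typing import Any, Mapping, Optional

# Discovery URL formats from the Azure AD and Red Hat SSO notes above.
DISCOVERY_FORMATS = {
    "azuread": "https://login.microsoftonline.com/{id}/.well-known/openid-configuration",
    "redhatsso": "https://example.com/auth/realms/{id}/.well-known/openid-configuration",
}

# Assumed mapping of the Username Source Mode options to standard OIDC claim names.
USERNAME_SOURCE_CLAIMS = {
    "OIDC Subject": "sub",
    "Preferred Username": "preferred_username",
    "Email Address": "email",
    "UPN": "upn",
}


def discovery_url(provider: str, tenant_or_realm: str) -> str:
    """Build the discovery document URL for one of the two documented providers."""
    return DISCOVERY_FORMATS[provider].format(id=tenant_or_realm)


def username_from_claims(claims: Mapping[str, Any], mode: str) -> Optional[str]:
    """Pick the login username from the ID-token claims per the selected source mode."""
    return claims.get(USERNAME_SOURCE_CLAIMS[mode])


def claim_matches(claims: Mapping[str, Any], claim_type: str, claim_value_regex: str) -> bool:
    """Evaluate an Authorized/Admin User claim the way the settings above describe."""
    if not claim_type:
        return False  # no claim configured: nobody qualifies
    value = claims.get(claim_type)
    if not claim_value_regex:
        # Blank regex: the claim is read as a boolean; a missing claim counts as false.
        return value is True or (isinstance(value, str) and value.lower() == "true")
    values = value if isinstance(value, (list, tuple)) else [value]
    pattern = re.compile(claim_value_regex)
    # fullmatch so a group object id cannot be satisfied by a partial overlap.
    return any(isinstance(v, str) and pattern.fullmatch(v) for v in values)


# Constructed sample ID-token claims for a user who is in two Azure AD security groups.
STAFF_GROUP = "11111111-1111-1111-1111-111111111111"
ADMIN_GROUP = "22222222-2222-2222-2222-222222222222"
SAMPLE_CLAIMS = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAA",
    "preferred_username": "jdoe@example.com",
    "upn": "jdoe@example.com",
    "groups": [STAFF_GROUP, ADMIN_GROUP],
}
```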

MCS Software Login

Log in to AdminConsole, Newton, Franklin, and Edison.

  1. Log in to any connected MCS software.
    Note: If users were previously configured to authenticate either normally or through LDAP, the first time a user attempts to login using OIDC they will receive the following message:

    After this message appears, the username and password fields will be disabled.
  2. Now you may log in to the selected software using your network credentials without typing in your password.
    Click Connect to open a new web-based single sign-on screen where you will be prompted to enter your credentials.
  3. When prompted, enter your domain credentials. Then, click Sign in.
    Note: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.
Microsoft Login
  1. Enter your domain username.

    The following screenshots may appear different based on your Single Sign-On provider. These screenshots are from Azure AD.

  2. Enter your password.
  3. Select Accept to proceed and log in to the selected software using Single Sign-On.

    You may be requested once to grant permissions for this application to verify your identity, depending on your Single Sign-On provider.

Newton Point-of-Sale Login

Log in to Newton Point-of-Sale

  1. Select Ok at the login screen.
    Note: When using Single Sign-On, the Username and Password fields are not required on this screen.
  2. When prompted, enter your domain credentials. Then, click Sign in.
    Note: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.