Info |
---|
An Authentication Provider is a system or service responsible for verifying the identity of users attempting to access a resource, such as a website, application, or network. It is a crucial component of the authentication process and is often part of a larger identity and access management (IAM) system. |
Note |
---|
You need to be the org admin to access the Organization Settings. |
Tap on the icon in the corner to see the Organization Settings toolbar (if you are not admin, you will not see these options)
...
Then tap on Organization > Modify under Login and Access tile.
...
Then to the Identity Providers section.
...
Info |
---|
ConnectSecure does not support Phone/SMS verification in the new portal. Our focus is primarily on email verification to enhance security and streamline the user experience. |
...
Overview
ConnectSecure supports the following providers.
...
and Zitadel support the following Identity Providers.
Clicking on the image below will direct you to the Zitadel documentation for the supported providers.
ConnectSecure uses Zitadel as the front-end authentication to the ConnectSecure application itself.
...
Getting Started
To set up an Authentication Provider, log in at https://authprod.myconnectsecure.com and complete these steps:
Click on the Settings header at the top
Click on the Identity Providers section on the left
Tap on the tile of the provider
...
...
Each provider has their unique values and requirements for the integration. Please check out the setup guide for the individual provider(s) as required.
Microsoft
...
Browse to the App registration menus create dialog to create a new app.
Give the application a name and choose who should be able to login (Single-Tenant, Multi-Tenant, Personal Accounts, etc.) This setting will also have an impact on how to configure the provider later on in ZITADEL.
Choose "Web" in the redirect uri field and add the URL:
Example redirect url for the domain:
https://authprod.myconnectsecure.com/ui/login/login/externalidp/callback
Save the Application (client) ID and the Directory (tenant) ID from the detail page separately as these needs to copied into ConnectSecure portal.
Add client secret
Generate a new client secret to authenticate your user.
Click on client credentials on the detail page of the application or use the menu "Certificates & secrets"
Click on "+ New client secret" and enter a description and an expiry date, add the secret afterwards
Copy the value of the secret. You will not be able to see the value again after some time
...
Token configuration
To allow ZITADEL to get the information from the authenticating user you have to configure what kind of optional claims should be returned in the token.
Click on Token configuration in the side menu
Click on "+ Add optional claim"
Add email, family_name, given_name and preferred_username to the id token
...
API permissions
To be able to get all the information that ZITADEL needs, you have to configure the correct permissions.
Go to "API permissions" in the side menu
Make sure the permissions include "Microsoft Graph": email, profile and User.Read
The "Other permissions granted" should include "Microsoft Graph: openid"
...
To Add Identity Provider in Your ConnectSecure Instance.
Login to ConnectSecure portal and Click on Profile.
...
Click on Company Logo.
...
Navigate to the Settings.
Modify your login policy in the menu Login Behavior and Security.
Enable the attribute External IDP allowed.
Go to the Identity Providers Overview
Go to the Settings page of your instance or organization and choose "Identity Providers".
In the table you can see all the providers you have configured. Also, you see all provider templates that are available to be configured.
...
Select the Microsoft Provider template.
Create a new Azure AD Provider
The Microsoft template has everything you need preconfigured. You only have to add the client ID and secret, you have created in the step before.
You can configure the following settings if you like, a useful default will be filled if you don't change anything:
Scopes: The scopes define which scopes will be sent to the provider, openid
, profile
, and email
are prefilled. This information will be taken to create/update the user within ZITADEL. Make sure to also add User.Read
. ZITADEL ensures that at least openid
and User.Read
scopes are always sent.
Email Verified: Azure AD doesn't send the email verified claim in the users token, if you don't enable this setting. The user is then created with an unverified email, which results in an email verification message. If you want to avoid that, make sure to enable "Email verified". In that case, the user is created with a verified email address.
Tenant Type: Configure the tenant type according to what you have chosen in the settings of your Azure AD application previously.
Common: Choose common if you want all Microsoft accounts being able to login. In this case, configure "Accounts in any organizational directory and personal Microsoft accounts" in your Azure AD App.
Organizations: Choose organization if you have Azure AD Tenants and no personal accounts. (You have configured either "Accounts in this organization" or "Accounts in any organizational directory" on your Azure APP)
Consumers: Choose this if you want to allow public accounts. (In your Azure AD App you have configured "Personal Microsoft accounts only")
Tenant ID: If you have selected Tenant ID as Tenant Type, you have to enter the Directory (Tenant) ID into the Tenant ID field, copied previously from the Azure App configuration.
Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist.
Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed within the provider. E.g if the lastname changes on the Microsoft account, the information will be changed on the ZITADEL account on the next login.
Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.
Account linking allowed: This setting determines if account linking is allowed. When logging in with a Microsoft account, a linkable ZITADEL account has to exist already.
...
Once the details are filled in and options are selected, click on Create.
...
Under Identity Provider table, select the created record and Click on set as available.
...
This completes setting up and adding Microsoft Azure AD Provider.
ConnectSecure portal.
Login to the ConnectSecure Portal and enter the Tenant Name.
Click on Use External Authentication to login in to portal.
...
Provide all the fields (Give Name, FamilyName, Username, E.mail, Phone number, Language) and click on Register to create user in the ConnectSecure portal.
...
You will receive a verification code at your given email.
...
Enter the verification code and click on Next to login to ConnectSecure portal.
...
Once the email address has been Successfully verified and The user will created with NO ROLE assigned to it. Admin should assign the Role as per the requirement.
The Admin user can assign the role to IDP so the user can login and access the ConnectSecure portal.
...
Admin Access
Info |
---|
Newly signed-up users are only permitted to establish SSO using the registered email ID and username associated with the organization's owner. In the event that another organization partner wishes to configure SSO, the owner of the organization must Add a Manager within the organization section. |
To manage the Admin access to manage the other members of the organization.
Select Organization click on Add + button as shown below.
...
Add a Manager and select the Login name (Current Organization).
Click on OrgOwner and click on Add to provide Admin Access.
...
...
Use Cases
Existing Email with SSO Selection:
If the user's email already exists in the system and they choose the SSO provider email during profile configuration, a new user account associated with the SSO provider will be created.
This allows users to log in with both their system user credentials and their SSO provider credentials.
Existing Email with System Profile Selection:
If the user's email already exists in the system and they choose their existing system user email during SSO profile configuration, they need to link their system user profile with their SSO user profile.
This ensures that the user can access their account using their SSO provider credentials.
(While linking the existing user profile to SSO, the initial username should match with user management list and SSO user details)
New SSO User Profile Creation:
If the SSO user profile email doesn’t exist, a new user account will be created using the SSO user profile information.
This allows new users to register and access the system using SSO provider credentials.
...
Providers
ConnectSecure and Zitadel support the following Identity Providers.
Clicking on the image below will direct you to the Zitadel documentation for the supported providers.
ConnectSecure uses Zitadel as the front-end authentication to the ConnectSecure application itself.
...
Get Support
If you have an integration-related inquiry, please email support@connectsecure.com with the details, and our Support Team will assist you.
...