Single Sign-On with OpenID Identity providers

A UBIQUITY domain can be configured to implement the use of a single OpenID Connect (OIDC) identity provider, such as Azure AD, Auth0, and others.

The integration of an external identity provider can be set up in two ways:

  • Authentication only: Authentication is provided by the external identity provider but authorization is managed through permissions assigned to users and groups defined in UBIQUITY.
  • Authentication and authorization: Authentication is provided by the external identity provider but permissions are assigned only through groups in UBIQUITY where group membership occurs automatically by matching the users' groups as reported by the identity provider.
Note: Besides confirming the user's identity, the identity provider may manage any permission rights over the entities and resources of a given domain, if previously configured.
Note: A single user can be set to authenticate through either internal or external authentication.
A UBIQUITY domain can be configured to support authentication in two different ways:
  • Hybrid: (internal and external authentication) Users set both as internal and external can login. This means that a UBIQUITY domain may include users whose authentication is provided by an external identity provider but also users whose authentication is provided by UBIQUITY. The hybrid authentication is mandatory for the domain creation but it also allows a gradual transition to an external authentication/authorization for existing domains.
  • Only External: Only external users can log in, which means users whose identity is verified and stored in the identity provider.
Note: This configuration cannot be carried out through the UBIQUITY Manager. Contact the ASEM Technical Support team to set the identity provider communication configuration.
Note: When using OpenID for user authentication and authorization, user operations are neither tracked nor stored on the UBIQUITY Audit Log. This is because such operations are managed by an Identity Provider that is external to UBIQUITY. This is relevant when reviewing audit logs or performing security assessments.

Create an external user and set external authentication

To add an external user to your domain and allow for external authentication, proceed as follows:

  1. In the UBIQUITY Manager, access the Explorer > Domain view section.
  2. Click the Add resource (circled plus) button next to your domain.
  3. Select Create user account.
  4. In the Create user account window, flag the User signs in with external authentication entry.

When trying to log on to the UBIQUITY Manager, the newly created external user is then redirected to the identity provider linked to their company for external identity authentication.

Once the authentication process is complete, the user is directly logged on to the UBIQUITY Manager.

Users Synchronization

In an OpenID Connect environment, the authentication information is transferred through JWT tokens, each including claims about the token itself, the user and their permissions.

You can configure the claim types in the JWT tokens to enable users synchronization through pairing between UBIQUITY and the identity provider.

Emails are standard OpenID Connect (OIDC) claims to serve as identifiers for pairing between UBIQUITY and the identity provider. Nevertheless, you can use other claim types to enable the pairing, such as the UBIQUITY user's username.