...

Make sure that your values file does not already contain sections for camp and Keycloak. If it does, replace them.

Configure the connection to the OIDC provider for Smartfacts

In the “global” section of your values file, add the information about your OIDC provider:

Code Block
  secrets:
    oauth2:
      wellknown: "https://<OIDC provider>/auth/realms/<REALM>/.well-known/openid-configuration" # discovery document of the realm
    smartfacts:
      clientId: "<OIDC client>"
      clientSecret: "<OIDC client secret>" # secret material: keep this file out of version control
  identity:
    OIDC_ISSUER: "https://<OIDC provider>/auth/realms/<REALM>" # must be identical to the "issuer" value in the discovery document
  url:
    spa:
      scopes: "sf:bpm" # state the scopes here in a space separated list
      nonce: "false" # if true, Smartfacts sends a nonce with the login request so the returned ID token is bound to that request (replay protection)
      state: "false" # if true, Smartfacts generates a state parameter for the login flow with the OIDC provider and checks it on the redirect back (CSRF protection)

In lines 3 and 8 replace the placeholder <OIDC provider> with the address of your OIDC provider and the placeholder <REALM> with the name of the realm in your OIDC provider.

...

In line 6 replace the placeholder <OIDC client secret> with the client secret of the client. From this point on the values file contains a credential, so treat it as a secret: restrict file permissions and do not commit it to source control.

Info

With Azure AD as OIDC provider it is necessary to add the URL “https://graph.microsoft.com/oidc/userinfo” to the property spa.cspConf.externalUrls. This adds the URL to the allow-list of external origins that the browser part of Smartfacts may call; otherwise the browser blocks the UserInfo request to Microsoft Graph.

Configure the connection to the OIDC provider for the OSLC Connector for Smartfacts

To connect the OSLC Connector for Smartfacts with your OIDC provider, add the following properties to the genoslc.env section of your values file for the Smartfacts deployment, as seen below:

Code Block
    authorizationUri: "<Authorization URL of identity provider>"
    tokenUri: "<Token URI of identity provider>"
    userInfoUri: "<UserInfo URI of identity provider>"
  • Replace the placeholders in authorizationUri, tokenUri and userInfoUri with the appropriate URLs of your identity provider instance. These are the authorization_endpoint, token_endpoint and userinfo_endpoint values published in the provider's discovery document (the wellknown URL configured above).
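The three URLs for the OSLC Connector and the OIDC_ISSUER value for Smartfacts all come from the same discovery document, so it is worth reading them from there instead of typing them by hand. The following script is an added example, not Smartfacts or MID code: it parses a constructed, Keycloak-style discovery document (SAMPLE_DISCOVERY, so it runs offline), checks that its "issuer" is identical to the configured OIDC_ISSUER as OIDC Discovery requires, refuses non-HTTPS endpoints, reports scopes from url.spa.scopes that the provider does not advertise, and renders the genoslc.env lines. The host idp.example.com and the realm name are assumptions; in practice you would fetch the wellknown URL over HTTPS and hand its JSON body to the same functions.

```python
"""Derive the OIDC endpoints for the Smartfacts values file from the provider's
discovery document and cross-check them against OIDC_ISSUER.

Added example, not Smartfacts or MID code. SAMPLE_DISCOVERY is a constructed,
Keycloak-style discovery document so the script runs offline; replace it with
the body fetched from global.secrets.oauth2.wellknown.
"""
import json
from urllib.parse import urlparse

# Constructed sample of the JSON served under
# https://<OIDC provider>/auth/realms/<REALM>/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/auth/realms/smartfacts",
    "authorization_endpoint": "https://idp.example.com/auth/realms/smartfacts/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/auth/realms/smartfacts/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/auth/realms/smartfacts/protocol/openid-connect/userinfo",
    "scopes_supported": ["openid", "profile", "email", "sf:bpm"],
})

# genoslc.env property  ->  field name in the discovery document
ENDPOINT_FIELDS = {
    "authorizationUri": "authorization_endpoint",
    "tokenUri": "token_endpoint",
    "userInfoUri": "userinfo_endpoint",
}


def load_discovery(raw_json):
    """Parse the discovery document body."""
    return json.loads(raw_json)


def check_issuer(discovery, configured_issuer):
    """OIDC Discovery requires the document's 'issuer' to be identical to the
    issuer the client is configured with (global.identity.OIDC_ISSUER). A
    mismatch means the wellknown URL points at a different realm or host than
    the one whose tokens Smartfacts will accept, so stop there."""
    return discovery.get("issuer") == configured_issuer


def is_acceptable_endpoint(url):
    """Authorization codes, tokens and the client secret travel to these URLs,
    so only accept absolute https URLs with a host."""
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and bool(parsed.netloc)


def endpoint_settings(discovery, configured_issuer):
    """Return the three genoslc.env values for the OSLC Connector, or raise
    ValueError if the document does not belong to OIDC_ISSUER or is incomplete."""
    if not check_issuer(discovery, configured_issuer):
        raise ValueError(
            f"issuer mismatch: discovery says {discovery.get('issuer')!r}, "
            f"OIDC_ISSUER is {configured_issuer!r}")
    settings = {}
    for prop, field in ENDPOINT_FIELDS.items():
        url = discovery.get(field)
        if not is_acceptable_endpoint(url):
            raise ValueError(f"{field} missing or not https: {url!r}")
        settings[prop] = url
    return settings


def missing_scopes(discovery, scopes):
    """Scopes from url.spa.scopes (space separated) that the provider does not
    list in scopes_supported; a provider may reject them with invalid_scope."""
    supported = set(discovery.get("scopes_supported", []))
    return [s for s in scopes.split() if s not in supported]


def render_genoslc_env(settings):
    """Format the values as they appear in the genoslc.env section."""
    return "\n".join(f'    {key}: "{value}"' for key, value in settings.items())


if __name__ == "__main__":
    doc = load_discovery(SAMPLE_DISCOVERY)
    issuer = "https://idp.example.com/auth/realms/smartfacts"  # the OIDC_ISSUER value
    print(render_genoslc_env(endpoint_settings(doc, issuer)))
    print("scopes the provider does not advertise:", missing_scopes(doc, "sf:bpm"))
```

If the issuer check fails, do not "fix" it by editing OIDC_ISSUER to whatever the document says; find out why the wellknown URL and the issuer disagree first, because that is exactly the situation in which tokens from the wrong realm would be accepted.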

Adapting to custom token claims

If necessary, you can adapt the deployment to use custom token claims. To do this, use the following properties in your values file:

Code Block
global:
  secrets:
    oauth2:
      tokenClaims:
        id: ""
        email: ""
        name: ""
        lastName: ""
        givenName: ""

Defaults, if no settings are provided:

Property    AzureAD/EntraId                                 KeyCloak
id          [token]:sub                                     [userInfo]:sub
email       [userInfo]:email                                [userInfo]:email
name        [userInfo]:username                             [userInfo]:username
lastName    [userInfo]:familyName,[userInfo]:family_name    [userInfo]:familyName,[userInfo]:family_name
givenName   [userInfo]:given_name                           [userInfo]:given_name

Configure access rules

In a second step, access rules and optional groups must be configured. To do so, create a new text file “group-rules.yaml” and paste the following text into it:

Code Block
global:
  lcam:
    rules:
      - groupName: "Smartfacts Users"
        claim: "email"
        value:
          - "@"
        groupLicence:
          - "LIC_SMARTFACTS_USER"
        accountName: "Smartfacts Account"
      - groupName: "Account Administrators"
        claim: "email"
        value:
          - "account.administrator@your.domain"
        groupLicence:
          - "LIC_SMARTFACTS_USER"
        accountName: "Smartfacts Account"

To adapt the rules to your environment, replace the group names, claim values, licences and account name in the file with the values for your installation. Note that the value "@" in the first rule matches every user who has an e-mail address; if your OIDC provider also authenticates users outside your organisation, narrow that value to your own domain.

Claim sources

Practical experience has shown that the values of one and the same claim can differ in the token and in the UserInfo. To take this into account and to simplify configuration, Smartfacts allows you to specify the source of a claim.

By prefixing a claim name with the qualifier [token]: or [userinfo]:, you specify from which source the value of that claim is taken.
If "[token]:" is prefixed, the value is read directly from the token.
If "[userinfo]:" is prefixed, the value is read from the response of the OIDC provider's UserInfo endpoint.

If no qualifier is specified, "[userinfo]:" is implicitly prefixed.

e.g.

- claim: "[token]:email"
- claim: "[userinfo]:email"
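To see how the claim qualifiers, the defaults table and the group rules fit together, here is an added example in Python that is not the Smartfacts implementation. It encodes what the page states (the [token]:/[userinfo]: qualifiers with UserInfo as the default, the default claim table for KeyCloak, and the two rules from group-rules.yaml) plus two assumptions the page does not spell out: a comma-separated reference such as "[userInfo]:familyName,[userInfo]:family_name" is tried left to right and the first claim that exists wins, and a rule value matches when it is contained in the resolved claim value, which is the reading under which "@" matches every e-mail address. The token and UserInfo payloads are constructed samples in which, as the page warns can happen, the e-mail in the token differs from the e-mail in UserInfo.

```python
"""Resolve claim references and evaluate group rules as described on the page.

Added example, not the Smartfacts implementation. ASSUMPTIONS not stated on the
page: comma-separated references are tried left to right (first existing claim
wins), and a rule value matches when it is contained in the claim value.
TOKEN, USERINFO and ADMIN_USERINFO are constructed samples.
"""
import re

# "[token]:x" or "[userinfo]:x"; the defaults table also spells it "[userInfo]"
SOURCE_RE = re.compile(r"^\[(token|userinfo)\]:(.+)$", re.IGNORECASE)


def resolve_claim(ref, token, userinfo):
    """Return the first value found for a claim reference, or None.
    An unqualified name is read from UserInfo, the page's stated default."""
    for part in ref.split(","):
        part = part.strip()
        match = SOURCE_RE.match(part)
        if match:
            source, name = match.group(1).lower(), match.group(2)
        else:
            source, name = "userinfo", part
        value = (token if source == "token" else userinfo).get(name)
        if value is not None:
            return value
    return None


def rule_matches(rule, token, userinfo):
    """ASSUMPTION: a rule matches when any listed value is contained in the
    resolved claim value. A missing claim never matches, so users without an
    e-mail claim get no group from the rules below."""
    claim_value = resolve_claim(rule["claim"], token, userinfo)
    if claim_value is None:
        return False
    return any(v in str(claim_value) for v in rule["value"])


def assign_groups(rules, token, userinfo):
    """Group memberships (groupName, accountName, licences) a user receives."""
    return [(r["groupName"], r["accountName"], tuple(r["groupLicence"]))
            for r in rules if rule_matches(r, token, userinfo)]


def user_profile(claim_map, token, userinfo):
    """Apply a tokenClaims mapping (or the defaults table) to build the profile."""
    return {prop: resolve_claim(ref, token, userinfo) for prop, ref in claim_map.items()}


# The two rules from group-rules.yaml on the page, as Python structures
RULES = [
    {"groupName": "Smartfacts Users", "claim": "email", "value": ["@"],
     "groupLicence": ["LIC_SMARTFACTS_USER"], "accountName": "Smartfacts Account"},
    {"groupName": "Account Administrators", "claim": "email",
     "value": ["account.administrator@your.domain"],
     "groupLicence": ["LIC_SMARTFACTS_USER"], "accountName": "Smartfacts Account"},
]

# The KeyCloak column of the defaults table on the page
DEFAULT_CLAIMS_KEYCLOAK = {
    "id": "[userInfo]:sub",
    "email": "[userInfo]:email",
    "name": "[userInfo]:username",
    "lastName": "[userInfo]:familyName,[userInfo]:family_name",
    "givenName": "[userInfo]:given_name",
}

# Constructed: the token carries a different e-mail than UserInfo (the situation
# the page describes), and UserInfo has family_name but no familyName.
TOKEN = {"sub": "f47ac10b", "email": "alice@corp.example", "preferred_username": "alice"}
USERINFO = {"sub": "f47ac10b", "email": "alice.smith@corp.example", "username": "alice",
            "family_name": "Smith", "given_name": "Alice"}
ADMIN_USERINFO = {"sub": "9a1b2c3d", "email": "account.administrator@your.domain",
                  "username": "admin", "family_name": "Admin", "given_name": "Account"}


if __name__ == "__main__":
    print("email (default, UserInfo):", resolve_claim("email", TOKEN, USERINFO))
    print("email ([token]:):         ", resolve_claim("[token]:email", TOKEN, USERINFO))
    print("profile:", user_profile(DEFAULT_CLAIMS_KEYCLOAK, TOKEN, USERINFO))
    print("alice ->", assign_groups(RULES, TOKEN, USERINFO))
    print("admin ->", assign_groups(RULES, {"sub": "9a1b2c3d"}, ADMIN_USERINFO))
```

Two things the run makes visible: the same reference "email" yields alice.smith@corp.example with the default source but alice@corp.example with "[token]:", so a rule written against one source can silently stop matching if the provider populates the other one differently; and under contained-value matching the administrator rule would also match an address such as not.account.administrator@your.domain, so confirm how your Smartfacts version matches rule values before relying on substring-style values for privileged groups.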

Configure allowed email addresses

...

Code Block
sudo helm upgrade --install --timeout 20m0s smartfacts mid-smartfacts/smartfacts -f values.yaml -f group-rules.yaml --version 4.17.85-genoslcv2 -n smartfacts --create-namespace

...