3.3.6.1. OpenID Connect (OIDC) Integration

To integrate MetaDefender Core with an OIDC identity provider (IDP), complete the following steps.

Create a new application for MetaDefender Core on the IDP site

Okta (https://www.okta.com/) is used here as a supported IDP to demonstrate OIDC integration with MetaDefender Core.

1.) Sign in to the Okta site and navigate to the admin dashboard.

2.) Add an application, select the “Web” application type, and choose “OpenID Connect” as the sign-on method.

Make sure the newly created application (e.g. Okta_OpenId) appears in the ACTIVE list.

Open the newly created application (e.g. Okta_OpenId), go to the “General” tab, and generate a client secret if one does not exist yet.

Once done, a Client ID and Client secret are available. Treat the client secret as a credential: it is what proves to Okta that a token request really comes from MetaDefender Core, so copy it only into the MetaDefender Core configuration, never into shared documents, and regenerate it in Okta if it is ever exposed.

On the MetaDefender Core management console, create a new user directory for SSO

  • In the “IDENTITY PROVIDER” section:

+ Fill in “Client ID” and “Client Secret” with the values generated in the IDP console.

+ Still on the MetaDefender Core console, type your MetaDefender Core address in the “HOST OR IP” field; MetaDefender Core then auto-generates a login redirect URL. Copy the full link, as it is needed in the next step. Enter the address exactly as users reach the console (same scheme, host name and port), because an OIDC IDP only redirects back to a URL that matches the registered redirect URI character for character; a mismatch fails the login at the IDP.

images/download/attachments/4677103/image-20200519-084542.png

+ Switch to the Okta IDP console, paste the login redirect URL into the application's login redirect URIs, and also fill in the Initiate login URI.

In the “USER IDENTIFIED BY” field:

  1. The username is constructed from claims under the profile scope.

  2. A claim is referenced with the syntax ${<claim-name>}, for example ${preferred_username} or ${given_name}.${family_name}.

Notes: The claims available under the profile scope depend on the IDP; review the IDP documentation for details. For Okta, see https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1. In standard OIDC the profile scope carries claims such as name, given_name, family_name and preferred_username, while the email address is released under the separate email scope, so a template that references a claim the IDP does not return cannot produce a usable username.
  • In the “USER ROLE” section, you can choose a default role that maps every SSO user to an existing MetaDefender Core local role.

Or create a custom role mapping based on a RegEx. Unless you have verified that the product matches the whole value, anchor the pattern (for example ^Administrators$ rather than Administrators) so that it cannot also match a longer value and grant a privileged role to the wrong users.
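The two settings above, the ${claim} username template and the regex role mapping, are worked through below in Python as an added example. This is not MetaDefender Core's own code: the page does not document how the product expands the template or whether its regex match is anchored, so the search-style matching, the sample claim set and the hypothetical `groups` claim are assumptions made for the illustration.

```python
import re

# Constructed sample claims, standing in for what an IDP returns for the
# "profile" scope plus one custom "groups" claim. Illustrative data only,
# not captured from Okta; "groups" is a hypothetical custom claim.
SAMPLE_CLAIMS = {
    "sub": "00u1abc2defGHIJKL3m4",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "jane.doe",
    "groups": ["Everyone", "MD-Admins"],
}

# ${<claim-name>} references, the syntax described on this page.
CLAIM_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


class MissingClaim(ValueError):
    """A referenced claim is absent, empty, or not a scalar."""


def resolve_username(template, claims):
    """Expand every ${claim} reference in the template from the claim set.

    Fails loudly instead of silently producing an empty or partial name,
    which is the safer behaviour when the IDP did not release a claim
    (for example an ${email} reference without the email scope).
    """
    def substitute(match):
        name = match.group(1)
        value = claims.get(name)
        if value is None or value == "":
            raise MissingClaim(f"claim '{name}' not present in IDP response")
        if isinstance(value, (list, dict)):
            raise MissingClaim(f"claim '{name}' is not a scalar value")
        return str(value)

    return CLAIM_REF.sub(substitute, template)


def username_or_none(template, claims):
    """Convenience wrapper: None when the template cannot be resolved."""
    try:
        return resolve_username(template, claims)
    except MissingClaim:
        return None


def claim_matches(pattern, value):
    """Regex test applied search-style (assumption: many mapping engines do
    this), so an unanchored pattern also matches a substring of the value."""
    return re.search(pattern, str(value)) is not None


def map_role(claims, rules, default_role=None):
    """Return the first role whose (claim_name, pattern) rule matches.

    rules: list of (claim_name, regex, role). Multi-valued claims such as
    a group list are checked element by element. Falls back to the default
    role when nothing matches, mirroring the "default role" option.
    """
    for claim_name, pattern, role in rules:
        value = claims.get(claim_name)
        values = value if isinstance(value, list) else [value]
        for candidate in values:
            if candidate is not None and claim_matches(pattern, candidate):
                return role
    return default_role


if __name__ == "__main__":
    print(resolve_username("${given_name}.${family_name}", SAMPLE_CLAIMS))
    # Unanchored: "Admins" also matches the group "MD-Admins".
    print(map_role(SAMPLE_CLAIMS, [("groups", "Admins", "Administrator")], "Viewer"))
    # Anchored: only an exact group name grants the role.
    print(map_role(SAMPLE_CLAIMS, [("groups", "^Admins$", "Administrator")], "Viewer"))
```

The last two calls are the point of the example: the pattern `Admins` grants Administrator because it is found inside `MD-Admins`, while `^Admins$` falls back to the default role. Write the production mapping with the anchored form and check it against the real claim values the IDP returns before enabling the directory.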
  • Click the “ADD” button to finish creating the SSO user directory. By default, the newly created user directory is disabled.

Enable it to allow SSO login.

Warning: enabling the directory forcibly logs out all currently active users.

Sign on using IDP authentication

With the SSO user directory enabled, clicking the “LOGIN” button on the MetaDefender Core management console redirects you to the Okta IDP login page.

  • After a successful login you are redirected back to the MetaDefender Core management console.