...
Generally, IGEL OS 12 supports OpenID Connect authentication. For IdPs that adhere closely to this standard, there is a good chance that they can be used with IGEL OS 12.
Info |
---|
Generally, you can edit the IGEL OS 12 device configuration as follows:
The best practice to configure your devices is via profiles. For details on how to create profiles, see /wiki/spaces/HTSWICP/pages/83886925Creating a Profile. |
Apps and Utilities for IGEL OS 12 That Support SSO with Microsoft Entra ID
Anchor | ||||
---|---|---|---|---|
|
...
Go to Security > Logon > Single Sign-On and edit the settings as follows:
Enable Single Sign-On with Identity Provider.
Set Identity Provider to Azure ID.
Enter the Azure AD Tenant Name/ID. This is the value you have obtained as Directory (tenant) ID in Azure AD Portal.
Set the appropriate Application (client) ID. You have obtained this value as Application (client) ID in your Azure AD Portal.
Enter the Client secret.
Include Page IGELOS12BSDOCP:_SSO Autologin IGELOS12BSDOCP:_SSO Autologin Click Save or Save and close.
The desktop of the device is terminated. The login screen is displayed.
You can now use the apps and utilities for IGEL OS 12 that support SSO with Entra AD.
For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/HTSWICP/pages/83886925 and /wiki/spaces/HTSWICP/pages/83886925IGEL UMS 12: Basic Configuration and Assignment of Apps and Profiles.
All methods of multi-factor authentication are available except the hardware token.
...
Log in to Okta with your admin account, and from the Applications menu, select Applications > Create App Integration.
Edit the settings as follows and then click Next.
Set Sign-in method to OIDC - OpenID Connect.
Set Application type to Native Application.
Edit the settings as follows and then click Save.
Under App integration name, enter a name for your application, e.g. "IGEL OS Single sign-on".
Make sure that as the Grant type, the option Authorization Code is selected.
Under Sign-in redirect URIs, enter "http://localhost/callback".
The app integration is created.
Select the General tab and then click Edit.
Under Client authentication, select Client secret and make sure that under Proof Key for Code Exchange (PKCE), Require PKCE as additional verification is enabled. Afterward, click Save.
The client secret will be created.Copy the Client ID and the Secret (client secret).
...
Log in to your PingIdentity account, go to Applications, and click the add symbol to create a new application.
Provide an Application Name, select Native as the Application Type, and click Save.
Select the Configuration tab and click the edit button.
Edit the configuration as described below and click Save.
Response Type: Select Code.
Grant Type: Select Authorization Code and set PKCE Enforcement to S256_REQUIRED.
Redirect URIs: Enter
http://localhost/callback
Token Endpoint Authentication Methods: Select Client Secret Post.
Select the Resources tab and click the edit button.
Ensure that the following resource scopes are activated and click Save.
email
openid
profile
Review the list of ALLOWED SCOPES.
Select the Configuration tab and copy the following data for later use:
Client ID
Client Secret
Expand the list of URLs and copy the Issuer URL for later use.
Activate your application.
Configuring IGEL OS for SSO with Ping Identity / PingOne
...
In your IdP console, edit the parameters as follows (the exact parameter names will probably deviate):
Parameter | Values |
---|---|
Response type | code |
Scopes | openid, profile, email |
Redirect URI | http://localhost/callback |
Code challenge method | S256 |
Response mode | fragment |
Client authentication | client_secret_post |
Configuring IGEL OS for SSO with Generic OpenID Connect
Go to Security > Logon > Single Sign-On and edit the settings as follows:
Enable Single Sign-On with Identity Provider.
Set Identity Provider to OpenID Connect.
Provide the Issuer URL for your user. This is the Issuer URL provided in the IdP console. Example for Keycloak: https://keycloak.yourcompany.com/realms/yourrealm
Provide the Client ID. This is the client ID that was created in the IdP console.
Provide the Client secret.
Click Save or Save and close.
The desktop of the device is terminated. The login screen is displayed.
You can now use the apps and utilities for IGEL OS 12 that support SSO with OpenID Connect (generic).
For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/HTSWICP/pages/83886925 and /wiki/spaces/HTSWICP/pages/83886925IGEL UMS 12: Basic Configuration and Assignment of Apps and Profiles.
For supported multi-factor authentication methods, check the documentation of your IdP.
...