Page Comparison

With IGEL OS 12, you can use Single Sign-On (SSO) via a cloud-based identity provider (IdP) to access the local device and apps. 

The following identity providers are supported:

• Okta

• Microsoft Entra ID (formerly known as Microsoft Azure AD)

• Ping Identity | PingOne

• VMware Workspace ONE Access

Generally, IGEL OS 12 supports OpenID Connect authentication. For IdPs that adhere closely to this standard, there is a good chance that they can be used with IGEL OS 12.

Apps and Utilities for IGEL OS 12 That Support SSO with Microsoft Entra ID

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithAzureAD AppsandUtilitiesforIGELOS12thatSupportSSOwithAzureAD

• IGEL Azure Virtual Desktop Client (AVD)

• Zoom client (SSO via Chromium)

• Web apps, e. g. Office 365 (SSO via Chromium) 

• Device login

• Screenlock

Apps and Utilities for IGEL OS 12 That Support SSO with Okta

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithOkta AppsandUtilitiesforIGELOS12thatSupportSSOwithOkta

• Web apps, e. g. Okta portal (SSO via Chromium) 

• Device login

• Screenlock

Apps and Utilities for IGEL OS 12 That Support SSO with Ping Identity / PingOne

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithPingIdentity AppsandUtilitiesforIGELOS12thatSupportSSOwithPingIdentity

• Web apps (SSO via Chromium) 

• Device login

• Screenlock

Apps and Utilities for IGEL OS 12 That Support SSO with VMware Workspace ONE Access

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithVMwareWorkspaceONEAccess AppsandUtilitiesforIGELOS12thatSupportSSOwithVMwareWorkspaceONEAccess

• VMware Horizon (if Chromium is used for authentication)

• Web apps (SSO via Chromium) 

• Device login

• Screenlock

Apps and Utilities for IGEL OS 12 That Support SSO with Other IdPs

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithGenericOpenID AppsandUtilitiesforIGELOS12thatSupportSSOwithGenericOpenID

• Web apps (SSO via Chromium) 

• Device login

• Screenlock

Setting up SSO with Microsoft Entra ID

To enable SSO with Entra ID on IGEL OS 12 devices, an Entra application must be registered first. Then, you can configure IGEL OS 12 to use this application for authentication; the Entra application is referenced via its Public Client Identifier.

Registering an Entra Application

1. In your Entra AD Portal, go

...

1. to App registrations > New registration.

2. Edit the data as follows and then

...

2. click Register:
   

   • Add a proper name for the application. Note that this name will be visible to the user once during the consent process for granting permissions.

...

2. •  In our example, "IGEL OS Single sign-on" is used as the name.

   • Select the

...

2. • option Accounts in this organizational directory only ([name of your organization's AD Portal] only - Single tenant).

...

2. • Under Redirect URI (optional), select the

...

2. • option Public client/

...

2. • native (mobile & desktop)

...

2. •  and enter "http://localhost/

...

2. • callback" as

...

2. • the URI.

...

2. • Image Added

3. Check if

...

3. the User.Read

...

3.  permission is granted.
   

...

3. Image Added

...

4. Click Add a permission.
   

...

4. Image Added

...

5. Select Microsoft Graph.
   

...

5. Image Added

...

6. Select Delegated permissions.
   

...

6. Image Added

7. Enable the following permissions and then

...

7. click Add permissions: 

   • email

   • openid

   • profile
     

...

7. • Image Added

8. Check if the permissions are correct.
   

...

8. Image Added

9. Go

...

9. to Certificates & secrets

...

9.  and click New client secret.
   

...

9. Image Added

10. Enter

...

10. a Description, define when the

...

10. secret Expires, and then

...

10. click Add.

...

10. Image Added

11. Copy

...

11. the Value

...

11.  of the client secret.
    

...

11. Image Added

12. Go to Overview and copy the Application (client)

...

12. ID and

...

12. the Directory (tenant) ID. In the IGEL OS configuration, these values will be used as

...

12. the Public client identifier (client/application ID)

...

12.  and the Azure ID Tenant Name/ID.
    

...

12. Image Added

Configuring IGEL OS for SSO with Entra ID

1. Go

...

1. to Security > Logon > Single Sign-On

...

1.  and edit the settings as follows:

...

1. • Enable Single Sign-On with Identity Provider.

...

1. • Set Identity Provider

...

1. •  to Azure ID.

   • Enter

...

1. • the Azure AD Tenant Name/ID. This is the value you have obtained as Directory (tenant) ID

...

1. •  in Azure AD Portal.

   • Set the

...

1. • appropriate Application (client) ID. You have obtained this value

...

1. • as Application (client) ID

...

1. •  in your Azure AD Portal.

   • Enter

...

1. • the Client secret.

...

1. • Image Added

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the device is terminated. The login screen is displayed.
   You can now use

...

3. the apps and utilities for IGEL OS 12 that support SSO with Entra

...

3. ID.
   For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/

...

3. HTSWIP/pages/

...

3. 126847255.
   All methods of multi-factor authentication are available except the hardware token.
   

Configuring SSO with Okta

Registering an Application in Okta

1. Log in to Okta with your admin account, and from

...

1. the Applications

...

1.  menu,

...

1. select Applications > Create App Integration.
   

...

1. Image Added

2. Edit the settings as follows and then

...

2. click Next. 

...

2. • Set Sign-in method

...

2. •  to OIDC - OpenID Connect.

...

2. • Set Application type

...

2. •  to Native Application

...

...

2. • Image Added

3. Edit the settings as follows and then

...

3. click Save.

...

3. • Under App integration name, enter a name for your application, e.g. "IGEL OS Single sign-on".

   • Make sure that as

...

3. • the Grant type, the

...

3. • option Authorization Code is selected.

...

3. • Under Sign-in redirect URIs, enter "

...

3. • http://localhost/callback".

...

3. • Image Added

     
     
     The app integration is created.

4. Select

...

4. the General

...

4.  tab and then

...

4. click Edit.

...

4. Image Added

...

5. Under Client authentication,

...

5. select Client secret

...

5.  and make sure that

...

5. under Proof Key for Code Exchange (PKCE), Require PKCE as additional verification

...

5.  is enabled. Afterward,

...

5. click Save.
   

...

5. Image Added

   
   The client secret will be created.

6. Copy

...

6. the Client ID

...

6.  and the Secret (client secret).

...

6. Image Added

Configuring IGEL OS for SSO with Okta

1. Go

...

1. to Security > Logon > Single Sign-On

...

1.  and edit the settings as follows:

...

1. • Enable Single Sign-On with Identity Provider.

...

1. • Set Identity Provider

...

1. •  to Okta.

   • Provide

...

1. • the Okta URL

...

1. •  for your user. This is the Okta organization URL. Example: "https://mycompany.okta.com/"

   • Provide

...

1. • the Client ID. This is the client ID that was created in Okta.

   • Provide

...

1. • the Client secret.

...

1. • 
     

     Image Added

     
     

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the

...

3. device is terminated after the profile is applied.

...

3.  The login screen is displayed.
   You can now use

...

3. the apps and utilities for IGEL OS 12 that support SSO with Okta.
   If you want to

...

3. use multi-factor authentication, you can configure this in the Okta console. The available methods are Google Authenticator, E-Mail, and Okta Verify.

Setting up SSO with Ping Identity / PingOne

Setting up Your Application

1. Log in to your PingIdentity account, go

...

1. to Applications, and click the add symbol to create a new application.

...

1. Image Added

2. Provide

...

2. an Application Name,

...

2. select Native as the Application Type, and

...

2. click Save.

...

2. Image Added

3. Select

...

3. the Configuration

...

3.  tab and click the edit button.

...

3. Image Added

4. Edit the configuration as described below and

...

4. click Save.

   • Response Type:

...

4. • Select Code.

   • Grant Type:

...

4. • Select Authorization Code

...

4. •  and set PKCE Enforcement

...

4. •  to S256_REQUIRED.

   • Redirect URIs:

...

4. • Enter http://localhost/callback

   • Token Endpoint Authentication Methods:

...

4. • Select Client Secret Post.
     

...

4. • Image Added

5. Select

...

5. the Resources

...

5.  tab and click the edit button.
   

...

5. Image Added

6. Ensure that the following resource scopes are activated and

...

6. click Save.

   • email

   • openid

   • profile
     

...

6. • Image Added

7. Review the list

...

7. of ALLOWED SCOPES.
   

...

7. Image Added

8. Select the Configuration tab and copy the following data for later use:

   • Client ID

   • Client Secret

...

7. • Image Added

9. Expand the list

...

9. of URLs

...

9.  and copy

...

9. the Issuer

...

9.  URL for later use.

...

9. Image Added

10. Activate your application.

...

9. Image Added

Configuring IGEL OS for SSO with Ping Identity / PingOne

1. Go

...

1. to Security > Logon > Single Sign-On

...

1.  and edit the settings as follows:

...

1. • Enable Single Sign-On with Identity Provider.

...

1. • Set Identity Provider

...

1. •  to Ping Identity | PingOne.

   • Provide

...

1. • the PingOne issuer URL

...

1. •  for your user. This is

...

1. • the Issuer

...

1. •  URL provided in the Ping Identity configuration portal. Example: https://auth.pingone.eu/0815abc-xyz123456/as

   • Provide

...

1. • the Client ID. This is the client ID that was created in Ping Identity.

   • Provide

...

1. • the Client secret.

...

1. • 
     

     Image Added

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the

...

3. device is terminated after the profile is applied.

...

3.  The login screen is displayed.
   You can now use

...

3. the apps and utilities for IGEL OS 12 that support SSO with Ping Identity / PingOne.
   If you want to

...

3. use multi-factor authentication, you can configure this in the Ping Identity console.

Setting up SSO with VMware Workspace ONE Access

Registering an Application in VMware Workspace ONE Access

1. In the VMware Workspace ONE Access console, go

...

1. to Settings > OAuth 2.0 Management

...

1.  and click Add client.

...

1. Image Added

2. Set up the client as follows and finally

...

2. click Save.

   • Access type:

...

2. • Select User Access Token.

   • Client type:

...

2. • Select Confidential.

   • Client ID: Enter a client ID that suits your needs; respect the allowed characters. Example: IGEL_OS_SSO

   • Grant type:

...

2. • Enable Authorization Code Grant. 

   • Redirect URI:

...

2. • Enter http://localhost/callback

   • User grant:

...

2. • Disable Prompt users for scope acceptance.

   • Scope: Edit the settings as follows:

     • Email: Enabled

     • Profile: Enabled

     • User: Disabled

     • NAPPS: Disabled

     • OpenID: Enabled

     • Group: Disabled

     • Admin: Disabled

   • PKCE support: This option is enabled

...

2. • because Authorization Code Grant

...

2. •  is selected as

...

2. • the Grant type.

   • Issue refresh token: Enable or disable this option according to your needs.

   • Access token TTL: Adjust the time to live for the authorization token according to your needs.

   • Idle token TTL: Adjust the time to live for the idle token according to your needs.
     

...

2. • Image Added

3. Review the settings and copy the following data for later use:

   • Client ID

   • Shared Secret
     

...

3. • Image Added

Configuring IGEL OS for SSO with VMware Workspace ONE Access

1. Go

...

1. to Security > Logon > Single Sign-On

...

1.  and edit the settings as follows:

...

1. • Enable Single Sign-On with Identity Provider.

...

1. • Set Identity Provider

...

1. •  to VMware Workspace ONE Access.

   • Provide

...

1. • the Workspace ONE Access issuer URL

...

1. •  for your user. Pattern: https://<YOUR WORKSPACE ONE ACCESS URL>/SAAS/auth

   • Provide

...

1. • the Client ID. This is the client ID that was created in VMware Workspace ONE Access.

   • Provide

...

1. • the Client secret.
     

     Image Modified

...

1. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the

...

3. device is terminated after the profile is applied.

...

3.  The login screen is displayed.
   You can now use

...

3. the apps and utilities for IGEL OS 12 that Support SSO with VMware Workspace ONE Access.
   If you want to

...

3. use multi-factor authentication, you can configure this in the VMware Workspace ONE Access portal.

Configuring SSO with Other IdPs That Use OpenID Connect

For setting up your application or client, the exact procedure depends on the exact OpenID Connect solution you are using. Therefore, the settings in the IdP console can only be described generically.

Setting up Your Application / Client

In your IdP console, edit the parameters as follows (the exact parameter names will probably deviate):

Configuring IGEL OS for SSO with Generic OpenID Connect

1. Go

...

1. to Security > Logon > Single Sign-On

...

1.  and edit the settings as follows:

...

1. • Enable Single Sign-On with Identity Provider.

...

1. • Set Identity Provider

...

1. •  to OpenID Connect.

   • Provide

...

1. • the Issuer URL

...

1. •  for your user. This is

...

1. • the Issuer

...

1. •  URL provided in the IdP console. Example for Keycloak: https://keycloak.yourcompany.com/realms/yourrealm

   • Provide

...

1. • the Client ID. This is the client ID that was created

...

1. • in the IdP console.

   • Provide

...

1. • the Client secret.
     

...

1. • Image Added

...

1. Click Save or Save and close.
   The desktop of the device is terminated. The login screen is displayed.
   You can now use

...

1. the apps and utilities for IGEL OS 12 that support SSO with OpenID Connect (generic).
   For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/

...

1. HTSWIP/pages/

...

1. 126847255 .
   For supported multi-factor authentication methods, check the documentation of your IdP.

Enabling Local Login (Optional)

To have a fallback option if something goes wrong with SSO, e.g. a network failure, it is recommended to configure local login in addition. 

1. Open the profile configurator and go

...

1. to Security > Logon > Local user.

...

2. Activate Login with local user password

...

2.  and enter a password.
   

...

2. Image Added