Page Comparison

...

Generally, IGEL OS 12 supports OpenID Connect authentication. For IdPs that adhere closely to this standard, there is a good chance that they can be used with IGEL OS 12.

Apps and Utilities for IGEL OS 12 That Support SSO with Microsoft Entra ID

Anchor
AppsandUtilitiesforIGELOS12thatSupportSSOwithAzureAD AppsandUtilitiesforIGELOS12thatSupportSSOwithAzureAD

...

1. In your Entra AD Portal, go to App registrations > New registration.

2. Edit the data as follows and then click Register:
   

   • Add a proper name for the application. Note that this name will be visible to the user once during the consent process for granting permissions. In our example, "IGEL OS Single sign-on" is used as the name.

   • Select the option Accounts in this organizational directory only ([name of your organization's AD Portal] only - Single tenant).

   • Under Redirect URI (optional), select the option Public client/native (mobile & desktop) and enter "http://localhost/callback" as the URI.

...

2. • Image Added

3. Check if the User.Read permission is granted.
   

...

3. Image Added

4. Click Add a permission.
   

...

4. Image Added

5. Select Microsoft Graph.
   

...

5. Image Added

6. Select Delegated permissions.
   

...

6. Image Added

7. Enable the following permissions and then click Add permissions: 

   • email

   • openid

   • profile
     

...

7. • Image Added

8. Check if the permissions are correct.
   

...

8. Image Added

9. Go to Certificates & secrets and click New client secret.
   

...

9. Image Added

10. Enter a Description, define when the secret Expires, and then click Add.

...

10. Image Added

11. Copy the Value of the client secret.
    

...

11. Image Added

12. Go to Overview and copy the Application (client) ID and the Directory (tenant) ID. In the IGEL OS configuration, these values will be used as the Public client identifier (client/application ID) and the Azure ID Tenant Name/ID.
    

...

12. Image Added

Configuring IGEL OS for SSO with Entra ID

1. Go to Security > Logon > Single Sign-On and edit the settings as follows:

   IGELOS12BSDOCP:_SSO AutologinIGELOS12BSDOCP:_SSO Autologin

   • Enable Single Sign-On with Identity Provider.

   • Set Identity Provider to Azure ID.

   • Enter the Azure AD Tenant Name/ID. This is the value you have obtained as Directory (tenant) ID in Azure AD Portal.

   • Set the appropriate Application (client) ID. You have obtained this value as Application (client) ID in your Azure AD Portal.

   • Enter the Client secret.

     Image Removed
   Include Page

   • Image Added

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the device is terminated. The login screen is displayed.
   You can now use the apps and utilities for IGEL OS 12 that support SSO with Entra

...

3. ID.
   For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/

...

3. HTSWIP/pages/

...

3. 126847255.
   All methods of multi-factor authentication are available except the hardware token.
   

Configuring SSO with Okta

...

1. Log in to Okta with your admin account, and from the Applications menu, select Applications > Create App Integration.
   Image Removed

   Image Added

2. Edit the settings as follows and then click Next. 

   • Set Sign-in method to OIDC - OpenID Connect.

   • Set Application type to Native Application

...

...

2. • Image Added

3. Edit the settings as follows and then click Save.

   • Under App integration name, enter a name for your application, e.g. "IGEL OS Single sign-on".

   • Make sure that as the Grant type, the option Authorization Code is selected.

   • Under Sign-in redirect URIs, enter "http://localhost/callback".

...

3. • Image Added

     
     
     The app integration is created.

4. Select the General tab and then click Edit.

...

4. Image Added

5. Under Client authentication, select Client secret and make sure that under Proof Key for Code Exchange (PKCE), Require PKCE as additional verification is enabled. Afterward, click Save.
   

...

5. Image Added

   
   The client secret will be created.

6. Copy the Client ID and the Secret (client secret).

...

6. Image Added

Configuring IGEL OS for SSO with Okta

1. Go to Security > Logon > Single Sign-On and edit the settings as follows:

   IGELOS12BSDOCP:_SSO AutologinIGELOS12BSDOCP:_SSO Autologin

   • Enable Single Sign-On with Identity Provider.

   • Set Identity Provider to Okta.

   • Provide the Okta URL for your user. This is the Okta organization URL. Example: "https://mycompany.okta.com/"

   • Provide the Client ID. This is the client ID that was created in Okta.

   • Provide the Client secret.
     

     Image Removed
   Include Page

   • 
     

     Image Added

     
     

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the device is terminated after the profile is applied. The login screen is displayed.
   You can now use the apps and utilities for IGEL OS 12 that support SSO with Okta.
   If you want to use multi-factor authentication, you can configure this in the Okta console. The available methods are Google Authenticator, E-Mail, and Okta Verify.

Setting up SSO with Ping Identity / PingOne

...

1. Log in to your PingIdentity account, go to Applications, and click the add symbol to create a new application.

   Image RemovedImage Added

2. Provide an Application Name, select Native as the Application Type, and click Save.

...

2. Image Added

3. Select the Configuration tab and click the edit button.

...

3. Image Added

4. Edit the configuration as described below and click Save.

   • Response Type: Select Code.

   • Grant Type: Select Authorization Code and set PKCE Enforcement to S256_REQUIRED.

   • Redirect URIs: Enter http://localhost/callback

   • Token Endpoint Authentication Methods: Select Client Secret Post.
     

...

4. • Image Added

5. Select the Resources tab and click the edit button.
   

...

5. Image Added

6. Ensure that the following resource scopes are activated and click Save.

   • email

   • openid

   • profile
     

...

6. • Image Added

7. Review the list of ALLOWED SCOPES.
   

...

7. Image Added

8. Select the Configuration tab and copy the following data for later use:

   • Client ID

   • Client Secret

...

7. • Image Added

9. Expand the list of URLs and copy the Issuer URL for later use.

...

9. Image Added

10. Activate your application.

...

9. Image Added

Configuring IGEL OS for SSO with Ping Identity / PingOne

1. Go to Security > Logon > Single Sign-On and edit the settings as follows:

   IGELOS12BSDOCP:_SSO AutologinIGELOS12BSDOCP:_SSO Autologin

   • Enable Single Sign-On with Identity Provider.

   • Set Identity Provider to Ping Identity | PingOne.

   • Provide the PingOne issuer URL for your user. This is the Issuer URL provided in the Ping Identity configuration portal. Example: https://auth.pingone.eu/0815abc-xyz123456/as

   • Provide the Client ID. This is the client ID that was created in Ping Identity.

   • Provide the Client secret.
     

     Image Removed
   Include Page

   • 
     

     Image Added

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the device is terminated after the profile is applied. The login screen is displayed.
   You can now use the apps and utilities for IGEL OS 12 that support SSO with Ping Identity / PingOne.
   If you want to use multi-factor authentication, you can configure this in the Ping Identity console.

Setting up SSO with VMware Workspace ONE Access

...

1. In the VMware Workspace ONE Access console, go to Settings > OAuth 2.0 Management and click Add client.Image Removed

   Image Added

2. Set up the client as follows and finally click Save.

   • Access type: Select User Access Token.

   • Client type: Select Confidential.

   • Client ID: Enter a client ID that suits your needs; respect the allowed characters. Example: IGEL_OS_SSO

   • Grant type: Enable Authorization Code Grant. 

   • Redirect URI: Enter http://localhost/callback

   • User grant: Disable Prompt users for scope acceptance.

   • Scope: Edit the settings as follows:

     • Email: Enabled

     • Profile: Enabled

     • User: Disabled

     • NAPPS: Disabled

     • OpenID: Enabled

     • Group: Disabled

     • Admin: Disabled

   • PKCE support: This option is enabled because Authorization Code Grant is selected as the Grant type.

   • Issue refresh token: Enable or disable this option according to your needs.

   • Access token TTL: Adjust the time to live for the authorization token according to your needs.

   • Idle token TTL: Adjust the time to live for the idle token according to your needs.
     

...

2. • Image Added

3. Review the settings and copy the following data for later use:

   • Client ID

   • Shared Secret
     

...

3. • Image Added

Configuring IGEL OS for SSO with VMware Workspace ONE Access

1. Go to Security > Logon > Single Sign-On and edit the settings as follows:

   IGELOS12BSDOCP:_SSO AutologinIGELOS12BSDOCP:_SSO Autologin

   • Enable Single Sign-On with Identity Provider.

   • Set Identity Provider to VMware Workspace ONE Access.

   • Provide the Workspace ONE Access issuer URL for your user. Pattern: https://<YOUR WORKSPACE ONE ACCESS URL>/SAAS/auth

   • Provide the Client ID. This is the client ID that was created in VMware Workspace ONE Access.

   • Provide the Client secret.
     

     Image Removed
   Include Page

   • 
     

     Image Added

     
     

2. If you want to use an automatic desktop login with predefined credentials that are stored securely on your endpoint device:

   • Enable Automatically perform login.

   • Under Username for autologin, enter a user's name known to your IdP.

   • Under Password for autologin, enter the enter the corresponding password.

3. Click Save or Save and close.
   The desktop of the device is terminated after the profile is applied. The login screen is displayed.
   You can now use the apps and utilities for IGEL OS 12 that Support SSO with VMware Workspace ONE Access.
   If you want to use multi-factor authentication, you can configure this in the VMware Workspace ONE Access portal.

Configuring SSO with Other IdPs That Use OpenID Connect

...

In your IdP console, edit the parameters as follows (the exact parameter names will probably deviate):

Configuring IGEL OS for SSO with Generic OpenID Connect

1. Go to Security > Logon > Single Sign-On and edit the settings as follows:

   • Enable Single Sign-On with Identity Provider.

   • Set Identity Provider to OpenID Connect.

   • Provide the Issuer URL for your user. This is the Issuer URL provided in the IdP console. Example for Keycloak: https://keycloak.yourcompany.com/realms/yourrealm

   • Provide the Client ID. This is the client ID that was created in the IdP console.

   • Provide the Client secret.
     

     Image RemovedImage Added

2. Click Save or Save and close.
   The desktop of the device is terminated. The login screen is displayed.
   You can now use the apps and utilities for IGEL OS 12 that support SSO with OpenID Connect (generic).
   For details on importing apps from the IGEL App Portal and installing them on IGEL OS devices, see /wiki/spaces/HTSWICPHTSWIP/pages/83886925 and /wiki/spaces/HTSWICP/pages/83886925126847255 .
   For supported multi-factor authentication methods, check the documentation of your IdP.

...

1. Open the profile configurator and go to Security > Logon > Local user.

2. Activate Login with local user password and enter a password.
   

...

2. Image Added