The Axinom Mosaic platform includes the Identity Service that allows the editors to log in and do their job. Learn how to configure the identity providers in the Management System.

Configure Identity Providers

The Management System uses the Mosaic Identity Service to enable editors to log in and perform their editorial work. The Identity Service supports a range of OAuth 2.0 Identity Providers. Each of them can be configured and enabled so they could be available as a login option in the Management System.

This configuration needs to be performed in the Mosaic Administration Portal by an Administrator of the respective Tenant.

Enabling Google IDP

Pre-Requisites

You first need to register a Google OAuth 2.0 client and obtain the credentials for it. You can do it directly in the Google Cloud Console. The steps are included in Google documentation.

It’s important to configure the correct Authorized Redirect URIs as they need to be whitelisted to receive the Authorization Code from the Identity Provider. See below for the Redirect URIs that must be allowed for the Identity Service to function correctly.

Configuration

To configure Google IDP, follow the steps below:

  1. Log in to the Mosaic Administration Portal.

  2. Locate the environment you would like to configure.

  3. Navigate to the Google IDP configuration station within the Identity Service Configuration.

  4. Paste the Client ID and Client Secret values of the Google OAuth 2.0 client created previously and change the IDP Status to Enabled. You can use the status field in the future to temporarily disable the IDP without losing the already saved information.

  5. Once this is saved, refresh the Management System to start using the newly configured Identity Provider.

configure google idp

Enabling AzureAD IDP

Pre-Requisites

You first need to register a Microsoft AzureAD Application and obtain the credentials for it. You can do it directly in the Azure Portal. The steps you then need to take are included in Microsoft Azure documentation.

It’s important to configure the correct Redirect URIs as they need to be whitelisted to receive the Authorization Code from the Identity Provider. When choosing the platform to configure the Redirect URIs, the Web platform must be chosen on Azure. See below for the Redirect URIs that must be allowed for the Identity Service to function correctly.

It is also possible to control which users and groups are allowed to log in using the AzureAD Identity Provider. You should configure this in the Azure Portal. The steps are included in Microsoft Azure documentation.

Configuration

To configure AzureAD IDP:

  1. Log in to the Mosaic Administration Portal.

  2. Locate the environment you would like to configure.

  3. Navigate to the AzureAD IDP configuration station within the Identity Service Configuration.

  4. Paste the Client ID and Client Secret values of the Azure Application created previously.

  5. The value for the Azure Tenant can be set depending on the mode of authentication you desire as listed in the table below (the table is extracted from Microsoft documentation).

    Azure Tenant Description

    common

    Users with both a personal Microsoft account and a work or school account from Azure AD can sign in to the application.

    organizations

    Only users with work or school accounts from Azure AD can sign in to the application.

    consumers

    Only users with a personal Microsoft account can sign in to the application.

    8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com

    Only users from a specific Azure AD tenant (whether they are members in the directory with a work or school account, or they are guests in the directory with a personal Microsoft account) can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant’s GUID identifier can be used. You can also use the consumer tenant, 9188040d-6c67-4c5b-b112-36a304b66dad, in place of the consumers tenant.

  6. Finally, change the IDP Status to Enabled. You can use the status field in the future to temporarily disable the IDP without losing the already saved information.

  7. Once this is saved, refresh the Management System to start using the newly configured Identity Provider.

    configure azuread idp

Redirect URIs to be Allowed

The following redirect URIs must be whitelisted by the Identity Provider for the OAuth 2.0 Authorization Code flow to work correctly. Please consult the documentation of the respective Identity Provider to see how they can be configured.

See also: