Authentication dialog box
Right-click a dataset and click Properties, then click the Options tab to see this dialog box.
- Enable Integrated Windows Authentication (Active Directory) - Enables client authentication using Active Directory. Clients will authenticate using their Windows logon credentials. Passwords are not required. Requires both client and server to be on the same domain.
- Enable Explicit Windows Authentication - Enables client authentication using an explicit username/password combination. The client does not need to be on the same domain as the server.
- Enable OpenID Connect authentication - Select this option to enable client authentication using OpenID Connect. OpenID Connect is an authentication and identity protocol based on OAuth 2.0, and provides interoperability with identity providers such as Active Directory Federation Services, Azure, Google Apps, and Okta.
  - OpenID Issuer URL - OpenID issuer URL provided by the identity provider. An example would be: https://<adfs_server_here>/adfs
  - Client ID - provided by the identity provider when registering Content Manager as an OAuth 2.0 client.
  - Set Client Secret - provided by the identity provider when registering Content Manager as an OAuth 2.0 client. For some identity providers, such as AD FS, this may be left unspecified.
  - Client Scope - configured in the identity provider for the Content Manager OAuth 2.0 client. Specifies the desired scope of the authentication. An example would be "openid email". See Examples of OpenID authentication configurations for additional examples.
  - Identity Claim - The identity token Content Manager receives from an authentication provider contains a number of claims specific to the user that is logging on. The claims present in the token depend on how the authentication provider is configured and on which scopes Content Manager has requested (see Client App Scope). The Identity Claim field allows the administrator to specify which claim in the token should be used to identify the Content Manager user that is logging on. The default behavior is to look for an "email" claim.
  - Redirect URI - should always be "https://127.0.0.1".
    NOTE: The redirect URI for OpenID Connect authentication has changed from urn:ietf:wg:oauth:2.0:oob to https://127.0.0.1. When you register an app in Azure, AD FS, M365, Google, Okta, etc., make sure to include the Redirect URI as https://127.0.0.1. Otherwise, Content Manager users will not be able to log in using OpenID Connect.
  - Test Authentication - click to test that authentication succeeds.
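The Identity Claim setting above only makes sense once the ID token itself has been accepted: the token must be signed by the provider, issued by the configured OpenID Issuer URL, issued for the registered Client ID, and still valid. The Python below is an added illustration of that sequence and is not Content Manager's own code or the Content Manager SDK. All values (the issuer host adfs.example.test, the client ID, the signing key, the clock) are constructed placeholders, and the token is HS256-signed so the example runs offline with the standard library only; real providers sign ID tokens with RS256 keys published at the discovery document's jwks_uri, and a real deployment verifies against those keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: placeholders, not real credentials or a real tenant.
DEMO_KEY = b"constructed-demo-hmac-key"      # stands in for the provider's signing key
ISSUER = "https://adfs.example.test/adfs"    # same shape as https://<adfs_server>/adfs
CLIENT_ID = "cm-demo-client-id"              # the Client ID registered for Content Manager
NOW = 1_700_000_000                          # fixed clock so the example is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT for the demo only (providers use RS256 in practice)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def resolve_identity(id_token, key, issuer, client_id, identity_claim="email", now=None):
    """Verify the ID token, then return the value of the configured identity claim.
    Raises ValueError with the reason whenever the token must not be trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":              # never accept "none" or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer does not match the configured OpenID Issuer URL")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was not issued for this Client ID")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    value = claims.get(identity_claim)
    if not value:
        raise ValueError(f"identity claim {identity_claim!r} is missing; check the requested scopes")
    return value


def demo_token(**overrides) -> str:
    """Constructed ID token; pass claim=None to drop a claim, claim=value to replace it."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "demo-user-guid",
              "email": "jane.doe@example.test", "upn": "jane.doe@corp.example.test",
              "iat": NOW, "exp": NOW + 3600}
    for name, value in overrides.items():
        if value is None:
            claims.pop(name, None)
        else:
            claims[name] = value
    return make_id_token(claims, DEMO_KEY)


def try_resolve(id_token, identity_claim="email", issuer=ISSUER, client_id=CLIENT_ID):
    """Return ('ok', identity) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", resolve_identity(id_token, DEMO_KEY, issuer, client_id, identity_claim, now=NOW))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(try_resolve(demo_token()))                        # default: the "email" claim
    print(try_resolve(demo_token(), identity_claim="upn"))  # administrator chose "upn" instead
    print(try_resolve(demo_token(email=None)))              # token minted without the email scope
```

The last call shows the failure mode the Identity Claim description warns about: when the requested Client Scope does not produce the claim the field names (here, "email"), a valid token still cannot be mapped to a Content Manager user, so the scope and the claim have to be configured together.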
OpenID Connect Confidential Clients
OpenID Connect confidential clients provide a mechanism for non-interactive server-side processes to authenticate themselves. Confidential client authentication is exposed in Content Manager through the Content Manager SDK. For more information, see the documentation for the TRIM.SDK.Database.SetAuthenticationCredentials() method at https://content-manager-sdk.github.io/Community/
- Add - add a new confidential client. A Client ID and Scope value must be entered, as configured on the identity provider.
- Remove - remove a confidential client.
- Test - test a confidential client. A Client Secret value must be entered, and authentication of the confidential client is then attempted.
Examples of OpenID authentication configurations
The following examples are advisory and provided as a starting point only. Please consult your authentication provider's documentation for more up-to-date information.
AD FS
- OpenID Issuer URL: https://<adfs_server>/adfs
- Client App Scope: openid email
Azure AD
- OpenID Issuer URL: https://login.microsoftonline.com/<instance_guid>/v2.0/.well-known/openid-configuration
- Client App Scope: openid email offline_access
Google
- OpenID Issuer URL: https://accounts.google.com
- Client App Scope: openid email
Okta
- OpenID Issuer URL: https://<okta_server>.okta.com/oauth2/default
- Client App Scope: openid email offline_access
OneDrive
- OpenID Issuer URL: https://login.microsoftonline.com/<instance_guid>/v2.0/.well-known/openid-configuration
- Client App Scope: openid email offline_access
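The examples show two different shapes of OpenID Issuer URL: a bare issuer (AD FS, Google, Okta) and, for Azure AD and OneDrive, the full URL of the discovery document. Either way, the provider's discovery document is what tells a client where the endpoints and signing keys are and which scopes it supports, so a useful pre-flight before pressing Test Authentication is to compare the dialog's settings against that document. The Python below is an added example of that comparison, not Content Manager's own code or its "Test Authentication" logic. The discovery documents are constructed stand-ins trimmed to the fields the check uses (real ones carry many more), and the tenant GUID and AD FS hostname are placeholders.

```python
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def normalize_issuer(issuer_url: str) -> str:
    """Accept either form used in the examples: a bare issuer or the full discovery URL.
    Returns the bare issuer without a trailing slash, which is how the provider states it
    in the "issuer" field of its discovery document."""
    url = issuer_url.strip()
    if url.endswith(DISCOVERY_SUFFIX):
        url = url[: -len(DISCOVERY_SUFFIX)]
    return url.rstrip("/")


def discovery_url(issuer_url: str) -> str:
    """Where a client fetches the provider's metadata for the given OpenID Issuer URL."""
    return normalize_issuer(issuer_url) + DISCOVERY_SUFFIX


def check_configuration(issuer_url: str, client_scope: str, discovery_doc: dict) -> list:
    """Compare the dialog settings with the provider's discovery document.
    Returns a list of problems; an empty list means the settings are consistent."""
    problems = []
    issuer = normalize_issuer(issuer_url)
    if not issuer.startswith("https://"):
        problems.append("OpenID Issuer URL must use https")
    doc_issuer = str(discovery_doc.get("issuer", "")).rstrip("/")
    if doc_issuer != issuer:
        # Tokens carry "iss" exactly as the document states it; a mismatch means every
        # token would fail the issuer check even though the provider is reachable.
        problems.append(f"discovery document issuer {doc_issuer!r} does not match {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery_doc:
            problems.append(f"discovery document lacks {key}")
    scopes = client_scope.split()
    if "openid" not in scopes:
        problems.append("Client App Scope must include 'openid', or no ID token is issued")
    if "email" not in scopes:
        problems.append("no 'email' scope: the default Identity Claim ('email') will be absent")
    supported = set(discovery_doc.get("scopes_supported", []))
    for scope in scopes:
        if supported and scope not in supported:
            problems.append(f"scope {scope!r} is not advertised by this provider")
    if "code" not in discovery_doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code response type")
    return problems


# Constructed discovery documents (placeholders, trimmed to the fields checked above).
ADFS_ISSUER_SETTING = "https://adfs.example.test/adfs"
ADFS_DISCOVERY = {
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
    "scopes_supported": ["openid", "email", "profile", "allatclaims"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder for <instance_guid>
AZURE_ISSUER_SETTING = f"https://login.microsoftonline.com/{TENANT}/v2.0{DISCOVERY_SUFFIX}"
AZURE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
}

if __name__ == "__main__":
    print(discovery_url("https://accounts.google.com"))
    print(check_configuration(ADFS_ISSUER_SETTING, "openid email", ADFS_DISCOVERY))
    print(check_configuration(AZURE_ISSUER_SETTING, "openid email offline_access", AZURE_DISCOVERY))
    # offline_access is in the Azure example but not advertised by this AD FS stand-in:
    print(check_configuration(ADFS_ISSUER_SETTING, "openid email offline_access", ADFS_DISCOVERY))
```

The "email" scope entry is reported as a problem rather than silently accepted because of the Identity Claim default described earlier: a configuration that authenticates successfully but never yields the claim Content Manager looks up is the hardest case to diagnose from the client side.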