
OpenID Connect

OpenID Connect (OIDC) is an open standard identity layer built on OAuth 2.0. With OIDC, MSS delegates authentication to a third-party identity provider (the OIDC provider) and identifies the authenticated user from a claim in the ID token the provider returns.

To use OpenID Connect, configure the OpenID Connect provider, and then configure OpenID Connect in MSS.

Support

OIDC is supported in

  • Reflection Desktop (configured for centralized management)
  • Host Access for the Cloud (HACloud)
  • MSS Administrative Console
  • the Assigned Sessions List, which can launch Reflection Desktop, HACloud, and Reflection for the Web

Configuring the OpenID Connect Provider

  1. Create a new application.

  2. Enter https://<Cluster DNS value>/osp/a/hc/auth/app/contractcontinue as the Callback URL. OIDC providers compare the redirect URI sent during login to the registered value as an exact string, so enter it precisely (same scheme, host name, and path, with no trailing slash).

  3. Select the openid, profile, and email scopes. openid is required for any OIDC login; email and profile are what cause the provider to return the email and preferred_username claims that MSS can use as the Source attribute.

  4. Save the application.
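The steps above register the callback URL and scopes on the provider side. The following added example (not part of this documentation or of the MSS product) shows the checks a practitioner can run against the provider's discovery document before configuring MSS: that the issuer equals the Provider URL that will be entered in MSS, that the three scopes and the authorization code flow are advertised, that all endpoints are HTTPS, and that the registered Callback URL matches what will be sent byte for byte, since providers reject a redirect URI that differs even by a trailing slash. The discovery document, hostnames, and URLs are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's /.well-known/openid-configuration
# response; the hostname and endpoints are not from any real provider.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "email", "preferred_username", "name"],
})

# Scopes selected on the provider application (step 3 above).
REQUIRED_SCOPES = {"openid", "profile", "email"}


def check_provider(discovery_json, provider_url):
    """Return a list of problems found in the discovery document relative to
    the Provider URL that will be entered in MSS; an empty list means the
    provider advertises everything the integration needs."""
    doc = json.loads(discovery_json)
    problems = []
    # The issuer must equal the Provider URL: every ID token's `iss` claim
    # carries this value, and a mismatch makes all tokens unacceptable.
    if doc.get("issuer", "").rstrip("/") != provider_url.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} vs {provider_url!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    # Every endpoint MSS will contact must be HTTPS; the certificate imported
    # under Trusted Certificates is what makes those connections verifiable.
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(ep, "")).scheme != "https":
            problems.append(f"{ep} missing or not https")
    return problems


def callback_mismatch(registered, sent):
    """Compare the Callback URL registered on the provider with the
    redirect_uri MSS will send. OIDC requires an exact string match, so this
    returns None only when they are identical, otherwise the likely cause."""
    if registered == sent:
        return None
    r, s = urlsplit(registered), urlsplit(sent)
    if r.scheme != s.scheme:
        return "scheme differs (http vs https)"
    if r.netloc != s.netloc:
        return "host differs (e.g. a node name instead of the cluster DNS value)"
    if r.path.rstrip("/") == s.path.rstrip("/"):
        return "trailing slash differs"
    return "path or query differs"


def main():
    provider_url = "https://idp.example.com"
    print("provider problems:", check_provider(DISCOVERY_DOC, provider_url))
    registered = "https://mss.example.com/osp/a/hc/auth/app/contractcontinue"
    print("callback check:", callback_mismatch(registered, registered + "/"))


if __name__ == "__main__":
    main()
```

In practice the discovery document is fetched from `<Provider URL>/.well-known/openid-configuration`; the comparison logic is the same, and a non-empty problem list is worth resolving before entering the Provider URL in MSS.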

Configuring OpenID Connect in MSS

  1. First, enable OAuth.

  2. Log into the MSS Administrative Console.

  3. Click Configure Settings - Trusted Certificates.

  4. Select Management and Security Server as the Certificate Store.

  5. Import the OIDC Provider certificate. MSS uses it to validate the TLS connection to the provider's endpoints when it redirects users to log in and when it exchanges the authorization code for tokens.

  6. Then, click Configure Settings - Authentication & Authorization.

  7. Select OpenID Connect as the Authentication Method.

  8. If you prefer to use LDAP for the Authorization method instead of allowing all authenticated users to access all published sessions, see Using LDAP as the Authorization method.

  9. Enter the Provider URL.

  10. Enter the Client ID issued for the application you created on the provider.

  11. Enter the Client Secret issued for that application. Treat it as a credential: anyone holding it can impersonate MSS to the provider.

  12. The default Source attribute is email. Set it to preferred_username to identify users by username instead of email address. Whichever you choose must be a claim the provider actually returns in the ID token, which is why the email and profile scopes were selected on the provider application.


Using LDAP as the Authorization method

  1. Under Authorization method, click Use LDAP to restrict access to sessions.

  2. Add an LDAP server configuration. For descriptions of each setting, see LDAP Configuration.

    • Server Type:
    • Server name:
    • Server port:
    • Username:
    • Password:
    • Directory search base:
  3. Enter a Target attribute: the LDAP attribute whose value matches the Source attribute claim (step 12 above). A user is authorized only when the claim value from the ID token is found in this attribute under the directory search base.
    For instance, if email is the Source attribute, the Target attribute must be the LDAP attribute that holds the email address (Example: email, or mail in a standard inetOrgPerson schema). If preferred_username is the Source attribute, the Target attribute must be the one that holds the username (Example: uid).

  4. Click Apply, and wait for the auth service to restart.

  5. Return to step 9 of Configuring OpenID Connect in MSS and complete the remaining settings.
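The Source attribute (step 12 of the MSS configuration) and the Target attribute (step 3 above) form one mapping: a claim from the ID token is looked up in an LDAP attribute, and the user is authorized only if that lookup succeeds. The following added example, which is not part of this documentation or of the MSS product, shows that mapping with a constructed set of ID token claims and a constructed stand-in for the LDAP directory. It also handles the failure modes a practitioner would expect: a claim missing from the token, a mismatched Source/Target pair, and an ambiguous match. The unverified-email check is an added caveat based on the standard OIDC email_verified claim, not a setting described on this page.

```python
# Constructed ID token claims as MSS would see them after the token has been
# verified (signature and issuer checks are outside this example).
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "4f1c2d9e",
    "email": "Jane.Doe@example.com",
    "email_verified": True,
    "preferred_username": "jdoe",
}

# Constructed stand-in for the entries under the LDAP directory search base.
LDAP_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
     "uid": "jdoe", "mail": "jane.doe@example.com"},
    {"dn": "uid=asmith,ou=people,dc=example,dc=com",
     "uid": "asmith", "mail": "a.smith@example.com"},
]


class AuthorizationError(Exception):
    """Raised when the OIDC identity cannot be mapped to exactly one LDAP entry."""


def resolve_user(claims, source_attr, target_attr, entries):
    """Map the MSS Source attribute (an ID token claim, email or
    preferred_username) to the LDAP Target attribute and return the DN of
    the single matching entry. Any ambiguity denies access."""
    value = claims.get(source_attr)
    if not value:
        raise AuthorizationError(
            f"ID token carries no {source_attr!r} claim; check the scopes "
            "selected on the provider application")
    # Added caveat: an email address the provider marks as unverified should
    # not be used to select an LDAP identity (it is user-supplied at the provider).
    if source_attr == "email" and claims.get("email_verified") is False:
        raise AuthorizationError("provider reports the email address as unverified")
    # mail and uid are matched case-insensitively, as LDAP itself does for them.
    wanted = str(value).lower()
    matches = [e for e in entries
               if str(e.get(target_attr, "")).lower() == wanted]
    if len(matches) != 1:
        raise AuthorizationError(
            f"{len(matches)} LDAP entries have {target_attr}={value!r}; "
            "the Target attribute must identify exactly one user")
    return matches[0]["dn"]


def main():
    # Matching Source/Target pairs, as step 3 requires.
    print(resolve_user(ID_TOKEN_CLAIMS, "email", "mail", LDAP_ENTRIES))
    print(resolve_user(ID_TOKEN_CLAIMS, "preferred_username", "uid", LDAP_ENTRIES))
    # Mismatched pair: the email claim is looked up in uid, nothing matches,
    # and the user is denied even though authentication succeeded.
    try:
        resolve_user(ID_TOKEN_CLAIMS, "email", "uid", LDAP_ENTRIES)
    except AuthorizationError as exc:
        print("denied:", exc)


if __name__ == "__main__":
    main()
```

The mismatched pair in `main()` is the situation step 3 warns about: the provider authenticates the user, but MSS finds no LDAP entry whose Target attribute holds the claim value, so no sessions are authorized.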