SSO exception needed

Related products: Indicium Service Tier

It is great that Indicium and Universal GUI now support SSO based on the OpenID protocol. In our case we'll use Azure AD as Identity Provider and wish to enable SSO with Universal. Since Universal GUI 2021.1.15 we can enjoy the beauty of SSO, PWA and Seamless SSO. The Seamless SSO is how we want to have it working for our end users, as there is no added value in having to click through multiple screens in 99% of the cases. This means that we have to set loginOptionsHidden or loginOptionsDisabled to true in the config.json of Universal GUI and set a DefaultIdentityProvider in the Indicium appsettings.json.

However, the current solution is a bit too rigid, as there is no way to circumvent the said Seamless SSO, except for changing the Indicium setting and redeploying Indicium. There are multiple scenarios for which this rigidness is unwanted:

  • If we wish to enable multiple OpenID providers, but still wish to make it as Seamless as possible for each individual user

  • If one of our foreign offices does not have Azure AD or if a user is not added as a Guest User in our tenant, we might want to give those users an IAM account

  • If we plan to create customer portals: same as with first bullet

  • If Azure AD is down for some unexpected reason, then we want to be able to get into our application using an IAM admin account as backup

  • If (like we do on TEST now) we want to test with dummy users who reference a User Group, we want to create those users in IAM and not in Azure AD. For all regular users (especially with admin rights) in TEST we would like to enforce Azure AD SSO + MFA though.

Now what we would like best as a solution would be something client-side, which could be removed when clearing the cache (ideally it would not be removed for every Universal GUI upgrade we get though). Given the above examples I don’t think it is ever going to be very useful to have the DefaultIdentityProvider setting in appsettings.json. How about adding a ‘Remember my choice’ checkbox on the Indicium login screen, whose value is stored in the cache?

This provides all the benefits we’re looking for:

  • In case of enabling multiple OpenID providers, a default can be selected by the user, enabling Seamless login the next time they log in

  • Non-OpenID users can simply use the IAM login and perhaps also use the Stay signed in + Remember my choice checkboxes to reduce the login steps

  • It provides a way to get into Thinkwise in case the OpenID provider is not available (either through Clear cache or through an Incognito browser)

  • It will always and easily allow us to circumvent SSO default when testing in an Incognito browser tab

An alternative would be to have a second login screen on Indicium with its own URL that is not impacted by the SSO settings, but it’s less convenient than the above solution. There could be other alternatives, and we’ll leave the choice up to you. But something is needed here.

Updated idea status: New → Planned

We recognize the need for a different kind of SSO flow when it comes to scenarios where both external identity providers and the non-external, ‘regular’ IAM-managed identities are used.

The plan is as follows:

When there are multiple identity providers available (either external and/or IAM-managed), an unauthenticated user will be given a choice between the various identity providers.

E.g.

[Login with Azure AD]

[Login with Google]

[Login with Username]

A remember-my-choice setting will allow the unauthenticated user to remember their desired identity provider for the future, effectively creating their device-specific default identity provider.

While introducing this, we’ll get rid of the DefaultIdentityProvider setting. We’ll replace this with a setting in Indicium to instead toggle support for IAM as available identity provider in the login screen. When disabled, users will only be able to choose from the external identity providers. Login with Username will no longer be an available option.

If there is only one identity provider, this identity provider will act as the default identity provider - no user choice will be given. This restores the functionality of DefaultIdentityProvider in scenarios where there is only a single external identity provider and IAM logins are not made available to the user.

Naturally, having no external identity providers configured will also automatically direct the user to the only remaining identity provider, the username/password based login. If not a single identity provider is available, no logins will be possible via the login UI.

Note that this will only affect the browser-based login UI. Direct authentication or bearer authentication may still be used for IAM-managed identities, for instance for API consumers.
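The selection rules in the plan above (choice screen when several providers are offered, automatic redirect when only one is, a remembered per-device preference, IAM login toggled server-side) can be written down as one small resolver. The block below is an added example and not Indicium or Universal GUI code: the function names, the `"iam"` provider id, the `preferredIdp` storage key and the in-memory store standing in for `localStorage` are all assumptions made for illustration.

```javascript
// Added example (not Indicium/Universal GUI code): resolving the browser login
// options described in the plan. Provider ids, the storage key and the store
// interface are assumptions for illustration.

const IAM_PROVIDER = "iam"; // stands in for the "Login with Username" option
const PREF_KEY = "preferredIdp";

// Decide what an unauthenticated user gets to see.
//   externalProviders: ids of the external identity providers configured in
//                      Indicium, e.g. ["azuread", "google"]
//   iamLoginEnabled:   the proposed Indicium toggle that exposes IAM logins
//                      on the login screen
//   store:             get()/set()/remove() over the device-specific preference
//                      (window.localStorage in a browser; memoryStore() here)
// Returns { action: "none" | "redirect" | "choose", provider?, choices }.
function resolveLoginOptions(externalProviders, iamLoginEnabled, store) {
  const available = [...externalProviders];
  if (iamLoginEnabled) available.push(IAM_PROVIDER);

  if (available.length === 0) {
    // No identity provider at all: the login UI cannot sign anyone in.
    return { action: "none", choices: [] };
  }
  if (available.length === 1) {
    // Single provider acts as the default; no choice is offered.
    return { action: "redirect", provider: available[0], choices: available };
  }

  const remembered = store.get(PREF_KEY);
  if (remembered !== null && available.includes(remembered)) {
    // Device-specific default set via "Remember my choice".
    return { action: "redirect", provider: remembered, choices: available };
  }
  if (remembered !== null) {
    // The remembered provider is no longer offered (for instance IAM login was
    // switched off server-side): drop the stale preference instead of
    // redirecting the user into a dead end, and fall back to the choice screen.
    store.remove(PREF_KEY);
  }
  return { action: "choose", choices: available };
}

// Record the user's pick on the choice screen; the preference is only stored
// when the "Remember my choice" checkbox was ticked.
function rememberChoice(provider, rememberMe, store) {
  if (rememberMe) store.set(PREF_KEY, provider);
  return provider;
}

// What "clear cache" amounts to for this feature: forget the stored default so
// the choice screen is shown again on the next visit.
function clearRememberedChoice(store) {
  store.remove(PREF_KEY);
}

// Minimal stand-in for window.localStorage so the example runs outside a browser.
function memoryStore() {
  const data = new Map();
  return {
    get: (k) => (data.has(k) ? data.get(k) : null),
    set: (k, v) => { data.set(k, v); },
    remove: (k) => { data.delete(k); },
  };
}
```

Two points worth noting against the thread's scenarios: the stored preference is only discarded when its provider is absent from the configured list, not when that provider is merely unreachable, so the "Azure AD is down" case still relies on the user clearing the stored key (the clear-cache or Incognito escape hatch discussed above); and because the preference lives on the device, a shared machine keeps whatever the last user remembered, which is exactly why the server-side IAM toggle, not the client-side preference, should be the control that decides whether username logins are offered at all.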


Works like a charm with Indicium 2021.2.12!


Updated idea status: Planned → Completed