Technical Guide

Beginning in Launcher 3.x, the configurations for the authentication providers have been moved out of the settings object into their own separate objects under the root configuration. If you are using Launcher 3.x, the following should be used when configuring the authentication providers:

LDAP

Example:

...
"auth_ldap": {
    "hostname" : "ldapserver.bluefletch.com",
    "port" : 636,
    "domain" : "@BLUEFLETCH",
    "rootDN" : "DC=BLUEFLETCH,DC=com",
    "useHttps" : true
}
...

Auth4 LDAP

Auth version 4 LDAP supports all original LDAP key-value pairs, and beginning in Auth version 4.7.14 additional attributes can be added to the base configuration.

Optional: LDAP Connections Array

Beginning in Auth LDAP version 4.7.14, LDAP supports listing multiple LDAP domain/connection point objects, using the same key-values listed above, within an auth_ldap_connections array. This provides several authentication options in case one service is unavailable: the authentication module attempts each service in turn until one successfully logs the user in with the provided credentials.

Auth4 LDAP Example (including optional auth_ldap_connections):

...
"auth_ldap": {
    "hostname": "ldapserver.bluefletch.com",
    "port": 636,
    "domain": "@BLUEFLETCH",
    "rootDN": "DC=BLUEFLETCH,DC=com",
    "useHttps": true,
    "auth_default_group": "Associates",
    "keyAlias": "aliasNameForKey",
    "generateToken": true,
    "claimsMap": "sam=sAMAccountName,cname=cn,upn=userPrincipalName,memberof=memberOf,dn=distinguishedName"
},
"auth_ldap_connections" : [
    {
        "hostname": "ldapserver.mnl.bluefletch.com",
        "port": 389,
        "domain": "@MNL",
        "rootDN": "DC=BLUEFLETCH,DC=com",
        "useHttps": false
    },
    {
        "hostname": "ldapserver.atl.bluefletch.com",
        "port": 636,
        "domain": "@ATL",
        "rootDN": "DC=BLUEFLETCH,DC=com",
        "useHttps": true
    }
]
...
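The failover behaviour described above, modelled in Python as an added example (this is not BlueFletch code): the configuration is parsed, every connection object is linted, and a bind is attempted against each endpoint in turn until one accepts the credentials. The try order (the primary auth_ldap entry first, then the array in order), treating a rejected credential as "move on to the next service", and reading useHttps as the TLS switch are assumptions made for the example; the bind itself is a constructed stub, not a real LDAP client.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample configuration mirroring the Auth4 LDAP example above.
SAMPLE_CONFIG = json.loads(r'''
{
  "auth_ldap": {
    "hostname": "ldapserver.bluefletch.com",
    "port": 636,
    "domain": "@BLUEFLETCH",
    "rootDN": "DC=BLUEFLETCH,DC=com",
    "useHttps": true,
    "auth_default_group": "Associates",
    "claimsMap": "sam=sAMAccountName,cname=cn,upn=userPrincipalName,memberof=memberOf,dn=distinguishedName"
  },
  "auth_ldap_connections": [
    {"hostname": "ldapserver.mnl.bluefletch.com", "port": 389, "domain": "@MNL",
     "rootDN": "DC=BLUEFLETCH,DC=com", "useHttps": false},
    {"hostname": "ldapserver.atl.bluefletch.com", "port": 636, "domain": "@ATL",
     "rootDN": "DC=BLUEFLETCH,DC=com", "useHttps": true}
  ]
}
''')

CONNECTION_KEYS = ("hostname", "port", "domain", "rootDN", "useHttps")


def ldap_connections(config: dict) -> List[dict]:
    """Primary auth_ldap entry first, then each auth_ldap_connections entry in order (assumed order)."""
    primary = {k: config["auth_ldap"][k] for k in CONNECTION_KEYS}
    return [primary] + list(config.get("auth_ldap_connections", []))


def lint_connection(conn: dict) -> List[str]:
    """Findings for one connection object: missing keys, and cleartext transport (useHttps false)."""
    findings = [f"missing key {k!r}" for k in CONNECTION_KEYS if k not in conn]
    if not conn.get("useHttps", False):
        findings.append(f"{conn.get('hostname')}: useHttps is false, credentials would cross the network unencrypted")
    return findings


def parse_claims_map(claims_map: str) -> Dict[str, str]:
    """'sam=sAMAccountName,cname=cn' -> {'sam': 'sAMAccountName', 'cname': 'cn'}."""
    pairs = (item.split("=", 1) for item in claims_map.split(",") if item.strip())
    return {alias.strip(): attr.strip() for alias, attr in pairs}


# bind(conn, login, password) -> directory attributes on success, None when the
# credentials are rejected; raises ConnectionError when the server is unreachable.
BindFn = Callable[[dict, str, str], Optional[dict]]


def authenticate_with_failover(config: dict, username: str, password: str,
                               bind: BindFn) -> Tuple[Optional[str], Dict[str, object], List[str]]:
    """Try each connection until one logs the user in.

    Returns (hostname that succeeded or None, claims remapped through claimsMap, attempt log).
    """
    aliases = parse_claims_map(config["auth_ldap"].get("claimsMap", ""))
    log: List[str] = []
    for conn in ldap_connections(config):
        host = conn["hostname"]
        try:
            attrs = bind(conn, username + conn["domain"], password)
        except ConnectionError as exc:
            log.append(f"{host}: unreachable ({exc})")
            continue
        if attrs is None:
            log.append(f"{host}: credentials rejected")
            continue
        log.append(f"{host}: success")
        claims = {alias: attrs[attr] for alias, attr in aliases.items() if attr in attrs}
        return host, claims, log
    return None, {}, log


def simulated_bind(conn: dict, login: str, password: str) -> Optional[dict]:
    """Constructed stand-in for a real LDAP bind: primary is down, MNL rejects, ATL accepts."""
    if conn["hostname"] == "ldapserver.bluefletch.com":
        raise ConnectionError("timed out")
    if conn["hostname"] == "ldapserver.atl.bluefletch.com" and password == "correct-horse":
        return {"sAMAccountName": "jdoe", "cn": "Jane Doe",
                "userPrincipalName": "jdoe@bluefletch.com",
                "memberOf": ["CN=Associates,DC=BLUEFLETCH,DC=com"]}
    return None


if __name__ == "__main__":
    for connection in ldap_connections(SAMPLE_CONFIG):
        for finding in lint_connection(connection):
            print("WARN", finding)
    print(authenticate_with_failover(SAMPLE_CONFIG, "jdoe", "correct-horse", simulated_bind))
```

Run as-is, the linter flags the MNL entry (port 389 with useHttps false) and the login succeeds on the third host after the primary times out and MNL rejects the password; the attempt log is what you would want surfaced in device logs when diagnosing which directory actually authenticated a user.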

Okta/OneLogin (PKCE flow)

The following fields will still need to be configured under the settings object when using the Okta Auth Provider:

Example:

...
"auth_okta": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
},
"settings" : {
    ...
    "auth_default_group" : "Associates",
    "auth_group_field" : "title",
    "auth_group_regex" : "(?i)leader$",
    "auth_group_regex_true" : "Managers",
    "auth_location_field" : "custom_fields.deptnum",
    "auth_location_regex" : "(\\d+)",
    ...
}
...
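The group and location rules in the settings object above, applied to sample userinfo claims as an added example (not BlueFletch code). The semantics are assumptions drawn from the key names: the user is placed in auth_group_regex_true when auth_group_regex matches the auth_group_field claim and in auth_default_group otherwise, and the location is the first capture group of auth_location_regex applied to the claim at the dotted path in auth_location_field. The sample claims are constructed.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed settings fragment mirroring the Okta example above.  Note that the
# JSON escape "(\\d+)" becomes the regex (\d+) once the file is parsed.
SETTINGS = json.loads(r'''
{
  "auth_default_group": "Associates",
  "auth_group_field": "title",
  "auth_group_regex": "(?i)leader$",
  "auth_group_regex_true": "Managers",
  "auth_location_field": "custom_fields.deptnum",
  "auth_location_regex": "(\\d+)"
}
''')


def lookup(claims: Dict[str, Any], dotted_path: str) -> Optional[str]:
    """Resolve 'custom_fields.deptnum' against nested claims; None when any step is missing."""
    node: Any = claims
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return None if node is None else str(node)


def resolve_group(settings: Dict[str, str], claims: Dict[str, Any]) -> str:
    """auth_group_regex_true when auth_group_regex matches the group field, else the default group."""
    value = lookup(claims, settings["auth_group_field"])
    if value is not None and re.search(settings["auth_group_regex"], value):
        return settings["auth_group_regex_true"]
    return settings["auth_default_group"]


def resolve_location(settings: Dict[str, str], claims: Dict[str, Any]) -> Optional[str]:
    """First capture group of auth_location_regex applied to the location field (whole match if no group)."""
    value = lookup(claims, settings["auth_location_field"])
    if value is None:
        return None
    match = re.search(settings["auth_location_regex"], value)
    if not match:
        return None
    return match.group(1) if match.groups() else match.group(0)


def assign(settings: Dict[str, str], claims: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Group and location the device would assign from one user's claims."""
    return {"group": resolve_group(settings, claims),
            "location": resolve_location(settings, claims)}


# Constructed sample userinfo claims.
MANAGER = {"sub": "jdoe", "title": "Store Leader", "custom_fields": {"deptnum": "Dept-0042"}}
ASSOCIATE = {"sub": "asmith", "title": "Cashier", "custom_fields": {"deptnum": "17"}}
LEADERSHIP = {"sub": "bkim", "title": "Leadership Trainee", "custom_fields": {"deptnum": "9"}}
SPARSE = {"sub": "new-hire"}

if __name__ == "__main__":
    for user in (MANAGER, ASSOCIATE, LEADERSHIP, SPARSE):
        print(user["sub"], assign(SETTINGS, user))
```

Two things worth checking with a harness like this before rolling a regex out: the `$` anchor means "Leadership Trainee" is not promoted, and a user with no title or department claim silently lands in the default group with no location, which is the safe fallback but may not be the intended one.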

Beginning in Auth 4.x, Okta authentication will be configured with the auth_oauth2 object instead of the auth_okta object, as in this example:

...
"auth_oauth2": {
    "issuer_url": "https://dev.oktapreview.com",
    "client_id": "0o5o9hn89wN4AAhhJ0h7",
    "redirect_url": "com.bluefletch.ems.auth://callback",
    "browser": "com.bluefletch.ems.browser",
    "scopes": "openid profile offline_access groups",
    "logout_redirect": "com.bluefletch.ems.auth://logout"
}
...

Please note the following changes:

* issuer_uri and redirect_uri have been renamed to issuer_url and redirect_url.
* New redirect URLs have been introduced for compatibility with other OIDC providers:
  * com.bluefletch.ems.auth://callback
  * com.bluefletch.ems.auth://logout

For more information on the configurable properties, see the AppAuth/OIDC IdP section.

Okta (Session)

Beginning in Auth 4.6.1, a REST session flow is supported for authentication through Okta using the auth_oauth2 object and the OKTAREST Auth binary.

Example:

...
"auth_oauth2": {
    "host_url": "https://dev.oktapreview.com",
    "client_id": "0o5o9hn89wN4AAhhJ0h7",
    "redirect_url": "com.bluefletch.ems.auth://callback",
    "scopes": "openid email profile offline_access groups",
    "logout_redirect": "com.bluefletch.ems.auth://logout",
    "mfaVerifyIntervalWait": 5,
    "mfaVerifyAttempts": 7
}
...

AppAuth/OIDC IdP

Beginning in Auth 4.x, the AppAuth/Generic OAuth2 configuration will support login through the BlueFletch Browser, as well as Chrome Custom Tabs. The authenticating browser is defined by the browser value.

Example:

...
"auth_oauth2": {
    "client_id": "com.bluefletch.ems.auth",
    "redirect_url": "com.bluefletch.launcher:/callback",
    "baseUrl": "https://oauth2server.bluefletch.com",
    "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
    "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
    "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
    "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
    "scopes": "openid profile offline_access groups",
    "claim_userId": "upn",
    "claim_username": "commonname",
    "claim_groups": "memberof",
    "browser": "com.bluefletch.ems.browser"
}
...
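A consistency check for an auth_oauth2 object of the shape shown above, added here as an example (not BlueFletch code). It verifies that every endpoint URL uses https and lives on the baseUrl host, that redirect_url uses an app-specific scheme rather than http(s), that the openid scope is present (without it the provider issues no ID token or identity claims for userinfo), and that no client_secret has been placed in a device-side config. Which keys count as required is an assumption; the sample configs are constructed.

```python
import json
from typing import List
from urllib.parse import urlsplit

# Constructed auth_oauth2 fragment mirroring the AppAuth/OIDC example above.
OAUTH2 = json.loads('''
{
  "client_id": "com.bluefletch.ems.auth",
  "redirect_url": "com.bluefletch.launcher:/callback",
  "baseUrl": "https://oauth2server.bluefletch.com",
  "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
  "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
  "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
  "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
  "scopes": "openid profile offline_access groups",
  "claim_userId": "upn",
  "claim_username": "commonname",
  "claim_groups": "memberof",
  "browser": "com.bluefletch.ems.browser"
}
''')

# Assumed minimum key set for the example; the optional endpoints are checked only when present.
REQUIRED = ("client_id", "redirect_url", "baseUrl", "authorize_url", "token_url", "scopes")
ENDPOINT_KEYS = ("authorize_url", "token_url", "userinfo_url", "logout_url")


def lint_oauth2(cfg: dict) -> List[str]:
    """Return a list of findings; an empty list means the object passed every check."""
    findings = [f"missing {k}" for k in REQUIRED if k not in cfg]
    if findings:
        return findings

    base = urlsplit(cfg["baseUrl"])
    for key in ENDPOINT_KEYS:
        url = cfg.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key}: not https ({url})")
        if parts.netloc != base.netloc:
            findings.append(f"{key}: host {parts.netloc!r} differs from baseUrl host {base.netloc!r}")

    # A native app receives the authorization code on a custom scheme; http(s) here is a misconfiguration.
    if urlsplit(cfg["redirect_url"]).scheme in ("http", "https", ""):
        findings.append(f"redirect_url: expected an app-specific scheme, got {cfg['redirect_url']!r}")

    if "openid" not in cfg["scopes"].split():
        findings.append("scopes: 'openid' missing, so no ID token or userinfo identity claims")

    if "client_secret" in cfg:
        findings.append("client_secret: present in a device-side config")
    return findings


# Constructed misconfigured variant: plaintext token endpoint on another host,
# an https redirect, and no openid scope.
BROKEN = dict(OAUTH2,
              token_url="http://other.example.com/oauth2/token",
              redirect_url="https://example.com/cb",
              scopes="profile groups")

if __name__ == "__main__":
    print("good:", lint_oauth2(OAUTH2))
    for finding in lint_oauth2(BROKEN):
        print("bad: ", finding)
```

The same checks apply unchanged to the OIDC-Azure variant further down, where the baseUrl host is login.microsoftonline.com; only userinfo_url legitimately points at a different host (graph.microsoft.com) there, so that finding is informational rather than an error for that binary.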

OIDC-Azure

Beginning in Auth 4.3.x, the auth_oauth2 object can be applied to Azure AD authentication when using the OIDC-Azure Auth binary.

Example:

...
"auth_oauth2": {
    "client_id": "01cceca8-d87b-11ec-9d64-0242ac120002",
    "redirect_url": "msauth://com.bluefletch.ems.auth/K8s43sSfptA3T2LoAlTd9XEfKQg=",
    "baseUrl": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002",
    "authorize_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/authorize",
    "token_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/token",
    "scopes": "openid profile email User.Read GroupMember.Read.All https://graph.microsoft.com",
    "resource" : "https://graph.microsoft.com",
    "userinfo_url": "https://graph.microsoft.com/v1.0/me/memberOf",
    "claim_userId": "upn",
    "claim_username": "name",
    "claim_groups": "memberOf"
}
...

MSAL for Azure AD

BlueFletch continues to support the following configuration settings for the Auth version 3.x.x binaries of the MSAL module. See Auth4 MSAL below for configuration settings supported in Auth version 4.5.9 and above.

Auth3 Example:

...
"auth_msal" : {
    "client_id": "<client_id during registration>",
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas=",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/<tenant_id>",
    "tenant_id": "<tenant_id>",
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups": true
}
...

Auth4 MSAL

Beginning in Auth version 4.5.9, some of the MSAL configuration settings change to more fully support new developments from Microsoft.

Auth4 Example:

...
"auth_msal" : {
    "client_id": "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
    "authority_type": "AAD",
    "authority_url": "https://login.microsoftonline.com/<audience_tenant_id>",
    "audience_tenant_id" : "<audience_tenant_id>",
    "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups": true,
    "scopes": "openid email profile User.Read GroupMember.Read.All",
    "shared_device_mode_supported": true,
    "broker_redirect_uri_registered": true,
    "limit_groups_to_direct_membership": true
}
...

For more information on configuring, see the AppAuth/OIDC IdP section.

ADFS 3.0/2012 Using ADAL library

Example:

...
"auth_adal" : {
    "baseUrl" : "https://adfs2012.bluefletch.com",
    "authority" : "https://adfs2012.bluefletch.com/adfs/oauth2",
    "clientId" : "com.bluefletch.ems.auth",
    "resourceId" : "com.bluefletch.ems.auth",
    "redirectUri" : "com.bluefletch.launcher:/callback",
    "defaultDomain" : "BLUEFLETCH\\",
    "claim_userId" : "upn",
    "claim_username" : "commonname",
    "claim_groups" : "MemberOf"
}
...

Okta (Resource Owner Flow)

Example:

...
"auth_oktaRest": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "client_secret" : "A8300hhnadf84993225160kjfdB",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
}
...
