Beginning in Launcher 3.x, the configurations for the authentication providers have been moved out of the settings object into their own separate objects under the root configuration. If you are using Launcher 3.x, the following should be used when configuring the authentication providers:
LDAP
Example:
...
"auth_ldap": {
  "hostname": "ldapserver.bluefletch.com",
  "port": 636,
  "domain": "@BLUEFLETCH",
  "rootDN": "DC=BLUEFLETCH,DC=com",
  "useHttps": true
}
...
Auth4 LDAP
Auth version 4 LDAP supports all original LDAP key-value pairs, and beginning in Auth version 4.7.14 additional attributes can be added to the base configuration.
Optional: LDAP Connections Array
Beginning in Auth - LDAP version 4.7.14, LDAP supports listing multiple LDAP domain/connection point objects, using the same key-values listed above, within an auth_ldap_connections array. This will give several authentication options in case one service is unavailable. The authentication module will attempt each service until it successfully logs a user in with the provided credentials.
Auth4 LDAP Example (including optional auth_ldap_connections):
...
"auth_ldap": {
  "hostname": "ldapserver.bluefletch.com",
  "port": 636,
  "domain": "@BLUEFLETCH",
  "rootDN": "DC=BLUEFLETCH,DC=com",
  "useHttps": true,
  "auth_default_group": "Associates",
  "keyAlias": "aliasNameForKey",
  "generateToken": true,
  "claimsMap": "sam=sAMAccountName,cname=cn,upn=userPrincipalName,memberof=memberOf,dn=distinguishedName"
},
"auth_ldap_connections": [
  {
    "hostname": "ldapserver.mnl.bluefletch.com",
    "port": 389,
    "domain": "@MNL",
    "rootDN": "DC=BLUEFLETCH,DC=com",
    "useHttps": false
  },
  {
    "hostname": "ldapserver.atl.bluefletch.com",
    "port": 636,
    "domain": "@ATL",
    "rootDN": "DC=BLUEFLETCH,DC=com",
    "useHttps": true
  }
]
...
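As an added example (not BlueFletch's code), the following Python lints an Auth4 auth_ldap object plus its optional auth_ldap_connections array for missing keys and for connections whose bind would travel without TLS, and models the try-each-service-until-success behaviour described above. The order it assumes (auth_ldap first, then the array entries in listed order) is not stated on the page.

```python
"""Added example (not BlueFletch code): lint an Auth4 LDAP configuration and
model the failover described above. The order auth_ldap first, then each entry
of auth_ldap_connections, is an assumption; the page only says each service is
tried until one accepts the credentials."""
import json

REQUIRED = ("hostname", "port", "domain", "rootDN", "useHttps")

# Constructed sample mirroring the Auth4 example on the page.
SAMPLE = json.loads("""{
  "auth_ldap": {"hostname": "ldapserver.bluefletch.com", "port": 636,
                "domain": "@BLUEFLETCH", "rootDN": "DC=BLUEFLETCH,DC=com",
                "useHttps": true, "auth_default_group": "Associates"},
  "auth_ldap_connections": [
    {"hostname": "ldapserver.mnl.bluefletch.com", "port": 389,
     "domain": "@MNL", "rootDN": "DC=BLUEFLETCH,DC=com", "useHttps": false},
    {"hostname": "ldapserver.atl.bluefletch.com", "port": 636,
     "domain": "@ATL", "rootDN": "DC=BLUEFLETCH,DC=com", "useHttps": true}
  ]
}""")


def connection_order(config):
    """auth_ldap's connection keys first, then the optional array in order."""
    base = {k: v for k, v in config["auth_ldap"].items() if k in REQUIRED}
    return [base] + list(config.get("auth_ldap_connections", []))


def lint_ldap(config):
    """Findings: missing keys, and connections that would send the user's
    password in a bind without TLS (useHttps false, e.g. port 389)."""
    findings = []
    for conn in connection_order(config):
        missing = [k for k in REQUIRED if k not in conn]
        if missing:
            findings.append((conn.get("hostname", "?"), "missing " + ",".join(missing)))
        elif not conn["useHttps"]:
            findings.append((conn["hostname"], "plaintext bind"))
    return findings


def login_with_failover(config, try_bind):
    """Try each connection until try_bind(conn) returns True. Returns the
    hostname that accepted the credentials, or None if every service failed."""
    for conn in connection_order(config):
        if try_bind(conn):
            return conn["hostname"]
    return None
```

Pass a real bind function as try_bind to use it against live servers; the lint alone is enough to catch a connection entry that downgrades every failover login to plaintext.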
Okta/OneLogin (PKCE flow)
The following fields will still need to be configured under the settings object when using the Okta Auth Provider:
Example:
...
"auth_okta": {
  "issuer_uri": "https://dev.oktapreview.com",
  "client_id": "0o5o9hn89wN4AAhhJ0h7",
  "redirect_uri": "com.bluefletch.launcher:/callback",
  "scopes": "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
},
"settings": {
  ...
  "auth_default_group": "Associates",
  "auth_group_field": "title",
  "auth_group_regex": "(?i)leader$",
  "auth_group_regex_true": "Managers",
  "auth_location_field": "custom_fields.deptnum",
  "auth_location_regex": "(\\d+)",
  ...
}
...
Beginning in Auth 4.x, Okta authentication will be configured with the auth_oauth2 object instead of the auth_okta object, as in this example:
"auth_oauth2": {
  "issuer_url": "https://dev.oktapreview.com",
  "client_id": "0o5o9hn89wN4AAhhJ0h7",
  "redirect_url": "com.bluefletch.ems.auth://callback",
  "browser": "com.bluefletch.ems.browser",
  "scopes": "openid profile offline_access groups",
  "logout_redirect": "com.bluefletch.ems.auth://logout"
},
Please note the following changes:
* the issuer_uri and redirect_uri have been renamed to issuer_url and redirect_url.
* new redirect URLs have been introduced for compatibility with other OIDC providers:
  * com.bluefletch.ems.auth://callback
  * com.bluefletch.ems.auth://logout
For more information on the properties for configuring, see the AppAuth/OIDC IDP section.
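As an added example (not BlueFletch's code), the following Python converts an Auth3 auth_okta object into the Auth4 auth_oauth2 shape described above. The key renames and the new redirect URLs come from the page; flattening the JSON-array-encoded scopes string into the space-delimited form used in the Auth4 example, and swapping a com.bluefletch.launcher:/ redirect for the new scheme, are this example's own assumptions.

```python
"""Added example (not BlueFletch code): convert an Auth3 "auth_okta" object into
the Auth4 "auth_oauth2" shape described above. The key renames and the new
redirect URLs are from the page; flattening the JSON-array-encoded scopes string
into the space-delimited form of the Auth4 example, and swapping a
com.bluefletch.launcher:/ redirect for the new scheme, are assumptions."""
import json

RENAMES = {"issuer_uri": "issuer_url", "redirect_uri": "redirect_url"}
NEW_REDIRECT = "com.bluefletch.ems.auth://callback"
NEW_LOGOUT = "com.bluefletch.ems.auth://logout"
BROWSER = "com.bluefletch.ems.browser"  # value used by the page's Auth4 example

# Constructed sample: the Auth3 auth_okta object shown on the page.
AUTH3 = {
    "issuer_uri": "https://dev.oktapreview.com",
    "client_id": "0o5o9hn89wN4AAhhJ0h7",
    "redirect_uri": "com.bluefletch.launcher:/callback",
    "scopes": "[\"openid\", \"profile\", \"offline_access\", \"groups\"]",
}


def normalize_scopes(value):
    """Accept the old JSON-encoded array string, a real list, or an already
    space-delimited string; return the space-delimited form."""
    if isinstance(value, str) and value.lstrip().startswith("["):
        value = json.loads(value)
    if isinstance(value, list):
        return " ".join(value)
    return " ".join(value.split())


def migrate_okta(auth_okta):
    """Return {"auth_oauth2": {...}} built from an auth_okta object."""
    out = {RENAMES.get(key, key): val for key, val in auth_okta.items()}
    out["scopes"] = normalize_scopes(auth_okta.get("scopes", ""))
    if out.get("redirect_url", "").startswith("com.bluefletch.launcher:"):
        out["redirect_url"] = NEW_REDIRECT
    out.setdefault("logout_redirect", NEW_LOGOUT)
    out.setdefault("browser", BROWSER)
    return {"auth_oauth2": out}
```

Whatever redirect_url the migration emits must also be registered on the Okta application; the rename alone does not update the provider side.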
Okta (Session)
Beginning in Auth 4.6.1, a REST session flow is supported for authentication through Okta using the auth_oauth2 object and the OKTAREST Auth binary.
Example:
...
"auth_oauth2": {
  "host_url": "https://dev.oktapreview.com",
  "client_id": "0o5o9hn89wN4AAhhJ0h7",
  "redirect_url": "com.bluefletch.ems.auth://callback",
  "scopes": "openid email profile offline_access groups",
  "logout_redirect": "com.bluefletch.ems.auth://logout",
  "mfaVerifyIntervalWait": 5,
  "mfaVerifyAttempts": 7
}
...
AppAuth/OIDC IdP
Beginning in Auth 4.x, the AppAuth/Generic OAuth2 configuration will support login through the BlueFletch Browser, as well as Chrome Custom Tabs. The authenticating browser is defined by the browser value.
Example:
...
"auth_oauth2": {
  "client_id": "com.bluefletch.ems.auth",
  "redirect_url": "com.bluefletch.launcher:/callback",
  "baseUrl": "https://oauth2server.bluefletch.com",
  "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
  "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
  "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
  "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
  "scopes": "openid profile offline_access groups",
  "claim_userId": "upn",
  "claim_username": "commonname",
  "claim_groups": "memberof",
  "browser": "com.bluefletch.ems.browser"
}
...
OIDC-Azure
Beginning in Auth 4.3.x, the auth_oauth2 object can be applied to Azure AD authentication when using the OIDC-Azure Auth binary.
Example:
...
"auth_oauth2": {
  "client_id": "01cceca8-d87b-11ec-9d64-0242ac120002",
  "redirect_url": "msauth://com.bluefletch.ems.auth/K8s43sSfptA3T2LoAlTd9XEfKQg=",
  "baseUrl": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002",
  "authorize_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/authorize",
  "token_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/token",
  "scopes": "openid profile email User.Read GroupMember.Read.All https://graph.microsoft.com",
  "resource": "https://graph.microsoft.com",
  "userinfo_url": "https://graph.microsoft.com/v1.0/me/memberOf",
  "claim_userId": "upn",
  "claim_username": "name",
  "claim_groups": "memberOf"
}
...
MSAL for Azure AD
BlueFletch continues to support the following configuration settings for the Auth version 3.x.x binaries of the MSAL module. See Auth4 MSAL below for configuration settings supported in Auth version 4.5.9 and above.
Auth3 Example:
...
"auth_msal": {
  "client_id": "<client_id during registration>",
  "authorization_user_agent": "DEFAULT",
  "redirect_uri": "msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas=",
  "authority_type": "AAD",
  "authority_url": "https://login.microsoftonline.com/<tenant_id>",
  "tenant_id": "<tenant_id>",
  "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
  "limit_to_launcher_groups": true
}
...
Auth4 MSAL
Beginning in Auth version 4.5.9, some of the MSAL configuration settings change to more fully support new developments from Microsoft.
Auth4 Example:
...
"auth_msal": {
  "client_id": "<client_id during registration>",
  "authorization_user_agent": "DEFAULT",
  "redirect_uri": "msauth://com.bluefletch.ems.auth/KUKEusfKtqAOu9UB6jgjtTMKYas%3D",
  "authority_type": "AAD",
  "authority_url": "https://login.microsoftonline.com/<audience_tenant_id>",
  "audience_tenant_id": "<audience_tenant_id>",
  "logout_url": "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
  "limit_to_launcher_groups": true,
  "scopes": "openid email profile User.Read GroupMember.Read.All",
  "shared_device_mode_supported": true,
  "broker_redirect_uri_registered": true,
  "limit_groups_to_direct_membership": true
}
...
For more information on configuring, see the AppAuth/OIDC IdP section.
ADFS 3.0/2012 Using ADAL library
Example:
...
"auth_adal": {
  "baseUrl": "https://adfs2012.bluefletch.com",
  "authority": "https://adfs2012.bluefletch.com/adfs/oauth2",
  "clientId": "com.bluefletch.ems.auth",
  "resourceId": "com.bluefletch.ems.auth",
  "redirectUri": "com.bluefletch.launcher:/callback",
  "defaultDomain": "BLUEFLETCH\\",
  "claim_userId": "upn",
  "claim_username": "commonname",
  "claim_groups": "MemberOf"
}
...
Okta (Resource Owner Flow)
Example:
...
"auth_oktaRest": {
  "issuer_uri": "https://dev.oktapreview.com",
  "client_id": "0o5o9hn89wN4AAhhJ0h7",
  "client_secret": "A8300hhnadf84993225160kjfdB",
  "redirect_uri": "com.bluefletch.launcher:/callback",
  "scopes": "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
}
...