Custom Application
This page explains how to create and configure a custom OpenID Connect application in Specops Authentication, so that a relying party can use Specops Single Sign-On for authentication.
Configuration
These are the main configuration steps:
- Configure a Group Policy Object
- Create an OpenID Connect application for Single Sign-On
Configure a Group Policy Object
Follow these steps only if you select Group Policy or Both as the policy mode when creating the OpenID Connect application.
- In the Group Policy Management Console, create a Group Policy Object (GPO).
- Link the GPO to a container (for example, an organizational unit) that contains the users who should be able to access the organization's application.
- In the Gatekeeper Admin Tool, click Single Sign-on.
- Click Tag GPOs, select the GPO that should be available to use when configuring an OpenID Connect application in Specops Authentication, and click OK.
Create an OpenID Connect application for Single Sign-On
- Log in to Specops Authentication Web as an administrator.
- Click Single Sign-On.
- Click Add new.
- Select Application Type: Custom.
- Under General Settings, type an application name and optionally a description for the application.
- If the relying party expects a signed JWT from the user info endpoint, select Sign user info. If it is not selected, the user info endpoint returns plain JSON. The relying party's configuration must match this setting: a client expecting JSON will not parse a JWT body, and a client expecting a signed JWT must verify the signature rather than only decode the token.
- Under Redirect URLs, add the URLs to which the user may be redirected during authentication and logout. The relying party provides these; register only the exact URLs it actually uses, because the authorization response is delivered to whichever registered URL the client requests. You can add them later, but at least one redirect URL is needed before authentication will work.
- In Standard Claim Mapping, add the claims that should be sent to the relying party during authentication.
  - Claim: Select a name from the list of predefined claim names, or select Custom... to enter a custom claim name.
  - AD Attribute or Custom Value: Select an attribute from the list of Active Directory attributes, or select Custom... to enter a fixed value. If an AD attribute is selected, the claim is populated from the authenticating user's attribute value during authentication. If Custom is selected, the same fixed value is sent for every user.
- Click Save and Continue.
- Select a Policy mode from the list.
- If you selected Group Policy or Both as policy mode, choose one or more GPOs from the Group Policy Objects list, and click Add.
- Click Edit Authentication Rules next to the added GPO. Configure your desired authentication rules and click Save.
- If you selected Cloud or Both as policy mode, click Configure and add the identity services that you want to include.
- Click I'm done.
- The Application Credentials page shows the credentials and URLs needed when configuring Specops Authentication as the identity provider at the relying party. Copy the Client Secret and store it in a safe place (a secrets store, not source control or a ticket) for later use, then click Continue.
Note
The client secret is shown only once and cannot be viewed or copied again after leaving this page.
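The Redirect URLs step registers the only destinations to which the authorization response may be sent, so how a requested redirect_uri is compared against the registered list matters. The page does not say whether Specops Authentication matches exactly or by prefix; the check below is an added example (not Specops code) of exact matching as RFC 6749 and the OAuth 2.0 Security BCP require, run against constructed URLs of the kind an attacker sends when matching is looser. The registered URLs and hostnames are made up for the example.

```python
# Added example, not Specops code: exact-match validation of a requested
# redirect_uri against the registered Redirect URLs. Hostnames are constructed.
from typing import Iterable
from urllib.parse import urlsplit

# http is tolerated only for loopback development redirects (RFC 8252 style).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _canonical(url: str) -> tuple:
    """Reduce a URL to the components that must match exactly.

    Scheme and host are case-insensitive and are lower-cased; an explicit
    default port (443 for https, 80 for http) is treated like no port.
    Path and query are compared byte-for-byte: no '..' collapsing, no
    trailing-slash tolerance, no prefix matching. Raises ValueError on a
    malformed URL (for example a non-numeric port).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port, parts.path, parts.query)


def redirect_allowed(requested: str, registered: Iterable[str]) -> bool:
    """Return True only if `requested` exactly matches one registered URL."""
    try:
        req = urlsplit(requested)
        # RFC 6749 section 3.1.2: the redirection URI must not contain a fragment.
        if req.fragment:
            return False
        # Credentials in the authority part are a classic host-parsing confusion.
        if req.username is not None or req.password is not None:
            return False
        host = (req.hostname or "").lower()
        if req.scheme.lower() != "https" and host not in LOOPBACK_HOSTS:
            return False
        wanted = _canonical(requested)
        return any(wanted == _canonical(r) for r in registered)
    except ValueError:
        return False


# Constructed sample: the relying party registered one production callback
# and one loopback callback for local development.
REGISTERED = ["https://app.example.com/oidc/callback", "http://127.0.0.1:8080/cb"]

# Constructed requests and the decision an exact-match policy must reach.
CASES = {
    "https://app.example.com/oidc/callback": True,
    "HTTPS://App.Example.COM:443/oidc/callback": True,          # only case and default port differ
    "http://127.0.0.1:8080/cb": True,                            # loopback, http tolerated
    "http://127.0.0.1:9999/cb": False,                           # loopback but wrong port
    "https://app.example.com.evil.test/oidc/callback": False,    # host suffix trick
    "https://app.example.com/oidc/callback/../admin": False,     # traversal; path is not collapsed
    "https://app.example.com/oidc/callback?next=//evil.test": False,  # extra query parameter
    "http://app.example.com/oidc/callback": False,               # scheme downgrade
    "https://app.example.com/oidc/callback#token": False,        # fragment present
    "https://app.example.com@evil.test/oidc/callback": False,    # userinfo hides the real host
}


def mismatches() -> dict:
    """Return every constructed case whose result differs from the expected decision."""
    return {url: redirect_allowed(url, REGISTERED)
            for url, expected in CASES.items()
            if redirect_allowed(url, REGISTERED) != expected}


if __name__ == "__main__":
    for url, expected in CASES.items():
        print(f"{'allow' if redirect_allowed(url, REGISTERED) else 'deny ':5} {url}")
    print("mismatches:", mismatches())
```

The point of the constructed cases is that anything short of exact comparison (a prefix match, a normalized path, an ignored query string) lets one of them through, and the authorization code then lands on a host the attacker controls.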
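The Sign user info setting changes what the relying party receives from the user info endpoint: plain JSON when it is off, a JWT in JWS compact form (Content-Type application/jwt, per OpenID Connect Core section 5.3.2) when it is on. The following is an added example, not Specops or relying-party product code, of how a client should consume either response. The page does not state which signing algorithm Specops Authentication uses; the example assumes HS256 keyed with the client secret from the Application Credentials page so that it runs with the Python standard library alone. An IdP that signs with RSA or EC keys is verified against its published JWKS with a JOSE library instead, and every check after the signature step is the same. The client id, client secret, issuer and claim values are constructed.

```python
# Added example, not Specops code: relying-party handling of the user info
# response with "Sign user info" on (JWT) or off (JSON). HS256 keyed with the
# client secret is an assumption made so the example needs no third-party library.
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for values shown on the Application Credentials page.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret-copied-once-from-the-credentials-page"
ISSUER = "https://idp.example.com"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_userinfo_hs256(claims: dict, secret: str) -> str:
    """Build a signed user info JWT the way an HS256 IdP would (test fixture)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_userinfo_jwt(token: str, secret: str, issuer: str, audience: str, now=None) -> dict:
    """Verify the signature, then iss, aud and exp. Raises ValueError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm to the configured one: rejects alg=none and algorithm substitution.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_mac = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("token not issued for this client")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def parse_userinfo(content_type: str, body: bytes, expected_sub: str, now=None) -> dict:
    """Dispatch on Content-Type; in both cases the 'sub' must equal the ID token's 'sub'."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/jwt":
        claims = verify_userinfo_jwt(body.decode("ascii"), CLIENT_SECRET, ISSUER, CLIENT_ID, now)
    elif media == "application/json":
        claims = json.loads(body)
    else:
        raise ValueError(f"unexpected user info content type {content_type!r}")
    if claims.get("sub") != expected_sub:
        raise ValueError("user info 'sub' does not match the ID token 'sub'")
    return claims


# Constructed claims, as produced by a mapping of AD attributes to standard claim names.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "S-1-5-21-1-2-3-1001",
                 "preferred_username": "alice", "exp": 2_000_000_000}


def demo(now: float = 1_900_000_000) -> dict:
    """Exercise both happy paths and the failure modes; returns a summary."""
    token = sign_userinfo_hs256(SAMPLE_CLAIMS, CLIENT_SECRET)
    h, p, s = token.split(".")
    forged = _b64url_encode(json.dumps(dict(SAMPLE_CLAIMS, sub="S-1-5-21-1-2-3-500")).encode())
    none_hdr = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    out = {"jwt_ok": parse_userinfo("application/jwt; charset=utf-8", token.encode(),
                                    SAMPLE_CLAIMS["sub"], now) == SAMPLE_CLAIMS,
           "json_ok": parse_userinfo("application/json", json.dumps(SAMPLE_CLAIMS).encode(),
                                     SAMPLE_CLAIMS["sub"], now) == SAMPLE_CLAIMS}
    for name, ctype, body, sub, when in [
        ("tampered_payload", "application/jwt", f"{h}.{forged}.{s}", "S-1-5-21-1-2-3-500", now),
        ("alg_none", "application/jwt", f"{none_hdr}.{p}.", SAMPLE_CLAIMS["sub"], now),
        ("expired", "application/jwt", token, SAMPLE_CLAIMS["sub"], 2_100_000_000),
        ("sub_mismatch", "application/jwt", token, "someone-else", now),
        ("wrong_type", "text/html", "<html>", SAMPLE_CLAIMS["sub"], now),
    ]:
        try:
            parse_userinfo(ctype, body.encode(), sub, when)
            out[name] = "accepted"
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The signed form only helps if the client pins the algorithm and checks the signature, issuer, audience and expiry before reading any claim; a client that merely base64-decodes the payload gets no more assurance than with plain JSON. The sub comparison against the ID token applies in both modes and is what ties the returned attributes to the session that was just authenticated.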