AgileAssets supports the OpenID protocol for Single Sign-On (SSO). This topic explains how to set up OpenID with TrimbleID as the Identity Provider (IdP). For other IdPs, the process is similar.

Note:

  1. Setting up OpenID requires System Admin access on the application server and write access to the Tomcat folder.
  2. The following guide uses https://quappv21.agileassets.com/ams-web as an example AMS application. Update this URL accordingly when configuring a real-world instance.


IdP Configuration

Ask the client's IdP Admin to register the AMS application in the IdP and to provide the AgileAssets System Admin with these OpenID parameters:

Field | Comments | Example
Base URL | The base URL of the Identity Provider | https://stage.id.trimblecloud.com
Application Name/Scope | The AMS application name (or scope) assigned in the IdP | AgileAssets AMS
Client ID | The AMS application ID assigned by the IdP | abc-def-ghi-jkl-mno
Client Secret | The client secret assigned by the IdP | [Redacted]
OAuth Authorization Endpoint | OpenID authorization endpoint | /oauth/authorize
OAuth Token Endpoint | OpenID token endpoint | /oauth/token
OAuth User Info Endpoint | OpenID user information endpoint | /oauth/userinfo

Note: Currently, the three endpoint URLs used in the OpenID configuration must be relative to the Base URL.

The IdP configuration will also need a Redirect URL (or Callback URL) from AMS. The URL is the application URL with /sso appended. In this example, it is https://quappv21.agileassets.com/ams-web/sso

AMS Configuration

Encrypt Client Secret

Use the ams-encrypter.jar included in the deployment package to encrypt the Client Secret. For example, run this command from the package:

java -jar target\ams-encrypter-7.7.5.0-SNAPSHOT.jar 

Follow the prompt, enter the original Client Secret, and obtain the Encrypted Client Secret. It should be a string that starts with @aaEncrypted@, for example, @aaEncrypted@ABCDEFG

Web.xml

Make the following changes in the AMS web.xml file under the Tomcat application folder. Note that this section of web.xml is commented out by default. Make sure to un-comment it.

web.xml
  <servlet>
      <servlet-name>SsoServlet</servlet-name>
      <servlet-class>com.agileassetsinc.core.servlet.SsoServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
  </servlet>
 
  <servlet-mapping>
      <servlet-name>SsoServlet</servlet-name>
      <url-pattern>/sso</url-pattern>
  </servlet-mapping>
 
  <filter>
      <filter-name>OpenIdSSOFilter</filter-name>
      <filter-class>com.agileassetsinc.core.OpenidSsoFilter</filter-class>
      <init-param>
          <param-name>openIdBaseUrl</param-name>
          <param-value>Base URL (eg: https://stage.id.trimblecloud.com)</param-value>
      </init-param>
 
      <init-param>
          <param-name>openIdScope</param-name>
          <param-value>Application Name (eg: AgileAssets AMS)</param-value>
      </init-param>
 
      <init-param>
          <param-name>openIdClientId</param-name>
          <param-value>Client ID (eg: abc-def-ghi-jkl-mno)</param-value>
      </init-param>
 
      <init-param>
          <param-name>openIdClientSecretEncrypted</param-name>
          <param-value>Encrypted Client Secret (eg: @aaEncrypted@ABCDEFG)</param-value>
      </init-param>

      <init-param>
          <param-name>openIdOauthAuthorizationEndpoint</param-name>
          <param-value>OpenID Authorization End point (eg: /oauth/authorize)</param-value>
      </init-param>

      <init-param>
          <param-name>openIdOauthTokenEndpoint</param-name>
          <param-value>OpenID Token End point (eg: /oauth/token)</param-value>
      </init-param>
 
      <init-param>
          <param-name>openIdOauthUserinfoEndpoint</param-name>
          <param-value>OpenID User information End point (eg: /oauth/userinfo)</param-value>
      </init-param>
  
  </filter>
 
  <filter-mapping>
      <filter-name>OpenIdSSOFilter</filter-name>
      <url-pattern>/sso</url-pattern>
  </filter-mapping>
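Before restarting Tomcat, it is worth confirming that the filter section was actually un-commented and that the values obey the constraints stated above (the three endpoints relative to the Base URL, the secret in its @aaEncrypted@ form, the Base URL absolute). The following Python script is an added example, not code from the original page or from AgileAssets: it parses the OpenIdSSOFilter init-params out of web.xml, reports every violation at once, and prints the resolved endpoint URLs and the Redirect URL. The sample web.xml is constructed from the page's example values (the secret is a placeholder); the requirement that the Base URL use https, and all function names, are my assumptions.

```python
"""Pre-deployment sanity check for the OpenID section of AMS web.xml.

Added example, not AgileAssets code. Function names are assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample: the web.xml fragment from this page, filled in with
# the page's example values. The secret is a placeholder, not a real one.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>OpenIdSSOFilter</filter-name>
    <filter-class>com.agileassetsinc.core.OpenidSsoFilter</filter-class>
    <init-param><param-name>openIdBaseUrl</param-name><param-value>https://stage.id.trimblecloud.com</param-value></init-param>
    <init-param><param-name>openIdScope</param-name><param-value>AgileAssets AMS</param-value></init-param>
    <init-param><param-name>openIdClientId</param-name><param-value>abc-def-ghi-jkl-mno</param-value></init-param>
    <init-param><param-name>openIdClientSecretEncrypted</param-name><param-value>@aaEncrypted@ABCDEFG</param-value></init-param>
    <init-param><param-name>openIdOauthAuthorizationEndpoint</param-name><param-value>/oauth/authorize</param-value></init-param>
    <init-param><param-name>openIdOauthTokenEndpoint</param-name><param-value>/oauth/token</param-value></init-param>
    <init-param><param-name>openIdOauthUserinfoEndpoint</param-name><param-value>/oauth/userinfo</param-value></init-param>
  </filter>
</web-app>"""

ENDPOINT_PARAMS = (
    "openIdOauthAuthorizationEndpoint",
    "openIdOauthTokenEndpoint",
    "openIdOauthUserinfoEndpoint",
)
REQUIRED_PARAMS = (
    "openIdBaseUrl", "openIdScope", "openIdClientId", "openIdClientSecretEncrypted",
) + ENDPOINT_PARAMS
SECRET_PREFIX = "@aaEncrypted@"  # prefix produced by ams-encrypter, per the page


def _local(tag: str) -> str:
    """Strip an XML namespace prefix; real web.xml files declare a default namespace."""
    return tag.rsplit("}", 1)[-1]


def read_filter_params(web_xml: str, filter_name: str = "OpenIdSSOFilter") -> dict:
    """Return {param-name: param-value} for the named <filter> element."""
    root = ET.fromstring(web_xml)
    for flt in root.iter():
        if _local(flt.tag) != "filter":
            continue
        name = next((c.text for c in flt if _local(c.tag) == "filter-name"), None)
        if name != filter_name:
            continue
        params = {}
        for ip in flt:
            if _local(ip.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
        return params
    # A commented-out section is invisible to the parser, so this is the usual cause.
    raise ValueError(f"filter {filter_name!r} not found (is the section still commented out?)")


def check_openid_config(params: dict, app_url: str) -> dict:
    """Validate the page's constraints; return the resolved URLs or raise ValueError."""
    problems = []
    for key in REQUIRED_PARAMS:
        if not params.get(key):
            problems.append(f"{key} is missing or empty")
    base = params.get("openIdBaseUrl", "")
    parsed = urlparse(base)
    if parsed.scheme != "https" or not parsed.netloc:  # https requirement is an assumption
        problems.append(f"openIdBaseUrl must be an absolute https URL, got {base!r}")
    for key in ENDPOINT_PARAMS:
        ep = params.get(key, "")
        if not ep.startswith("/") or "://" in ep:
            problems.append(f"{key} must be a path relative to the Base URL, got {ep!r}")
    secret = params.get("openIdClientSecretEncrypted", "")
    if not secret.startswith(SECRET_PREFIX) or len(secret) == len(SECRET_PREFIX):
        problems.append("openIdClientSecretEncrypted must hold the ams-encrypter output, not the plaintext secret")
    if problems:
        raise ValueError("; ".join(problems))
    resolved = {key: urljoin(base, params[key]) for key in ENDPOINT_PARAMS}
    resolved["redirect_url"] = app_url.rstrip("/") + "/sso"  # Redirect URL rule from the page
    return resolved


if __name__ == "__main__":
    cfg = read_filter_params(SAMPLE_WEB_XML)
    for k, v in check_openid_config(cfg, "https://quappv21.agileassets.com/ams-web").items():
        print(f"{k}: {v}")
```

To use it against a real deployment, replace SAMPLE_WEB_XML with the contents of the Tomcat application's web.xml and pass the real application URL; a web.xml where the placeholder text ("Base URL (eg: ...)") was left in place fails the checks, as does one with the plaintext secret.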

User Configuration

On the System > Security > User Level > User Names and Access window, enter each user's OpenID email address in the Email field.

SSO Login URL

The SSO Login URL is the application URL appended with /sso. For example, https://quappv21.agileassets.com/ams-web/sso, or http://trimbleid.agileassets.com/ams-web/sso

Known Issue

Currently, AgileAssets cannot conduct SSO with Azure using OpenID. For SSO with Azure, please use SAML protocol. See Setup SAML for Single Sign-On for details.
