{"id":11899,"date":"2022-08-16T09:41:07","date_gmt":"2022-08-16T14:41:07","guid":{"rendered":"https:\/\/www.mrc-productivity.com\/docs\/?post_type=ht_kb&p=11899"},"modified":"2023-11-08T16:00:51","modified_gmt":"2023-11-08T22:00:51","slug":"addinging-sso-via-oauth2-to-m-power-applications","status":"publish","type":"ht_kb","link":"https:\/\/www.mrc-productivity.com\/docs\/knowledge-base\/addinging-sso-via-oauth2-to-m-power-applications","title":{"rendered":"Adding SSO (via OAuth2) to m-Power Applications"},"content":{"rendered":"\n

This document will explain how to configure m-Power as well as a 3rd party tool (in our case, Microsoft’s Azure) to utilize OAuth2 for single sign on access to generated m-Power applications.<\/p>\n\n\n\n

This document assumes that your OAuth2 provider is Azure. However, you are free to connect with other providers as m-Power supports OAuth2 in general.<\/p>\n\n\n\n

Configuring m-Power<\/h2>\n\n\n\n

Oauth2 SSO is configured at the data dictionary level. Therefore, you can control which dictionaries utilize this functionality and which do not. <\/p>\n\n\n\n

On your m-Power server, navigate to the mrc-runtime.properties file located in \/mrcjava\/WEB-INF\/classes and add the following lines to the file:
<\/p>\n\n\n\n

oauth_ms_client_id=ENTER_IN_YOUR_CLIENT_ID_HERE
oauth_ms_client_secret=ENTER_IN_YOUR_SECRET_HERE
oauth_ms_discovery_url=https:\/\/login.microsoftonline.com\/YOUR_DIRECTORY_TENANT_ID_GOES_HERE\/v2.0\/.well-known\/openid-configuration
oauth_ms_callback_url=ENTER_IN_YOUR_CALL_BACK_URL_HERE
oauth_ms_scope=openid offline_access profile email https:\/\/graph.microsoft.com\/user.read
oauth_ms_response_type=code id_token
oauth_ms_response_mode=form_post
oauth_ms_grant_type=client_credentials
oauth_ms_name_key=preferred_username<\/p>\n\n\n\n

Your client ID is how your OAuth2 provider identifies your organization. The secret is essentially the password that helps to authenticate your request. Finally, the callback_url is the endpoint that the OAuth2 provider interacts with to essentially tell m-Power that the user is question is valid.<\/p>\n\n\n\n

How to obtain your Client ID, secret, and callback are discussed in further detail in the document below.<\/p>\n\n\n\n

After restarting Tomcat, log into m-Power and enable security <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

(The default user\/password, if prompted, is mrcuser\/mrcuser)<\/p>\n\n\n\n

Next click the edit security settings option and change the Validation Type dropdown to “Validate by OAuth2”<\/p>\n\n\n\n

Change the “Data Source” option to “Other” and provide a value of “ms”<\/p>\n\n\n\n

Finally, when a user clicks Signoff of a runtime application, m-Power needs to redirect the user somewhere to tell them that their m-Power session has been terminated. You can specify a specific page by changing the “After Signoff Redirect” value to “\/mrcjava\/logout.html”<\/p>\n\n\n\n

You are welcome to customize this file as you see fit.<\/p>\n\n\n\n

Promote to Production<\/h3>\n\n\n\n

To promote your security settings, please promote the mrcSignon2.xml file to production. To promote your log out file you’ve customized, promote the logout.html file to production. <\/p>\n\n\n\n

Configuring Azure<\/h2>\n\n\n\n

Log into your Azure portal at portal.azure.com. Open Azure Active Directory, then click App Registration<\/p>\n\n\n\n

Click “New Registration” Enter a name for your SSO Connection and click “Register”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Your screen should now look like this:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Obtain a Secret Key<\/h3>\n\n\n\n

On the right hand side, click “Add a certificate or secret”<\/p>\n\n\n\n

Click “New client secret”<\/p>\n\n\n\n

Enter a description for this secret and select an expiration window.<\/p>\n\n\n\n

mrc suggests selecting the longest expiration window as once this secret expires you SSO will fail to work until a new valid secret is configured.<\/p>\n\n\n\n

It is advised that you create a reminder for yourself of when this secret will expire so you can be proactive and configure a new secret before this one expires.<\/p>\n\n\n\n

On the next screen, click the copy button next to the Secret Value (not the Secret ID). Save this secret value in a safe place as it will be needed later.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Obtain Tenant ID<\/h3>\n\n\n\n

Navigate back to the newly created app registration (Click the Overview button on the left side navigation panel).<\/p>\n\n\n\n

Make note of the Application (client) id as well as the Directory (tenant) id as both values will be needed later.<\/p>\n\n\n\n

Configuring Redirect URI<\/h3>\n\n\n\n

The Redirect URI is what tells your SSO provider (Azure in this case) what endpoint to connect to once a user has been validated. <\/p>\n\n\n\n

On the overview page, click the “Add a Redirect URI” link. Then click “Add a platform”<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Click “Web”<\/p>\n\n\n\n

In the Redirect URI text input add the following text:<\/p>\n\n\n\n

https:\/\/yourserveraddress.com\/mrcjava\/servlet\/oauthcallback<\/p>\n\n\n\n

Azure requires this resource to either be localhost or https. From a practicality standpoint, your site needs to have an SSL site for production functionality.<\/p>\n\n\n\n

Click both checkboxes at the end of the page (Access tokens and ID tokens). Then click configure<\/p>\n","protected":false},"excerpt":{"rendered":"

This document will explain how to configure m-Power as well as a 3rd party tool (in our case, Microsoft’s Azure) to utilize OAuth2 for single sign on access to generated m-Power applications. Configuring m-Power Oauth2 SSO is configured at the data dictionary level. Therefore, you can control which dictionaries utilize…<\/p>\n","protected":false},"author":1,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[257],"ht-kb-tag":[297,296,295],"class_list":["post-11899","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-security","ht_kb_tag-security","ht_kb_tag-single-sign-on","ht_kb_tag-sso"],"_links":{"self":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/11899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/comments?post=11899"}],"version-history":[{"count":4,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/11899\/revisions"}],"predecessor-version":[{"id":13301,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb\/11899\/revisions\/13301"}],"wp:attachment":[{"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/media?parent=11899"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb-category?post=11899"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.mrc-productivity.com\/docs\/wp-json\/wp\/v2\/ht-kb-tag?post=11899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}