Confinity Documentation
Authentication & SSO

To authenticate users of the Confinity admin panel, you can use either Confinity's local authentication or Single Sign-On (SSO).

Local Authentication

Local authentication is the default method for logging into the Confinity admin panel. Users and their role assignments are managed directly in Confinity. No additional configuration is needed if you choose to use local authentication.

Disable Local Authentication

If you want to disable local authentication, for example, when you only want to allow login via SSO, you can do so via appsettings.json as follows:

"ConfinityAuth": {
  "LocalAuthEnabled": false
}

Or with an environment variable:

ConfinityAuth__LocalAuthEnabled=false

SSO

If you want to use SSO, you have the option to use either OpenID Connect (OIDC) or a custom user provider in combination with a reverse proxy. We recommend using OIDC for SSO cases.

OpenID Connect (OIDC) Configuration

You can add OIDC SSO by simply adding the following configuration to appsettings.json:

"ConfinityAuth": {
    "OidcProviders": {
        "company_sso": {
            "Name": "My Company SSO",
            "ClientSecret": "very-secret",
            "ClientId": "client-id",
            "MetadataEndpoint": "https://oidcprovider.example.com/.well-known/openid-configuration",
            "Hidden": false
        }
    }
}

In the example above, company_sso is the unique key for this OIDC provider. You can define as many providers as you need. For each provider, you can configure the following properties:

  • Name (string): A name shown to the user on the login screen.
  • ClientSecret (string): The client secret issued by the OIDC provider.
  • ClientId (string): The client ID issued by the OIDC provider.
  • MetadataEndpoint (string): The URL of the OIDC metadata (discovery) endpoint published by the OIDC provider.
  • Hidden (boolean): Whether the provider is hidden on the login screen by default; hidden providers can still be shown with the allproviders query parameter (see Show Hidden Providers below).
  • DisablePushedAuthorizationRequest (boolean, default false): Whether to explicitly disable Pushed Authorization Request (PAR).
  • TokenEndpointClientSecretMethod ("BasicAuth" or "PostBody", default "BasicAuth"): Whether the client secret is sent to the token endpoint with HTTP Basic Auth or in the POST body.

Show Hidden Providers

When a provider is configured as hidden, you can make it visible by adding the URL query parameter allproviders to the login URL as follows:

/.confinity/#/auth/login?allproviders
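As an added example (not Confinity's own code), a Python pre-flight check over the ConfinityAuth section: it applies the ASP.NET-style double-underscore environment overrides shown above (ConfinityAuth__LocalAuthEnabled=false) on top of appsettings.json and flags what a reviewer would want to catch before deploying: local authentication disabled with no OIDC provider at all, every provider hidden so the login screen lists none without allproviders, a MetadataEndpoint that is not https, and a TokenEndpointClientSecretMethod outside the two documented values. The sample appsettings fragment is constructed for this example, and the rules are this checker's own, not Confinity's validation.

```python
import json

# Constructed sample appsettings fragment with three deliberate problems:
# an http metadata URL, only a hidden provider, and a bad secret method.
SAMPLE_APPSETTINGS = """{"ConfinityAuth": {"LocalAuthEnabled": false, "OidcProviders": {
  "company_sso": {"Name": "My Company SSO", "ClientId": "client-id", "ClientSecret": "very-secret",
    "MetadataEndpoint": "http://oidcprovider.example.com/.well-known/openid-configuration",
    "Hidden": true, "TokenEndpointClientSecretMethod": "Basic"}}}}"""

ALLOWED_SECRET_METHODS = ("BasicAuth", "PostBody")  # the two values the docs list


def apply_env_overrides(config, environ):
    """ASP.NET convention: 'ConfinityAuth__LocalAuthEnabled=false' sets config['ConfinityAuth']['LocalAuthEnabled']."""
    for key, value in environ.items():
        if "__" not in key:
            continue  # not a configuration override (e.g. PATH)
        *parents, leaf = key.split("__")
        node = config
        for part in parents:
            node = node.setdefault(part, {})
        # Environment values are strings; map the JSON booleans back.
        node[leaf] = {"true": True, "false": False}.get(value.lower(), value)
    return config


def check_confinity_auth(config):
    """Return a list of findings for the ConfinityAuth section (empty list = clean)."""
    findings = []
    auth = config.get("ConfinityAuth", {})
    providers = auth.get("OidcProviders", {})
    if auth.get("LocalAuthEnabled", True) is False and not providers:
        findings.append("LocalAuthEnabled is false but no OIDC provider is configured")
    if providers and all(p.get("Hidden", False) for p in providers.values()):
        findings.append("all OIDC providers are hidden; none is listed unless ?allproviders is added to the login URL")
    for key, p in providers.items():
        for required in ("ClientId", "ClientSecret", "MetadataEndpoint"):
            if not p.get(required):
                findings.append(f"{key}: missing {required}")
        endpoint = p.get("MetadataEndpoint", "")
        if endpoint and not endpoint.startswith("https://"):
            findings.append(f"{key}: MetadataEndpoint must use https")
        method = p.get("TokenEndpointClientSecretMethod", "BasicAuth")
        if method not in ALLOWED_SECRET_METHODS:
            findings.append(f"{key}: unknown TokenEndpointClientSecretMethod {method!r}")
    return findings


def check_sample():
    """Run the checker over the constructed sample with the documented env override applied."""
    config = apply_env_overrides(json.loads(SAMPLE_APPSETTINGS), {"ConfinityAuth__LocalAuthEnabled": "false"})
    return check_confinity_auth(config)
```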

Generic Identity Provider Configuration

To configure the identity provider, use the following settings. Confinity uses the authorization code flow.

  • Redirect URI: <URL to Author Instance>/.confinity/api/auth/oidcreturn
  • Front-channel logout URL: <URL to Author Instance>/.confinity/api/auth/logout
  • Authentication: currently only client secret is supported
  • Scopes: openid profile email offline_access
  • Token Endpoint Authentication Method: Client Secret Basic Authentication (default; configurable)
  • Response Type: Code
  • Token claims:
    • preferred_username
    • family_name
    • given_name
    • email
    • roles
    • groups (optional)

Provider Configuration: PING Identity

To configure SSO using PING Identity, use the following configuration.

  1. Create a new application using Application Type: OIDC Web App
  2. Set the following configuration:
    • Response Type: Code
    • Grant Type:
      • Authorization Code (PKCE Enforcement: OPTIONAL)
    • Refresh Token enabled:
      • Refresh Token Duration: Usually between 10 and 60 min
      • Refresh Token Rolling Duration: Usually between 1 and 30 days
    • Redirect URIs: https://<HOST AUTHOR INSTANCE>/.confinity/api/auth/oidcreturn
    • Token Endpoint Authentication Method: Client Secret Basic
    • Signoff URLs: <URL to Author Instance>/.confinity/api/auth/logout
    • PingOne API Access Token Duration: Lower or equal to Refresh Token Duration
    • Leave other options empty or at their default
  3. Add the following resources:
    • email
    • offline_access
    • openid
    • profile
  4. Attribute Mappings: Map all attributes according to the token claims listed in the generic identity provider configuration above.

Custom SSO

If you have a reverse proxy with session management that handles user authentication for you, you can implement the interface Confinity.Auth.IConfinityUserProvider and register it via the service provider as follows:

services.AddTransient<IConfinityUserProvider, MyUserProvider>();