Enable Federated Authentication for Anyware Manager

To use the Federated Authentication feature seamlessly you must have the latest versions of all the HP Anyware software components, such as the Software Client, Software Agent, and the Anyware Manager installable. This does not apply if you are using Anyware Manager as a Service. Once Federated Authentication is configured, enable it from the Admin Console.

This has been tested against Okta and ADFS. In most IdPs, the settings include terms like:

  • Creating an App Integration
  • OAuth2 or OIDC or OpenId Connect sign-in method
  • Native Application application type
  • The Grant type is Authorization Code
  • And the redirect URL would be: pcoip://oauth/

To Enable Federated Authentication:

There are two methods of configuring Federated User Authentication in Anyware Manager: through the Admin Console, or through the Connector installer. Configuring via the Admin Console reduces the Connector install flags needed, makes it easier to pull the same configuration down to every Connector, and can still be used to override the settings of single Connectors. Configuring at the Connector suits scripted configurations that may differ per Connector, or testing the feature on one Connector without changing the whole environment.

1. Admin Console configuration

Global Configuration

Federated Authentication can be configured for your entire deployment using the Global configuration method. The steps are:

  1. Open the Anyware Manager Admin Console.
  2. Select your deployment from the drop down, click the kebab (3 vertically stacked circles) next to your deployment's name and select Edit deployment.
  3. Open the Deployment Settings section and select Connector Settings.
  4. Enable OAuth Authentication and enter the authentication URL and client ID. To obtain the OAuth client ID, log in to the Okta IdP and navigate to the Applications tab in the left pane; the client ID is shown in the highlighted area of the image below:

    [Image: Okta Applications tab with the OAuth client ID highlighted]

  5. Click Save Configuration.

Disabling OAuth for a Connector

This enables OAuth Authentication for all Connectors in the deployment. To enable or disable OAuth for a specific Connector, pass the following flags when installing or updating that Connector:

  • For Anyware Connector: anyware-connector configure <other configuration> --id-provider-url <authorization_url> --enable-oauth <true or false> --oauth-client-id <client id>.
  • For Ubuntu Connector: cloud-access-connector install <other configuration> --id-provider-url <authorization_url> --enable-oauth <true or false> --oauth-client-id <client id>.

Per Connector Configuration

Federated User Authentication can be configured on a per-Connector basis. This lets you try it out on a single Connector first, minimizing the impact on your deployment, or dedicate specific Connectors to Federated User Authentication:

  1. Select your deployment from the Deployment drop down option.
  2. Click Connectors from the left pane and select the Connector you wish to modify from the table.
  3. Select the Connector Settings tab and click Enabled under OAuth Authentication.
  4. Enter the following information into the interface that you obtained from your Identity Provider configuration:
    • Authorization URL
    • Client ID
  5. Click Save Configuration.

After configuring the setting in the Admin Console, run the following commands on the Connector to apply it.

For RHEL/Rocky Linux Connector:

  • To update/configure or deploy a new Connector:
    • Log into the Connector using SSH.
    • Run the command: sudo /usr/local/bin/anyware-connector configure <any other configuration flags you use> --pull-config-from-manager

For Ubuntu Connector:

  • To update:
    • Log into the Connector using SSH.
    • Run the command: sudo cloud-access-connector update <any other configuration flags you use> --pull-connector-config
  • To deploy a new Connector:
    • Log into the Connector using SSH.
    • Run the command: sudo cloud-access-connector install <any other configuration flags you use> --pull-connector-config

2. OAuth Configuration for Connectors

You can configure your environment at the connector using the command line interface (CLI) on each connector in your environment. You can choose this option if you are scripting connector deployments or if you wish to avoid storing your identity provider information in the Anyware Manager service.

For RHEL/Rocky Linux Connector:

If you are installing a new Connector or configuring an existing Connector:

  • sudo /usr/local/bin/anyware-connector configure […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX

For Ubuntu Connector:

If you are installing a new connector:

  • sudo cloud-access-connector install […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX

If you are configuring an existing connector:

  • sudo cloud-access-connector update […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX

Configuration Flags

  • --enable-oauth (Boolean): Enables OAuth authentication. Default: false.
  • --id-provider-url (String): Sets the identity provider URL, for example --id-provider-url https://provider-1234567890.okta.com. Required if --enable-oauth is true.
  • --oauth-client-id (String): Sets the client ID obtained from the Identity Provider. Required if --enable-oauth is true.
  • --fa-url (String): The Federated Auth Broker URL, for example https://cac-vm-fqdn:port.
  • --oauth-flow-code (String): Specifies the OAuth flow / grant type. Default: "OAUTH_FLOW_CODE_WITH_PKCE", which is currently the only supported flow.
  • --enable-entitlements-by-upn (Boolean): Enables or disables searching entitlements by UPN. Must be true if --enable-oauth is true.
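As an added example that is not part of the HP Anyware tooling, the POSIX shell helper below checks an OAuth flag set against the requirements listed for these flags (an HTTPS identity provider URL, a client ID, entitlements by UPN enabled, and the PKCE authorization-code flow) and prints the RHEL/Rocky Linux configure command instead of running it, so a scripted deployment fails early on an inconsistent flag set. The flag names are taken from this page; the Okta URL form and the XXXXXXXXX client ID are the same placeholders used above.

```shell
#!/bin/sh
# Added example, not part of HP Anyware or its tooling: check an OAuth flag
# set against the documented requirements before running the connector
# configure command. Flag names come from the page; the IdP URL and client
# ID used below are constructed placeholders.

# validate_oauth_flags ENABLE URL CLIENT_ID UPN FLOW
# Returns 0 when the combination satisfies the documented requirements,
# 1 otherwise (reason printed to stderr).
validate_oauth_flags() {
  enable="$1" url="$2" client_id="$3" upn="$4" flow="$5"
  case "$enable" in
    false) return 0 ;;   # OAuth disabled: nothing else is required
    true)  ;;
    *) echo "--enable-oauth must be true or false" >&2; return 1 ;;
  esac
  # --id-provider-url is required with OAuth; insist on https:// so the
  # authorization request and tokens never travel in clear text.
  case "$url" in
    https://?*) ;;
    *) echo "--id-provider-url must be an https:// URL" >&2; return 1 ;;
  esac
  [ -n "$client_id" ] || { echo "--oauth-client-id is required" >&2; return 1; }
  # Entitlement lookup by UPN must be on whenever OAuth is on.
  [ "$upn" = "true" ] || { echo "--enable-entitlements-by-upn must be true" >&2; return 1; }
  # Only the authorization-code-with-PKCE flow is supported.
  [ "$flow" = "OAUTH_FLOW_CODE_WITH_PKCE" ] || { echo "unsupported --oauth-flow-code: $flow" >&2; return 1; }
  return 0
}

# build_configure_cmd ENABLE URL CLIENT_ID UPN FLOW
# Prints the RHEL/Rocky Linux configure command line (without running it)
# once the flags validate; prints nothing and returns 1 otherwise.
build_configure_cmd() {
  validate_oauth_flags "$@" || return 1
  printf 'sudo /usr/local/bin/anyware-connector configure --enable-oauth %s --id-provider-url %s --oauth-client-id %s --enable-entitlements-by-upn %s --oauth-flow-code %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Demo with constructed values (the Okta URL form follows the flag description).
build_configure_cmd true https://provider-1234567890.okta.com XXXXXXXXX true OAUTH_FLOW_CODE_WITH_PKCE
# Rejected: plain http:// and UPN entitlements disabled.
build_configure_cmd true http://provider-1234567890.okta.com XXXXXXXXX false OAUTH_FLOW_CODE_WITH_PKCE || echo "rejected as expected"
```

On Ubuntu Connectors swap the command prefix for cloud-access-connector install or cloud-access-connector update; the flag set is the same.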