Enable Federated Authentication for Anyware Manager
To use the Federated Authentication feature seamlessly you must have the latest versions of all the HP Anyware software components, such as the Software Client, Software Agent, and the Anyware Manager installer. This is not applicable if you are using Anyware Manager as a Service. Once Federated Authentication is configured, enable it from the Admin Console.
This has been tested against Okta and ADFS. In most IdPs, the relevant settings use terms like:
- Creating an App Integration
- OAuth2 or OIDC or OpenId Connect sign-in method
- Native Application application type
- The Grant type is Authorization Code
- And the redirect URL would be: pcoip://oauth/
To Enable Federated Authentication:
There are two methods of configuring Federated User Authentication in Anyware Manager: through the Admin Console, or through the Connector installer. Configuring via the Admin Console reduces the connector install flags needed, makes it easy to pull the same configuration down to every connector, and can still be overridden for individual connectors. Configuring at the connector suits scripted deployments whose settings vary per connector, or trying the feature out without changing the whole environment.
1. Admin Console configuration
Global Configuration
Federated Authentication can be configured for your entire deployment using the Global configuration method. The steps are:
- Open the Anyware Manager Admin Console.
- Select your deployment from the drop down, click the kebab (3 vertically stacked circles) next to your deployment's name and select Edit deployment.
- Open the Deployment Settings section and select Connector Settings.
- Enable OAuth Authentication and enter the authorization URL and client ID. To obtain the OAuth client ID, log in to the Okta IdP and navigate to the Applications tab in the left pane. Refer to the highlighted area in the image below:
- Click Save Configuration.
Disabling OAuth for a Connector
This enables OAuth Authentication for all Connectors in the deployment. To enable or disable OAuth for a specific connector, use the following flags when installing or updating the Connector:
cloud-access-connector install <other configuration> --id-provider-url <authorization_url> --enable-oauth <true or false> --oauth-client-id <client id>
Per Connector Configuration
Federated User Authentication can be configured on a per-connector basis. This lets you try it out on a single connector first, to minimize impact on your deployment, or dedicate specific connectors to Federated User Authentication:
- Select your deployment from the Deployment drop down option.
- Click Connectors from the left pane and select the connector you wish to modify from the table.
- Select the Connector Settings tab and click Enabled under OAuth Authentication.
- Enter the following information, obtained from your Identity Provider configuration, into the interface:
  - Authorization URL
  - Client ID
- Click Save Configuration.
After configuring the setting in the Admin Console, run the following commands on the Connector to apply it.
- To update a connector to use this setting:
  - Log into the connector using SSH
  - Run the command: sudo cloud-access-connector update <any other configuration flags you use> --pull-connector-config
- To deploy a new connector to use this setting:
  - Log into the connector using SSH
  - Run the command: sudo cloud-access-connector install <any other configuration flags you use> --pull-connector-config
2. OAuth Configuration for Connectors
You can configure your environment at the connector using the command line interface (CLI) on each connector in your environment. You can choose this option if you are scripting connector deployments or if you wish to avoid storing your identity provider information in the Anyware Manager service.
If you are installing a new connector:
sudo cloud-access-connector install […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX
If you are configuring an existing connector:
sudo cloud-access-connector update […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX
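A script that drives connector installs should reject a flag combination the installer will refuse before it touches the machine. The following is an added example, not HP's code: it assembles the install or update command line and enforces the OAuth flag constraints documented on this page (the `build_connector_cmd` and `render` helper names, and the requirement that the IdP URL be HTTPS, are assumptions).

```python
# Added example (not HP's code): build a validated cloud-access-connector command
# for scripted deployments. The constraints checked are the ones this page
# documents for the OAuth flags; the HTTPS check and shell quoting are assumptions.
import shlex
from urllib.parse import urlparse

SUPPORTED_FLOWS = {"OAUTH_FLOW_CODE_WITH_PKCE"}


def build_connector_cmd(action, id_provider_url, client_id, enable_oauth=True,
                        flow="OAUTH_FLOW_CODE_WITH_PKCE", entitlements_by_upn=True,
                        fa_url=None, extra=()):
    """Return argv for `sudo cloud-access-connector install|update ...`.

    Raises ValueError on any flag combination the page documents as invalid,
    so a deployment script fails before it touches the connector.
    """
    if action not in ("install", "update"):
        raise ValueError("action must be 'install' or 'update'")
    argv = ["sudo", "cloud-access-connector", action, *extra]
    if not enable_oauth:
        return argv + ["--enable-oauth", "false"]
    # Flags that become mandatory once OAuth is enabled.
    if not id_provider_url or not client_id:
        raise ValueError("--id-provider-url and --oauth-client-id are required "
                         "when --enable-oauth is true")
    if not entitlements_by_upn:
        raise ValueError("--enable-entitlements-by-upn must be true when "
                         "--enable-oauth is true")
    if flow not in SUPPORTED_FLOWS:
        raise ValueError(f"unsupported --oauth-flow-code {flow!r}")
    # Assumption: refuse a plaintext IdP URL outright; the authorization exchange
    # must not cross the network unencrypted.
    parsed = urlparse(id_provider_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"--id-provider-url must be https://, got {id_provider_url!r}")
    argv += ["--enable-oauth", "true", "--id-provider-url", id_provider_url,
             "--oauth-client-id", client_id, "--oauth-flow-code", flow,
             "--enable-entitlements-by-upn", "true"]
    if fa_url:
        argv += ["--fa-url", fa_url]
    return argv


def render(argv):
    """Shell-quote argv so it is safe to paste into a terminal or a log."""
    return " ".join(shlex.quote(a) for a in argv)
```

Calling `render(build_connector_cmd("install", "https://provider-1234567890.okta.com", "CLIENT_ID_PLACEHOLDER"))` yields the full install line with every OAuth flag set; the placeholder client ID is a constructed value.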
Installation Flags
Flag | Type | Description |
---|---|---|
--enable-oauth | Boolean | Enables OAuth authentication. (Default: false) |
--id-provider-url | String | Sets the identity provider URL. Example: --id-provider-url https://provider-1234567890.okta.com. Required if --enable-oauth is true. |
--oauth-client-id | String | Sets the client ID obtained from the identity provider. Required if --enable-oauth is true. |
--fa-url | String | The Federated Auth Broker URL, for example https://cac-vm-fqdn:port |
--oauth-flow-code | String | Specifies the OAuth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"). "OAUTH_FLOW_CODE_WITH_PKCE" is currently the only supported flow. |
--enable-entitlements-by-upn | Boolean | Enables/disables searching entitlements by UPN. Must be true if --enable-oauth is true. |
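The IdP application settings listed at the top of this page (native application type, authorization code grant, redirect URL pcoip://oauth/) and the --oauth-flow-code default fit together because the client runs the PKCE authorization-code flow: a public client with no secret proves at token exchange that it started the request. The following added example, not HP's client code, walks through that flow from the client side; the authorize endpoint path, the scope and the function names are assumptions.

```python
# Added example (not HP's client code): what the OAUTH_FLOW_CODE_WITH_PKCE flow
# selected above does on the wire. The redirect URL pcoip://oauth/ and the
# authorization-code grant come from this page; the authorize endpoint path,
# the scope and the helper names are assumptions.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "pcoip://oauth/"  # custom scheme the native client registers


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """High-entropy code_verifier (43 chars); it never leaves the client."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(id_provider_url, client_id, verifier, state):
    """Authorization request of a public (native) client: no client secret is
    involved; the challenge binds this request to the later code exchange."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "state": state, "code_challenge": challenge_for(verifier),
              "code_challenge_method": "S256"}
    # Assumption: Okta-style default authorize path; real clients read it from
    # the IdP's OIDC discovery document.
    return id_provider_url.rstrip("/") + "/oauth2/v1/authorize?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Accept a code only from the registered redirect with a matching state;
    anything else is discarded (defence against injected or replayed callbacks)."""
    u = urlparse(callback_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != REDIRECT_URI:
        return None
    q = parse_qs(u.query)
    if q.get("state", [None])[0] != expected_state or "code" not in q:
        return None
    return q["code"][0]
```

The code returned by `check_callback` is then exchanged at the token endpoint together with the original verifier, which is the step a stolen authorization code alone cannot complete.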