Federated User Authentication
Caution: Technology Preview Feature
This feature is included in this release for user testing and feedback. It may contain bugs or be unstable, and is not recommended for production systems.
Federated User Authentication enables you to use your own Identity Provider (IdP) as the authenticating source for connecting users, before allowing them to select a desktop to connect to.
Important: Federated User Authentication does not authenticate desktops
Federated User Authentication does not allow users to log directly into remote desktops; users will still need to provide their username and password to authenticate with the remote desktop. A separate feature, called single sign-on, is currently in development and will accommodate a single login for both the list of desktops and the individual desktop login. If this is a capability you are interested in, please contact your HP account representative.
- PCoIP Connection Manager and PCoIP Security Gateway 22.09.0 or higher
- PCoIP Client 22.09.0 or higher
- An Identity Provider that supports OAuth2
- A custom or third-party broker that supports Federated User Authentication using the PCoIP Broker Protocol
Configuring the IdP
The instructions below are provided as an example with Okta. They are provided as a convenience; we do not control Okta's interface or process, and this procedure could change without our knowledge.
Other IdPs will have different procedures and may use different terms to describe the requirements.
Note: Common terminology
This has been tested against Okta and ADFS; most IdPs will use similar concepts. In most IdPs, the settings will include terms like the following:
- Creating an App Integration
- OAuth2 or OIDC or OpenId Connect sign-in method
- Native Application application type
- The Grant type is Authorization Code
- And the redirect URL would be: pcoip://oauth/
After completing the setup within your IdP, you will need to record the following information for later use:
- The authorization URL of your identity provider
- A Client ID
The IdP may provide additional options for the user experience after authenticating, such as what occurs on the web page left behind after the user returns to their PCoIP client.
Example Configuration using Okta
In the Applications tab, click Create App Integration, and specify the sign-in method and application type:
For Sign-in method, choose OIDC - OpenID Connect.
For Application type, choose Native Application.
When finished, click Next.
In the New Native App Integration settings page, specify the following:
App integration name: give the app a recognizable name.
Grant type: Check Authorization Code. Other options should remain unchecked.
Sign-in redirect URIs: Enter pcoip://oauth/ in the URI field.
Assignments: In the controlled access section, select Skip group assignment for now.
Configuring the Connection Manager and Security Gateway
If you are installing a new CMSG:
Open a console window and enter:
sudo pcoip-cmsg-setup install […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX
If you are configuring an existing CMSG:
sudo pcoip-cmsg-setup update […other settings...] --enable-oauth true --id-provider-url https://id.provider.com --oauth-client-id XXXXXXXXX
The above commands use the following flags:
--enable-oauth: Turns on the federated authentication feature. This flag will be removed in a future release.
--id-provider-url: URL of the identity provider.
--oauth-client-id: Obtain this value from your identity provider.
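The following is an added example, not code from the PCoIP client, the CMSG installer, or any IdP. It models what the IdP settings above (Authorization Code grant, Native Application, redirect URL pcoip://oauth/) and the two CMSG flags (--id-provider-url, --oauth-client-id) amount to in an OAuth2 authorization-code exchange: a pre-flight check of the values you are about to pass to pcoip-cmsg-setup, a check of the IdP's discovery document, the authorization request a native client would open, and validation of the pcoip://oauth/ callback. The discovery document and all URLs are constructed placeholders, and the use of PKCE, a state parameter and an OpenID Connect discovery document are assumptions that this page does not confirm about the PCoIP client.

```python
"""Illustrative model of the authorization-code flow behind Federated User
Authentication. Added example; not PCoIP or IdP code. PKCE, state and the
discovery document are assumptions about the client, not facts from the page."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "pcoip://oauth/"  # the redirect URL registered in the IdP

# Constructed sample discovery document, as an IdP would serve it at
# <id-provider-url>/.well-known/openid-configuration. Placeholder values only.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.provider.com",
    "authorization_endpoint": "https://id.provider.com/oauth2/v1/authorize",
    "token_endpoint": "https://id.provider.com/oauth2/v1/token",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
})


def validate_cmsg_oauth_args(id_provider_url, client_id):
    """Sanity-check the values for --id-provider-url and --oauth-client-id
    before running pcoip-cmsg-setup. Returns a list of problems (empty = OK)."""
    problems = []
    parts = urlsplit(id_provider_url)
    if parts.scheme != "https":
        problems.append("id-provider-url must use https")
    if not parts.netloc:
        problems.append("id-provider-url has no host")
    if not client_id or client_id != client_id.strip():
        problems.append("oauth-client-id is empty or has surrounding whitespace")
    return problems


def check_discovery(document_json, id_provider_url):
    """Confirm the IdP advertises what the Authorization Code grant needs."""
    doc = json.loads(document_json)
    problems = []
    if doc.get("issuer") != id_provider_url.rstrip("/"):
        problems.append("issuer does not match id-provider-url")
    if urlsplit(doc.get("authorization_endpoint", "")).scheme != "https":
        problems.append("authorization_endpoint is missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not support response_type=code")
    grants = doc.get("grant_types_supported")
    if grants is not None and "authorization_code" not in grants:
        problems.append("IdP does not support the authorization_code grant")
    return problems


def build_authorization_request(authorization_endpoint, client_id):
    """Build the URL a native client would open in the browser, plus the
    per-request secrets it must keep (state to match the callback, PKCE
    verifier for the later token exchange)."""
    state = secrets.token_urlsafe(16)
    code_verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",  # the Authorization Code grant from the page
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}", state, code_verifier


def parse_callback(callback_url, expected_state):
    """Handle the pcoip://oauth/ redirect: reject a callback whose state was
    not issued by this client (a CSRF check) and surface IdP errors instead
    of mistaking them for a code. Returns the authorization code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback is not for the registered redirect URI")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated here")
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    provider, client = "https://id.provider.com", "XXXXXXXXX"
    assert not validate_cmsg_oauth_args(provider, client)
    assert not check_discovery(SAMPLE_DISCOVERY, provider)
    url, state, _ = build_authorization_request(
        json.loads(SAMPLE_DISCOVERY)["authorization_endpoint"], client)
    print(url)
    print(parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state))
```

The two validation functions are the part worth running before `pcoip-cmsg-setup`: a plain-http provider URL or a client ID copied with trailing whitespace will not fail until a user tries to sign in, and the discovery check catches an IdP app that was created with the wrong grant type. The state check in `parse_callback` is why a native client should never accept a code that arrives on pcoip://oauth/ without having initiated the request itself.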