OpenID Connect binding
Info
This page mainly describes the OIDC connection in octoplant. For the basic configuration and the OIDC setup itself, refer to OIDC setup for Microsoft Azure/AD and to the OpenID documentation of the external ID provider.
OpenID Connect (OIDC) is an interoperable authentication protocol that adds an identity layer on top of the OAuth 2.0 authorization framework.
octoplant can currently be used with the following OIDC providers:
- Microsoft Azure/AD
- On-premises Microsoft Azure/AD
If you already have an account with an identity provider, OpenID Connect lets you use that account to sign in to other applications that trust that provider, such as octoplant.
For example, with a Microsoft account you can sign in to an OIDC-enabled application or website that is registered with that provider without creating a separate account or password there (Apple and Google accounts work the same way with applications that trust them).
OAuth (Open Authorization) is a standardized authorization framework for software applications. In the octoplant login, the identity provider (Microsoft Azure AD) authenticates the user and issues tokens; octoplant grants access based on those tokens rather than on a password stored in octoplant.
OAuth can be used alongside other sign-in methods, such as local authentication or LDAP. When multiple methods are configured, users can select their preferred option on the sign-in screen.
octoplant without OAuth
As a customer, you can choose whether to use OAuth. If you do not use OAuth, no additional system configuration is required:
- The octoplant server and the client can communicate using the IP address or the computer name (FQDN)
- No additional handling of external certificates or tokens is required
- If a CSC Gateway is required (for example, when using separated networks), it can be configured without additional external effort

OAuth implementation requirements
Using OAuth changes the login process slightly and adds requirements that also harden the deployment:
- Activate and configure OAuth in octoplant.
- Install a TLS certificate for the server's FQDN, issued by a Certificate Authority that the clients trust, on the octoplant server. This step may require assistance from your IT team.
- Use a fully qualified domain name (FQDN) for server and client communication. If clients currently connect by IP address, replace it with the FQDN in the client login configuration.
FQDN requirement
The octoplant server and client can communicate only via the FQDN, because the FQDN is embedded in the server's TLS certificate and in the tokens and redirect addresses used for OAuth; an IP address does not match them.
- Ensure that a Domain Name System (DNS) server is available that resolves the FQDN for both the server and the clients. In most cases, the operating system of the octoplant server is already configured to use DNS.
- Create a new registration for octoplant in the ID provider (for Microsoft Azure AD, an app registration).
- Ensure that the ID provider is reachable from both the octoplant server and the client, because both communicate with it during login.
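The requirements above can be verified before the first OAuth login with a short preflight script. The following PowerShell script is an added example, not part of octoplant or its documentation; the server name, HTTPS port and Azure AD tenant ID in its param block are placeholders to replace with your own values. It checks that the configured name is a FQDN and resolves in DNS, fetches the server's TLS certificate, checks that the certificate's DNS names cover the FQDN and that the trust chain is valid on this machine (the failure that browsers report as NET::ERR_CERT_AUTHORITY_INVALID), and finally fetches the OIDC discovery document of the tenant from the ID provider. Run it on the octoplant server and on a client, because both must pass every check.

```powershell
<#
  Preflight check for the octoplant OAuth/OIDC requirements.
  Added example; not part of octoplant or its documentation.
  Assumed placeholders: the server FQDN, HTTPS port and Azure AD tenant id
  in the param block. Run it on the octoplant server AND on a client.
#>
param(
    [string]$ServerFqdn = 'octoplant.corp.example',                  # assumed
    [int]   $Port       = 443,                                       # assumed
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000'     # assumed
)
$ErrorActionPreference = 'Stop'
$failed = $false

# True when $Name is covered by one of the certificate's DNS names,
# including a single-label wildcard such as *.corp.example.
function Test-SanMatch([string]$Name, [string[]]$Sans) {
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and ($Name -like $san) -and
            ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. The name must be a FQDN: certificate and tokens carry the DNS name, not an IP.
$ip = $null
if ([System.Net.IPAddress]::TryParse($ServerFqdn, [ref]$ip)) {
    Write-Warning "NAME : '$ServerFqdn' is an IP address; OAuth login needs the FQDN"; $failed = $true
} elseif ($ServerFqdn -notmatch '\.') {
    Write-Warning "NAME : '$ServerFqdn' is not fully qualified"; $failed = $true
}

# 2. DNS must resolve the FQDN from this machine.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ServerFqdn) | ForEach-Object IPAddressToString
    Write-Host "DNS  : $ServerFqdn -> $($addrs -join ', ')"
} catch { Write-Warning "DNS  : cannot resolve '$ServerFqdn' ($($_.Exception.Message))"; $failed = $true }

# 3. TLS: fetch the server certificate, then check name coverage and the trust chain.
#    The callback accepts everything only so the handshake completes and the
#    certificate can be inspected; the verdict is computed below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()

    $sans = @($cert.DnsNameList | ForEach-Object Unicode)
    if ($sans.Count -eq 0) { $sans = @($cert.GetNameInfo('DnsName', $false)) }   # CN-only certificate
    Write-Host "TLS  : subject=$($cert.Subject) issuer=$($cert.Issuer) notAfter=$($cert.NotAfter)"
    Write-Host "TLS  : DNS names=$($sans -join ', ')"

    if (-not (Test-SanMatch $ServerFqdn $sans)) {
        Write-Warning "TLS  : certificate does not cover '$ServerFqdn' (browsers: NET::ERR_CERT_COMMON_NAME_INVALID)"; $failed = $true
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "TLS  : certificate has expired"; $failed = $true }

    # Chain validation against this machine's certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        Write-Warning "TLS  : chain not trusted on this machine [$status]; browsers show NET::ERR_CERT_AUTHORITY_INVALID. Import the issuing CA into the Trusted Root / Intermediate CA stores."
        $failed = $true
    }
} catch { Write-Warning "TLS  : handshake with ${ServerFqdn}:$Port failed ($($_.Exception.Message))"; $failed = $true }

# 4. The ID provider must be reachable: fetch the tenant's OIDC discovery document.
$discovery = "https://login.microsoftonline.com/$TenantId/v2.0/.well-known/openid-configuration"
try {
    $meta = Invoke-RestMethod -Uri $discovery -Method Get -TimeoutSec 15
    Write-Host "IdP  : issuer=$($meta.issuer)"
    Write-Host "IdP  : authorization_endpoint=$($meta.authorization_endpoint)"
} catch { Write-Warning "IdP  : cannot fetch $discovery ($($_.Exception.Message))"; $failed = $true }

if ($failed) { Write-Host 'RESULT: one or more checks failed'; exit 1 }
Write-Host 'RESULT: all checks passed'
```

Save it as a .ps1 file and run it as `.\Test-OctoplantOidcPrereqs.ps1 -ServerFqdn octoplant.corp.example -TenantId <your tenant id>` on the server and on a client. A chain error on the client but not on the server usually means the internal CA certificate was installed on the server only; a name mismatch usually means the certificate was issued for the short host name or for an IP address.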
FAQ
How to fix NET::ERR_CERT_AUTHORITY_INVALID errors
The browser reports NET::ERR_CERT_AUTHORITY_INVALID when the certificate presented by the octoplant server was not issued by a Certificate Authority that the client trusts (for example, a self-signed certificate, or an internal CA whose root certificate is not installed on the client). Following the procedure described in Use your own security certificate with a certificate from a proper Certificate Authority (internal or external) that the clients trust fixes the error.
Related topics