Configuration of the OpenID Connect authentication provider in WEBCON BPS

Applies to version: 2021.1.x and above; author: Michał Bednarz

From version 2021, you can authenticate in WEBCON BPS with any provider using the OpenID Connect standard. In this article, we explain how to configure it using Google authentication as an example. Please note that the configuration is identical when you use another provider. 

It is necessary to register the application on the provider’s side, in this case, Google. The configuration is described here.

Integration of the authentication provider in WEBCON BPS requires the provider to fully implement the OpenID Connect protocol. It is necessary that the endpoint with metadata (autodiscovery) is available at <Authority>/.well-known/openid-configuration.

During registration, we will obtain the data necessary for configuration:

• Customer ID
• Client secret key

Remember to specify the redirection URL during configuration, this address must be in the format https: // <site-address-in-format-fqdn> / signin- <schema-name >

In BPS Designer Studio, open system settings, find the authentication provider section, select OpenID Connect, and click New. Then, complete the configuration fields:

• Active in Designer Studio” and “Active in BPS Portal” - decides to which instances of the system it will be possible to log in using the authentication provider we have configured.
• “Scheme” – this is the provider’s internal name; must be unique and different from “AAD” and “Google.”
• “Display name” – the name that will be visible in the authentication provider selection panel. 
• Host address - data provided by the authentication provider, in the case of Google https://accounts.google.com/
• Issuer - data provided by the authentication provider, in the case of Google https://accounts.google.com/
• Client ID - Application ID registered on the provider’s side.
• Client password - password for the application registered on the provider’s side. 
• Logout URL - after logging out, the user will be redirected to this address. It can be left blank as it is not obligatory. In this case, the user will be redirected to the BPS Portal login page.
• Scope - list of data necessary for BPS to identify the user. “Profiles” and “email” are already added by default. For other OpenID server implementations, you may need to add different scopes.

After completing the configuration, save the settings and restart the portal application pool. It is also necessary to grant permissions for the Google account. To do this, go to the list of BPS users, and add a new user. The BPS ID and email should be used as user identifiers in Google. Then, add system permissions to the new user.

For more information on adding users, consult this article.

Go to your site address https: // <site-address-in-fqdn-format, you will be automatically redirected to the authentication provider selection page. Select the authentication provider you have added before; in our example, it is Google.

Now, you will be redirected to the Google authentication page where you can select your Google account from the list of available accounts or, if you are not logged in, you can log in to your Google account. If necessary, allow the application to access user data. After logging in, you are redirected to BPS Portal page. In the user menu, you can see that you are logged in to the system through a Google account (as in the figure below).

If you click “logout,” you will be redirected to the logout URL you have configured before. If you have not indicated any URL there, you will be brought to the default page, which is BPS Portal login page.