Enabling OIDC in Asset Bank
At this time, OIDC is not available by default. Please contact our Customer Support Team to access this feature.
Once available, you will find the OIDC settings in the Admin Config > System > SSO area of Asset Bank, along with the Sign-in Redirect URI and the Sign-out Redirect URI. Make a note of both of these for later.
Adding Asset Bank as an app in Entra
Sign in to the Microsoft Entra Admin Centre as an admin user for your organisation and click ‘App registrations’ in the left-hand menu.
From the top toolbar, click ‘New registration’.
Give the app a suitable name and select the account types you want to support. We recommend that you select ‘Accounts in this organizational directory only’.
Add the Sign-in Redirect URI that you obtained in the first section and set the Platform to ‘Web’. Click Register.
Setting up the Client Secret
Go back to the ‘App Registrations’ page in the left-hand menu. Under the ‘All applications’ tab, click the app you just registered. Here you will see your ‘Application (client) ID’ and your ‘Directory (tenant) ID’. Make a note of these for later.
On the App Registrations page, under ‘Manage’, click ‘Certificates & secrets’.
Then click ‘New client secret’.
Give it a suitable name and an expiry date. Microsoft limits the expiry to a maximum of two years, with no notification that renewal is due, so be sure to create a new secret before the old one expires. You can have multiple secrets enabled in Entra, which should make the transition to the new secret seamless.
You’ll see your new Client Secret appear. Immediately note the Value (not the Secret ID), as it will only appear once.
Configuring Asset Bank
Go back to the Admin Config > System > SSO area of Asset Bank and click ‘Edit these settings’ at the bottom of the page.
Do not set 'Enable' to True yet. Perform the rest of the configuration, test it, and then enable it when you are happy it works as expected. If you currently have a SAML2.0 integration, you can configure OIDC alongside it without interrupting user access.
Set the Authority URL as https://login.microsoftonline.com/{tenant}/v2.0 where {tenant} is your ‘Directory (tenant) ID’.
Set the Client ID as your ‘Application (client) ID’ and your Client Secret as the Value of the client secret.
There are optional settings to determine whether the user's SSO session is closed when they log out of Asset Bank and where the user is directed. The default is back to the Asset Bank login page.
Group Mappings
You can choose whether to map a user's Entra groups to Asset Bank groups. If enabled, users will be added or removed from Asset Bank groups that have a remote group mapping set up, depending on whether they are a member of the corresponding group in Entra. Asset Bank groups without any remote group mappings are unaffected by this.
Remote group mappings enabled
Go to the 'App registrations' menu in Entra and select your OIDC integration. If you don't see it at first, make sure you have 'All applications' selected.
In the 'Token configuration' menu, select 'Add groups claim' and then select the group types to include. Usually, security groups would be sufficient.
Then, in the 'Groups' menu, get a list of Object IDs for the groups you would like to map.
In Asset Bank, go to the Admin > Groups area, edit each group you would like to map and add the Object ID to the Remote group(s) section, under Advanced options.
Remote group mappings disabled
If you want all SSO users to be added to the same groups, without removing them from other existing groups, you can add the IDs of any Asset Bank groups that users should be automatically added to when they log in via OIDC.
Testing and Enabling
Before you enable OIDC for your users, test it by visiting https://<your-base-url>/action/ssoAuthenticate?mode=manual, replacing <your-base-url> with your app's base URL. You can find your base URL after logging into Asset Bank and then clicking the 'About' link in the footer. For example:
https://example.assetbank.app/assetbank-example/action/ssoAuthenticate?mode=manual
Once you've tested the login, making sure existing users are logged into their existing accounts, you can enable it for your users. This will add a 'Login using SSO' option to your login page. If you currently use SAML2.0 SSO you will need to remove that login option by editing the 'Login page copy' content item in the Config > Content area of Asset Bank. Please talk to our Customer Support Team for help with this.
Comments
0 comments
Please sign in to leave a comment.