Question Karl Smith · Jun 26, 2023

Authenticating IRIS users with ADFS

Hi,

Looking for some guidance on setting up IRIS to use single sign on to authenticate with ADFS. 

We have a request for users to automatically launch IRIS without the need to login, the user will be authenticated by Single Sign on (SSO) against ADFS.

Do we need to have an authorization server as well as a client? ADFS will handle all the authentication side, so would it be a case of configuring the IRIS client to communicate with ADFS, following the link below?

OAuth Configuration

Appreciate any help or advice given.

Thanks in advance. 

Comments

DC AI Bot · May 26

If ADFS is handling authentication, IRIS does not have to be the authorization server for that flow; IRIS can be configured to know the external authorization server and use its endpoints/metadata. In the Management Portal, you can create a Server Description for the external server by setting the Issuer URL, using Discover, and saving it so IRIS pulls the authorization endpoint, token endpoint, JWKS URI, and related metadata it needs. [1]

If you want IRIS to validate tokens and protect its own APIs or web resources, you then configure IRIS as a Resource Server tied to that server definition. The example flow shows creating a Resource Server entry with the external server definition and intended audiences so IRIS accepts only tokens issued for that API. [1]

The documentation also states that if an InterSystems IRIS resource server does not use any endpoints of the authorization server, then it is not necessary to create an OAuth 2.0 configuration on this machine. In that case, IRIS can read the access token directly from the HTTP authorization header and use it as needed. [2]

For endpoint-based validation, IRIS can call the authorization server’s introspection endpoint with GetIntrospection(), using the client_id and client_secret associated with the configured application name. It also notes that you cannot use this method if the server does not specify an introspection endpoint or if Client secret is not specified. [2]

If your goal is browser SSO into an IRIS web application, the OAuth/OpenID setup described in the returned material shows the client/resource-server pattern and token validation, but it does not explicitly describe ADFS-specific single sign-on behavior for “automatically launch IRIS without the need to login.” What is clearly supported in the returned material is:

  • defining the external authorization server in IRIS,
  • configuring IRIS as a client/resource server against that server,
  • and mapping token claims/scopes into IRIS username/roles via an authenticator class if needed. [1]

A related example also notes a server option for Support user session, meaning the authorization server can keep the current browser user logged in with an httpOnly cookie so subsequent token requests do not prompt again for username and password. [3]

So, based on the returned material, the closest match to your question is: if ADFS is the identity/authorization provider, configure IRIS to trust and use that external server definition, and configure IRIS as a client and/or resource server as required by your application flow; you do not need IRIS itself to also be the authorization server unless you specifically want IRIS to issue tokens. [1][2]

Please note: beginning with Caché 2017.1, it is no longer necessary to use X.509 certificates to generate JWT / JWKS (JSON Web Key Set). For backward compatibility and simplicity, we use this option. [3]
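To make the resource-server side of the answer concrete, here is an added example of a REST dispatch class that validates an ADFS-issued bearer token inside IRIS. It is not code from the post above and not InterSystems' own sample; it only uses the `%SYS.OAuth2.AccessToken` and `%SYS.OAuth2.Validation` class methods the answer refers to. The resource-server configuration name `ADFSResourceServer` (assumed to be tied to a server description created with Discover from the ADFS issuer URL) and the audience `api://iris-app` are placeholders you would replace with your own values.

```objectscript
/// Added example, not InterSystems' code: a resource-server endpoint that
/// accepts only tokens minted for this API's audience.
/// Assumptions (placeholders): the OAuth 2.0 resource-server configuration in
/// IRIS is named "ADFSResourceServer" and its intended audience is "api://iris-app".
Class Demo.ADFS.RESTHandler Extends %CSP.REST
{

/// Name of the IRIS resource-server configuration (placeholder).
Parameter APPLICATIONNAME = "ADFSResourceServer";

/// Audience this API expects in every token (placeholder).
Parameter AUDIENCE = "api://iris-app";

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
  <Route Url="/whoami" Method="GET" Call="WhoAmI" />
</Routes>
}

/// Return the subject of a valid bearer token, or 401 when it is missing or rejected.
ClassMethod WhoAmI() As %Status
{
    Set claims = ..ValidateBearerToken(.sc)
    If (claims = "") {
        Set %response.Status = "401 Unauthorized"
        Do %response.SetHeader("WWW-Authenticate", "Bearer")
        Quit $$$OK
    }
    Set out = {}
    Set out.sub = claims.sub
    Set out.upn = claims.upn    ; empty string if ADFS did not issue a upn claim
    Write out.%ToJSON()
    Quit $$$OK
}

/// Read "Authorization: Bearer <token>" from the request and validate it.
/// Returns the token claims as a %DynamicObject, or "" when the token is rejected.
ClassMethod ValidateBearerToken(Output sc As %Status) As %DynamicObject
{
    Set sc = $$$OK
    Set token = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.sc)
    If $$$ISERR(sc) || (token = "") Quit ""

    // Local validation: signature against the server's JWKS, plus issuer,
    // expiry and the audience given as the fourth argument ("" = no scope check).
    Set valid = ##class(%SYS.OAuth2.Validation).ValidateJWT(..#APPLICATIONNAME, token, "", ..#AUDIENCE, .claims, .securityParameters, .sc)
    If valid && $$$ISOK(sc) Quit claims

    // Fallback for opaque (non-JWT) tokens: ask the authorization server.
    // As the answer notes, this only works when the server description has an
    // introspection endpoint and the resource-server configuration has a client secret.
    Set active = ##class(%SYS.OAuth2.AccessToken).GetIntrospection(..#APPLICATIONNAME, token, .introspection, .sc)
    If 'active || $$$ISERR(sc) Quit ""
    If '..AudienceMatches(introspection.aud) Quit ""
    Quit introspection
}

/// The aud claim may be a single string or an array; accept the token only if
/// our audience is present.
ClassMethod AudienceMatches(aud) As %Boolean
{
    If '$IsObject(aud) Quit (aud = ..#AUDIENCE)
    Set found = 0, iter = aud.%GetIterator()
    While 'found && iter.%GetNext(.key, .value) { Set found = (value = ..#AUDIENCE) }
    Quit found
}

}
```

Checking the audience on both paths is the point: a token ADFS issued for some other application must not be accepted here even though its signature is valid. Turning the returned claims into an IRIS username and roles is the separate authenticator step the answer mentions and is not shown above.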
