Having a centralised identity management system is the current best practice to consolidate and enforce secure login and authorisation policies over a wide range of systems, applications and devices. It solves the problem of having separate credentials for different systems, something which is inconvenient and can lead to insecure practices like password reuse.
We are happy to announce that ePortal 1.26-1 introduces support for Single Sign-On authentication following the OAuth 2.0 standard, supported out-of-the-box by authentication providers like Google, Okta and others.
From an administrative perspective, centralised authentication gives better control over policies like credential expiration, multi-factor token usage and access restrictions. So, whenever an application is added to your existing infrastructure, it’s just a matter of connecting it up to the centralised identity management system, and it’s ready to use.
Like other applications, ePortal requires configuration both in the Identity Management system (to add a new application) and within ePortal itself (to connect to that Identity Management system).
For example, when connecting ePortal to use Okta, you can follow the detailed instructions found in the documentation. This basically requires you to add a new application integration through the Okta Admin Console, selecting OpenID Connect as the Sign-In method, and filling in the following fields:
- Sign-in redirect URIs:
- Sign-out redirect URIs:
On the ePortal side, some configuration is also needed, and the details depend on the SSO provider used. For example, with an Okta server, the following configuration would achieve the integration:
cat <<EOF >> /usr/share/kcare-eportal/config/local.py
After making this change, you will need to reboot ePortal. You can find the instructions to do so here (dependent on the operating system used):
After the service successfully starts, when you try to log in, you will be greeted by this screen:
Now you can select “Sign In with SSO” to enter.
As mentioned above, the documentation that includes more details and step-by-step instructions can be found at: https://docs.kernelcare.com/kernelcare-enterprise/#authentication-using-single-sign-on
As with other recent features, the OAuth 2.0 integration started as a request from one of our subscribers. If you have any special needs that you would like to see included, get in touch with us; we’re always happy to improve our services to better meet your expectations.