Setting up OAuth 2.0 for Private Cloud

Applies to AnyLogic Cloud 2.5.0. Last modified on November 20, 2024.

By integrating Private Cloud Pro or Enterprise with an identity provider service, you can use that service as a source of Cloud user data.

The OAuth integration has been tested for the following providers: Microsoft Entra ID, OKTA, Ping One, KeyCloak, Google. Potentially, any OAuth 2.0 and OpenID Connect compatible identity provider can be used.

• Your Private Cloud instance should be configured to use the HTTPS protocol.
• To use OAuth integration, user account data should include the field containing their email.
• At a minimum, the identity provider should return the following data fields (or their analogues):

  client-id
  client-secret
  scope
  secret-uri

To set up OAuth for your instance, you must set up the application in the console of your identity provider and then manually edit Private Cloud configuration files, registration.json and oauth.json.

1. Go to the website of your identity provider. The examples below use settings required for the PingOne service. Other providers may require additional information.
2. Create a new integration for your Private Cloud application.
   The specific settings and their values vary by provider. For instance, the following is required when configuring the PingOne integration:

   Response type: Code only
   Grant type: Authorization Code
   PKCE Enforcement: Optional

3. When setting up the Redirect URL, use the following pattern:

   https://<Private Cloud instance address>/api/oauth/<registration ID>

   The registration ID is a variable that you should manually name and enter this name in the configuration of the identity provider. For example, if you use ping as the registration ID, the resulting URL will be https://<Private Cloud instance address>/api/oauth/ping.
4. To let the identity provider provide the necessary credentials for Private Cloud users, enable the email and profile scopes.
5. Go to the /home/alcadm/alc/controller/conf directory on the machine that serves the controller component.
6. Open the registration.json file.
7. Modify the value of the enterprise field in the providers object by adding the necessary providers:
   • anylogic — enables user management functionality of AnyLogic Cloud.
   • ldap — enables the authentication via the LDAP server associated with the Private Cloud instance; the server should be specified in ldap.json.
   • ad — enables the authentication via the Active Directory server associated with the Private Cloud instance; the server should be specified in ad.json.
   • oauth — enables the authentication via the OAuth 2 compliant identity provider. The settings must be specified in oauth.json.
   The order in which the providers are listed is important! The instance will first to identify the user in the first provider listed and then moves on to the next.
8. Save the registration.json file and close it.
9. Open the oauth.json file.
10. Specify the settings of your OAuth configuration. The specific list of fields depends on the provider. See the Spring documentation for a reference on all available fields.
    See the example configurations below.
11. To apply changes you have made in JSON files, stop the controller and rest components by executing the following command in the Linux terminal on the machine that serves this component:

    sudo docker stop controller rest

12. After that, start the controller component manually:

    sudo docker start controller

After that, your users should be able to log in to the Private Cloud instance using their credentials from the OAuth provider.

This section lists example configurations for several single sign-on providers.

Microsoft Entra ID

{
    "oauthProviders": [
        {
            "registrationId": "entraid", // The user-defined name which is used in redirect-uri
            "name": "MS Entra ID", 
            "providerConfiguration": {
                "issuer-uri": "https://login.microsoftonline.com/<tenant ID>/v2.0"
            },
            "registrationConfiguration": {
                "client-id": "<Client ID>",
                "client-secret": "<Client secret>",
                "scope": [
                    "User.Read" // The list of scopes depends on the identity provider
                ],
                "redirect-uri": "https://<AnyLogic Cloud host name>/api/oauth/entraid"
            }
        }
    ],
    "oauthAttributes": {
        "email": "email",
        "name": "name"
    }
}

Google

{
    "oauthProviders": [
        {
            "registrationId": "google", // The user-defined name which is used in redirect-uri
            "name": "Google",
            "providerConfiguration": {},
            "registrationConfiguration": {
                 "client-id": "<client-id>",
                "client-secret": "<client-id>", 
                "scope": [
                    "openid", "profile", "email" // The list of scopes depends on the identity provider
                ],
                "redirect-uri": "https://<cloud_hostname>/api/oauth/google"
            }
        }
    ],
    "oauthAttributes": {
        "email": "email",
        "name": "name"
    }
}

PingOne

{
    "oauthProviders": [
        {
                "registrationId": "ping",// The registration ID part of the redirect URI you set in the provider console
            "name": "Ping Cloud",
            "providerConfiguration": { // The identity provider mapping
                "authorization-uri": "https://auth.pingone.eu/{yourInternalId}/as/authorize", 
                "issuer-uri": "https://auth.pingone.eu/{yourInternalId}/as",
                "token-uri": "https://auth.pingone.eu/{yourInternalId}/as/token",
                "user-info-uri": "https://auth.pingone.eu/{yourInternalId}/as/userinfo",
                "jwk-set-uri": "https://auth.pingone.eu/{yourInternalId}/as/jwks"
            },
            "registrationConfiguration": {
                "authorization-grant-type": "authorization_code",
                "client-id": "{yourClientId}",// Your identity provider client ID
                "client-secret": "{yourClientSecret}", // Your identity provider client secret 
                "redirect-uri":"https://test.anylogic.run/api/oauth/ping", // The full redirect URI 
                "scope": [
                    "openid", "profile", "email" // The list of scopes depends on the identity provider
                ]
            }
        }
    ],
    "oauthAttributes": {
        "email": "email",
        "name": "name"
    }
}

Okta

{
    "oauthProviders": [
        {
            "registrationId": "okta", // The user-defined name which is used in redirect-uri
            "name": "Okta",
            "providerConfiguration": {
               "issuer-uri": "https://example.okta.com/oauth2/default"
              },
            "registrationConfiguration": {
                 "authorization-grant-type": "authorization_code",
                 "client-id": "0oafk7854zIAZIOVP697",
                "client-secret": "mwUB_vdI-rQ7kVo_YoV0rXNpzhCoqWgIe8iQh-5AkrrfqCl49vfV5ZpTQEfovF3X", 
                "scope": [
                    "profile", "email" // The list of scopes depends on the identity provider
                ],
                "redirect-uri": "https://<AnyLogic Cloud host name>/api/oauth/okta"
            }
        }
    ],
    "oauthAttributes": {
        "email": "email",
        "name": "name"
    }
}
    

1. Open the instance login page in your browser.
2. Click Use single sign-on.
3. Enter the credentials for your identity provider account.
   To switch the password’s visibility during input on or off, click Show or Hide on the edit box’s right.
4. Click Login.

In case of authentication errors, consult the rest service component logs and the browser console for any relevant details. Additionally, check the identity provider error code.

How can we improve this article?

Send