Single Sign On in Content Fusion Enterprise

Oxygen Content Fusion Enterprise Server supports Single Sign On through a provider that supports the OpenID Connect protocol, such as Microsoft Entra ID or Okta.

Note: Content Fusion uses the email address provided by the Single Sign On provider, unless the email_verified field is false for a particular user.
To enable Single Sign On:
  1. Define a new application in the administration interface of your OpenID Connect provider to represent your Oxygen Content Fusion Enterprise Server deployment:
    1. When you are asked for a redirect URI, use the following value: https://<content-fusion-address>/api/oauthc/oidcId/callback, where you replace <content-fusion-address> with the actual address of your server.
    2. After you define the application, note the Client ID (or Application ID in some cases) and Client Secret that are generated for you.
  2. On the machine where Content Fusion is installed, you need to add multiple lines to the /fusion/data/config/api/api.properties file, as follows:
    1. One line for the name of the OpenID Connect provider, which is displayed to users on a button as Continue with <provider-name>:
      oidc.provider_name=<provider-name>
    2. Three lines that identify the server that is the OpenID Connect provider for the following properties: oidc.authorization_endpoint, oidc.token_endpoint, and oidc.userinfo_endpoint. For example:
      1. For the Okta provider, replace the <okta-subdomain> in the configuration snippet below:
        oidc.authorization_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/authorize
        oidc.token_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/token
        oidc.userinfo_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/userinfo
      2. For Microsoft Entra ID, replace <app-id> with the Application ID that was generated for you during the first step:
        oidc.token_endpoint=https://login.microsoftonline.com/<app-id>/oauth2/v2.0/token
        oidc.userinfo_endpoint=https://graph.microsoft.com/oidc/userinfo
        oidc.authorization_endpoint=https://login.microsoftonline.com/<app-id>/oauth2/v2.0/authorize
    3. Two lines that identify the application you created during the first step:
      oidc.client_id=<client-id>
      oidc.client_secret=<client-secret>
  3. Restart the Content Fusion machine:
    sudo bash /fusion/admin/stop-content-fusion.sh
    sudo bash /fusion/admin/start-content-fusion.sh

Result: Users will now have the option to log on to Content Fusion using the OpenID Connect provider.
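
The properties added in step 2 can be checked before the restart in step 3. The following is an added example, not part of the Content Fusion documentation or product: a shell function (the names `prop` and `check_oidc_props` are hypothetical) that reports missing keys, unreplaced `<...>` placeholders and non-HTTPS endpoints, and warns when the file holding `oidc.client_secret` is world-readable.

```shell
#!/usr/bin/env bash
# Pre-restart check for the oidc.* entries in api.properties (added example).
# Usage: check_oidc_props /fusion/data/config/api/api.properties

# Print the value of property $2 in file $1 (last definition wins).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when every OIDC property from the procedure is present and sane;
# otherwise print one line per problem and return 1.
check_oidc_props() {
  local file="$1" key val problems=0
  for key in oidc.provider_name oidc.authorization_endpoint oidc.token_endpoint \
             oidc.userinfo_endpoint oidc.client_id oidc.client_secret; do
    val=$(prop "$file" "$key")
    if [ -z "$val" ]; then
      echo "MISSING      $key"; problems=$((problems + 1)); continue
    fi
    # A leftover <okta-subdomain>, <app-id>, <client-id>... was never replaced.
    case $val in
      *'<'*'>'*) echo "PLACEHOLDER  $key"; problems=$((problems + 1)); continue ;;
    esac
    # Endpoints must be HTTPS: the client secret, codes and tokens go to them.
    case $key in
      *_endpoint)
        case $val in
          https://*) ;;
          *) echo "NOT_HTTPS    $key"; problems=$((problems + 1)) ;;
        esac ;;
    esac
  done
  # The file holds oidc.client_secret; warn if any local user can read it.
  # This is advisory only and does not change the return code.
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "WARNING      $file is world-readable"
  fi
  [ "$problems" -eq 0 ]
}
```

Which account must be able to read the file depends on how Content Fusion is deployed, so the permission finding is a warning to review, not a failure.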