Single Sign On in Content Fusion Enterprise
Oxygen Content Fusion Enterprise Server supports Single Sign On by configuring a provider that supports the OpenID Connect protocol such as Microsoft Entra ID or Okta.
Note: Content Fusion uses the email address provided by the Single Sign On
provider, unless the
email_verified
field is false
for a
particular user. To enable Single Sign On:
- Define a new application in the administration interface of your
OpenID Connect provider to represent your Oxygen Content Fusion Enterprise Server deployment:
- When you are asked for a redirect URI, use the following value:
https://<content-fusion-address>/api/oauthc/oidcId/callback
where you replace<content-fusion-address>
with the actual address of your server. - After you define the application, you need to note the Client ID (or Application ID in some cases) and Client Secret that will be generated for you.
- When you are asked for a redirect URI, use the following value:
- On the machine where Content Fusion is installed, you need to add
multiple lines to the /fusion/data/config/api/api.properties file, as
follows:
- One line for the name of the OpenID Connect provider, it will be displayed to the
users on a button as Continue with
<provider-name>:
oidc.provider_name=<provider-name>
- Three lines that identify the server that is the OpenID Connect provider for the
following properties:
oidc.authorization_endpoint
,oidc.token_endpoint
, andoidc.userinfo_endpoint
. For example:- For the Okta provider, replace the
<okta-subdomain>
in the configuration snippet below:oidc.authorization_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/authorize oidc.token_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/token oidc.userinfo_endpoint=https://<okta-subdomain>.okta.com/oauth2/v1/userinfo
- For Microsoft Entra ID, replace
<app-id>
with the Application ID that was generated for you during the first step:oidc.token_endpoint=https://login.microsoftonline.com/<app-id>/oauth2/v2.0/token oidc.userinfo_endpoint=https://graph.microsoft.com/oidc/userinfo oidc.authorization_endpoint=https://login.microsoftonline.com/<app-id>/oauth2/v2.0/authorize
- For the Okta provider, replace the
- Two lines that identify the application you created during the first
step:
oidc.client_id=<client-id> oidc.client_secret=<client-secret>
- One line for the name of the OpenID Connect provider, it will be displayed to the
users on a button as Continue with
<provider-name>:
- Restart the Content Fusion
machine.
sudo bash /fusion/admin/stop-content-fusion.sh sudo bash /fusion/admin/start-content-fusion.sh
Result: Users will now have the option to log on to Content Fusion using the OpenID Connect provider.