VMmanager: Administrator guide

Authorization via SSO

You can configure user authorization on the platform via SSO. The platform supports SSO solutions that operate using the OIDC protocol, such as Keycloak or AD FS.

The platform only supports authorization through a single SSO server.

Work logic

If SSO authorization is configured in the platform, the Login via SSO button appears on the platform login page. To log in via SSO, the user needs to:

  1. Click the Login via SSO button. The SSO server authorization page opens in the browser tab.
  2. Enter their SSO login details. The platform interface opens in the browser tab.

In the SSO server connection settings, you can enable the User management option and specify which OIDC roles correspond to which platform roles and user groups. When a user logs in via SSO, their roles and groups are then set according to these rules. If the platform has no account with the user's email address, one is created. If none of the user's OIDC roles matches a rule in the settings, the login is refused.

For accounts created during authorization via SSO, the user table indicates the source — OIDC. If you remove the connection to the SSO server, users with the OIDC source will be blocked. If the connection is restored, the blocking of these users will be removed.
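The decision described above, as an added example that is not part of this guide or of VMmanager's code: a small model of the SSO login rules applied to the claims of an ID token. The exact, case-sensitive comparison of the member_of claim values against the configured OIDC roles is an assumption (the platform's own matching code is not public), and all rules, e-mail addresses and claim values are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One row of the platform's 'OIDC role -> platform roles / user groups' table."""
    oidc_role: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def resolve_login(claims, rules, user_management=True,
                  require_verified_email=False, existing_users=()):
    """Apply the SSO login rules from the 'Work logic' section to ID-token claims.

    claims:          decoded ID-token payload (email, email_verified, member_of)
    rules:           list of Rule, as entered under 'User management'
    existing_users:  e-mail addresses that already have a platform account
    """
    email = claims.get("email")
    if not email:
        return Decision(False, "no email claim in ID token")
    if require_verified_email and not claims.get("email_verified", False):
        return Decision(False, "email address not confirmed")

    if not user_management:
        # Without User management the platform only signs in accounts that already exist.
        if email in existing_users:
            return Decision(True, "existing account")
        return Decision(False, "no account for this email and User management is off")

    member_of = claims.get("member_of", [])
    if isinstance(member_of, str):     # a single group may arrive as a bare string
        member_of = [member_of]

    roles, groups, matched = set(), set(), False
    for rule in rules:
        # Assumed: exact, case-sensitive comparison. "/Admins" (Keycloak full path)
        # and "DOMAIN\\Admins" (AD FS qualified name) do not match a rule for "Admins".
        if rule.oidc_role in member_of:
            matched = True
            roles |= rule.roles
            groups |= rule.groups
    if not matched:
        return Decision(False, "none of the user's OIDC roles matches a rule")

    reason = "existing account updated" if email in existing_users else "account created (source: OIDC)"
    return Decision(True, reason, roles, groups)


# Constructed sample data (not real tokens, groups or accounts).
RULES = [
    Rule("DOMAIN\\VM-Admins", roles={"Administrator"}),
    Rule("/vm-operators", roles={"custom-operator"}, groups={"operators"}),
]
SAMPLE_CLAIMS = {
    "adfs_admin": {"email": "alice@example.com", "member_of": ["DOMAIN\\VM-Admins", "DOMAIN\\Staff"]},
    "keycloak_op": {"email": "bob@example.com", "email_verified": True, "member_of": ["/vm-operators"]},
    "wrong_form": {"email": "bob@example.com", "email_verified": True, "member_of": ["vm-operators"]},
    "unverified": {"email": "eve@example.com", "email_verified": False, "member_of": ["/vm-operators"]},
}

if __name__ == "__main__":
    for name, claims in SAMPLE_CLAIMS.items():
        d = resolve_login(claims, RULES, require_verified_email=(name == "unverified"))
        print(f"{name:12} allowed={d.allowed!s:5} roles={sorted(d.roles)} groups={sorted(d.groups)} ({d.reason})")
```

The "wrong_form" case is the one that bites in practice: the group is the same, but the string in the claim ("vm-operators") and the string entered as the OIDC role ("/vm-operators") differ, so the login is refused.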

Limitations

Combining SSO and LDAP

If you plan to use synchronization with the LDAP directory and authorization via SSO, then for the platform to work correctly:

  1. First, configure synchronization with the LDAP directory, and then authorization via SSO.
  2. To avoid conflicts in the operation of LDAP and SSO, do not use the User management option in the SSO connection settings.

Configuration on SSO side

Keycloak

Save the SSO configuration URL:

  1. Go to the section Realm settings.
  2. In the Endpoints parameter, copy the OpenID Endpoint Configuration link. The link usually looks like https://example.com/realms/your_realm_name/.well-known/openid-configuration, where example.com is the domain name or IP address of the SSO server, and your_realm_name is the name of the Realm. You will need to specify this value in the platform when connecting SSO authorization in the SSO configuration URL field.

Create a new client for the connection:

  1. Go to the section Clients → Create client button.
  2. At the General settings step:
    1. In the Client type field, select: OpenID Connect.
    2. In the Client ID field, enter a unique client ID. You will need to specify this value in the platform when connecting SSO authorization in the Client ID field.
    3. In the Name field, enter any client name.
    4. Click Next button.
  3. At the Capability config step:
    1. Enable the Client authentication option.
    2. In the Authentication flow parameter, leave the Standard flow option enabled — standard OIDC authentication.
    3. Leave the PKCE Method parameter blank — PKCE is not used.
    4. Click Next button.
  4. At the Login settings step:
    1. In the Valid redirect URIs field, specify the exact URL such as https://example.com/auth/sso, where example.com is the domain name or IP address of the platform. Do not use a wildcard (*) here: the redirect URI check is what prevents an authorization code from being sent to an address you do not control. The specified address will be used for redirection after user authentication. This value (without the /auth/sso suffix) must be specified in the platform when connecting SSO authorization in the VMmanager platform address field.
    2. In the Web origins field, specify the URL such as https://example.com, where example.com is the domain name or IP address of the platform.
    3. Click Save button.
  5. Go to the Credentials tab:
    1. In the Client Authenticator parameter, leave the value Client ID and Secret — authentication by Client ID and Client secret.
    2. Save the value from the Client Secret field. You will need to specify this value in the platform when connecting SSO authorization in the Client secret field.
  6. Go to the Advanced tab:
    1. In the ID token signature algorithm parameter, select the RS256 value — RS256 algorithm for token signatures.
    2. Leave the ID token encryption key management algorithm and ID token encryption content encryption algorithm parameters blank — token encryption is disabled.
    3. Click Save button.
  7. Go to the Client Scopes tab and specify settings so that the server response contains data about user groups: 
    1. Click the entry <Client_id>-dedicated → Configure a new mapper button → type Group Membership.
    2. In the Name field, enter any name.
    3. In the Token Claim Name field, enter: member_of
    4. Leave the Add to ID token option enabled.
      If the Full group path option is enabled (it is by default), each group appears in the claim with its path, for example /Admins. Enter the OIDC role in the platform in exactly that form.
    5. Click Save button.

AD FS (Windows Server 2025)

Save the SSO configuration URL:

  1. Go to Service → Endpoints.
  2. In the OpenID Connect section, save the URL Path value of the OpenID Connect Discovery parameter. It usually looks like /adfs/.well-known/openid-configuration. This value, together with the domain name, will need to be specified in the platform when connecting SSO authorization in the SSO configuration URL field, for example https://example.com/adfs/.well-known/openid-configuration.
    When configuring authorization, enter the domain name in FQDN format, for example https://example.com. Authorization by server IP address is not supported.

Create a new application group:

  1. Go to Application Groups → Add Application Group.
  2. At the Welcome step:
    1. In the Name field, enter any name.
    2. Select the template Server application accessing a Web API.
  3. At the Server application step:
    1. Specify a new Client Identifier value or use an existing one. You will need to specify this value in the platform when connecting SSO authorization in the Client ID field.
    2. In the Redirect URI field, specify the URL like https://example.com/auth/sso, where example.com is the domain name or IP address of the platform. Click Add button. The specified address will be used for redirection after user authentication. This value (without the /auth/sso suffix) must be specified in the platform when connecting SSO authorization in the VMmanager platform address field.
  4. At the Configure Application Credentials step:
    1. Enable the Generate a shared secret option.
    2. Save the value from the Secret field. You will need to specify this value in the platform when connecting SSO authorization in the Client secret field.
  5. At the Configure Web API step:
    1. In the Identifier field, enter: vmmanager6
    2. Click Add button. 
  6. At the Configure Application Permissions step:
    1. In the Permitted scopes section, enable the openid option.

To have the server response contain data about user groups:

  1. Open the group settings: select the group → Properties.
  2. In the Properties window, select the Web API entry → Edit button.
  3. Go to the Issuance Transform Rules tab → Add rule button.
  4. Select the template Send LDAP Attributes as Claims → Next button.
  5. In the Claim rule name field, enter any rule name.
  6. In the Attribute store field, select Active Directory.
  7. In the LDAP Attribute column, select one of the values starting with Token-Groups. This affects the format in which the OIDC role must be specified when connecting SSO authorization in the platform:
    • Token-Groups as SIDs — group SID. For example, S-1-5-21-123456789-123456;
    • Token-Groups - Qualified by Domain Name — domain name in NetBIOS format and group name. For example, DOMAIN\Admins;
    • Token-Groups - Qualified by Long Domain Name — domain name in FQDN format and group name. For example, example.com\Admins;
    • Token-Groups - Unqualified Names — group name only. For example, Admins.
  8. In the Outgoing Claim Type column, enter: member_of
  9. Click Finish → OK → OK.

Configuring on platform side

To manage SSO authorization, click the icon in the right-hand menu → Global settings tab → Authorization via SSO section. If authorization is enabled, the configuration URL is displayed in the section. If not, the message "Not connected" is displayed.


To enable authorization:

  1. Click the Connect button.
  2. If you have already configured SSO authentication on this platform, the banner "Saved SSO configuration found" appears on the configuration form. To use the saved configuration, click the Use button.
  3. If you need to use a new configuration, specify the authorization settings:
    1. SSO configuration URL.
    2. Client ID.
    3. Client secret.
    4. VMmanager platform address.
    5. To allow authorization only for users whose email address is confirmed on the SSO server, enable the Only with a confirmed email address option.
      This option is not supported for AD FS.
    6. To enable the platform to create users from SSO and configure their rights:
      1. Enable the User management option.
      2. Specify the rules for matching OIDC roles to roles in the platform. To do this:
        1. Click the Add button.
        2. Enter the OIDC role exactly as it appears in the member_of claim.
        3. Select Roles of the platform. For each OIDC role, you can select one preconfigured role (Administrator, Advanced user, User) or any number of custom roles.
        4. If you need to add users to groups, select User groups.
        5. To add another rule, click the Add button. To delete a rule, click the icon next to it.
  4. Click Connect button.
    The platform does not verify the Client ID and Client secret values when saving settings. To test the connection, log in as any user via SSO.
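Because the platform accepts the Client ID and Client secret without checking them, it is worth verifying them against the SSO server before clicking Connect. The script below is an added example, not part of this guide or of VMmanager: it fetches the SSO configuration URL, checks that the discovery document advertises what the platform needs (issuer matching the URL, the authorization, token and JWKS endpoints, RS256 for ID tokens, the authorization code flow), and then sends the token endpoint a deliberately invalid authorization code with your client credentials. The interpretation of the reply is an assumption based on how Keycloak and AD FS behave: a wrong Client ID or secret is answered with invalid_client or unauthorized_client, while a correct pair only produces invalid_grant for the bogus code. The host sso.example.com and the sample discovery document are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc, config_url):
    """Return a list of problems found in a parsed OpenID discovery document."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if not doc.get(key)]
    issuer = doc.get("issuer", "")
    # The discovery URL must sit directly under the issuer it advertises.
    if issuer and not config_url.startswith(issuer.rstrip("/") + "/.well-known/"):
        problems.append(f"issuer {issuer!r} does not match configuration URL")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signatures")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    for key in REQUIRED_KEYS[1:]:
        url = doc.get(key)
        if url and not url.startswith("https://"):
            problems.append(f"{key} is not served over https: {url}")
    return problems


def classify_token_error(status, body):
    """Interpret the token endpoint's answer to a request carrying a bogus code.

    Assumption: Keycloak and AD FS reject a wrong Client ID/secret with
    invalid_client or unauthorized_client, and only complain about the code
    (invalid_grant) once the client credentials were accepted.
    """
    try:
        error = json.loads(body).get("error", "")
    except (ValueError, AttributeError):
        return "unexpected reply"
    if error in ("invalid_client", "unauthorized_client"):
        return "client credentials rejected"
    if error == "invalid_grant":
        return "client credentials accepted"
    return f"unexpected reply ({status}: {error or body[:80]})"


def probe_client(token_endpoint, client_id, client_secret, redirect_uri):
    """POST a deliberately invalid authorization code; only the error class matters."""
    data = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": "not-a-real-code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_endpoint, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_error(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:       # 400/401 are the expected outcomes
        return classify_token_error(err.code, err.read().decode())


def preflight(config_url, client_id, client_secret, platform_url):
    """Fetch the discovery document and probe the client; returns (problems, verdict)."""
    with urllib.request.urlopen(config_url, timeout=10) as resp:
        doc = json.load(resp)
    problems = check_discovery(doc, config_url)
    verdict = probe_client(doc["token_endpoint"], client_id, client_secret,
                           platform_url.rstrip("/") + "/auth/sso")
    return problems, verdict


# Constructed sample discovery document (Keycloak-style paths, hypothetical host).
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/realms/vmmanager",
    "authorization_endpoint": "https://sso.example.com/realms/vmmanager/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/vmmanager/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/vmmanager/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "response_types_supported": ["code", "none", "id_token"],
}
SAMPLE_CONFIG_URL = "https://sso.example.com/realms/vmmanager/.well-known/openid-configuration"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:      # live run: config URL, client ID, client secret, platform URL
        problems, verdict = preflight(*sys.argv[1:])
    else:                       # offline demonstration on the constructed sample
        problems = check_discovery(SAMPLE_DISCOVERY, SAMPLE_CONFIG_URL)
        verdict = classify_token_error(401, '{"error":"unauthorized_client"}')
    print("\n".join(problems) or "discovery document OK")
    print(verdict)
```

Run it with the four values you are about to enter in the form (configuration URL, Client ID, Client secret, platform address). "client credentials rejected" means the pair does not match what the SSO server has; fix it before connecting, because the platform itself will only report the failure when the first user tries to log in.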



To disable authorization, click the Disable button.

To change the authorization settings, click the Edit button and specify the new settings.

Diagnostics

To diagnose problems related to SSO authentication, examine the auth container logs.