Access using external identity provider - HxGN LiveView - Administration & Configuration

HxGN LiveView Administrator Help

Language: English
Product: HxGN LiveView
Category: Administration & Configuration
VDS Version: 3.13
LiveView Version: 3

Use this method to delegate access management to a Hexagon or third-party OAuth 2.0 authorization server. User identity management is then inherited from that authentication system: for example, if the authentication service uses Active Directory as its identity provider, your users log in to LiveView with their company Active Directory credentials.

This method requires no extra maintenance of login accounts or of permissions to project data. Your users bypass the default Xalt login prompt and log in to Xalt through the external OAuth server instead. With the authorization code flow, the browser is redirected to the OAuth server, the user authenticates there, and the server redirects back to the Xalt callback URL with a one-time authorization code. The Xalt server exchanges that code, together with its client ID and secret, for an access token issued on behalf of that user, so the user's password is entered at the authorization server and never at Xalt.

Follow the procedures below to use the Authorization Code flow for user login and to set up access rights from the component tools (Smart Instrumentation, Smart P&ID or Smart Electrical).

Configure Authentication

  1. From your authentication service application, create a client with the Authorization Flow set to Authorization Code.

  2. Add https://oauth.hexagonxalt.net/oauth/[tenantID]/v1/callback/ to the Redirect URIs section, replacing [tenantID] with your Xalt tenant ID. Register it exactly as shown, including the trailing slash: authorization servers compare the redirect URI in each request with the registered value as an exact string, and a mismatch makes the login fail before the user reaches LiveView.

  3. Copy the Client ID and Secret. Treat the secret as a credential: anyone holding it together with the Client ID can authenticate as the Xalt client, so share it only through the channel used in step 6 and rotate it in the authentication service if it is exposed.

  4. Create a group in the authentication service and add the LiveView users to it. This group must be granted access to the Smart API that is registered in the authentication service; that access is what allows LiveView to be set up for those users.

  5. In the authentication service settings, set the token settings to allow refresh tokens, as shown in the Smart API Manager example below. Without a refresh token the Xalt server cannot renew an expired access token and the user has to log in again.

  6. Contact the PPM Smart Community to add the authentication server details to your Xalt tenant. This enables LiveView to perform user authentication upon login. Provide the following details:

    1. Authentication server URL

    2. Client ID and secret for the client with Authorization Code flow

    3. Scopes
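The exchange that steps 1 to 6 set up, as an added example that is not Hexagon's code: the Xalt side builds the authorization request, the identity provider hands back a one-time code, and the Xalt side validates the callback before trading the code (and later the refresh token from step 5) for tokens. The tenant ID, authorization-server URL, client ID, secret and scopes are placeholder assumptions, and the identity provider is a small in-memory stand-in so the block runs offline. The state parameter and the PKCE challenge are standard OAuth 2.0 hardening that the page does not mention; they are included because they are what a reviewer would ask for.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values (not from the page); the real ones come from
# your authentication service and your Xalt tenant.
TENANT_ID = "example-tenant"
REDIRECT_URI = f"https://oauth.hexagonxalt.net/oauth/{TENANT_ID}/v1/callback/"
AUTH_SERVER = "https://idp.example.com"
CLIENT_ID = "liveview-client"
CLIENT_SECRET = "example-secret"  # illustration only; keep real secrets out of source
SCOPES = "openid profile"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_authorization_request():
    """Step 1 (Xalt side): redirect the browser to the IdP's authorize endpoint.
    state binds the callback to this login attempt (CSRF protection); the PKCE
    challenge is added hardening beyond what the page describes."""
    session = {"state": b64url(secrets.token_bytes(16)),
               "verifier": b64url(secrets.token_bytes(32))}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": session["state"],
        "code_challenge": b64url(hashlib.sha256(session["verifier"].encode()).digest()),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_SERVER}/authorize?{urlencode(params)}", session


class MockAuthServer:
    """Offline stand-in for the external OAuth 2.0 server (constructed for this example)."""

    def __init__(self):
        self.registered_redirects = {REDIRECT_URI}  # what step 2 registers
        self.codes, self.refresh_tokens = {}, {}

    def authorize(self, url: str, user: str) -> str:
        """Step 2 (IdP side): the user logs in; the IdP redirects back with code + state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["redirect_uri"] not in self.registered_redirects:
            raise ValueError("redirect_uri not registered (comparison is exact, slash included)")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"user": user, "challenge": q["code_challenge"],
                            "redirect_uri": q["redirect_uri"]}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """Token endpoint: exchanges a single-use code, or a refresh token, for tokens."""
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        if form["grant_type"] == "authorization_code":
            rec = self.codes.pop(form["code"], None)  # pop: a code is valid exactly once
            if rec is None or rec["redirect_uri"] != form["redirect_uri"]:
                raise PermissionError("invalid or replayed code")
            if b64url(hashlib.sha256(form["code_verifier"].encode()).digest()) != rec["challenge"]:
                raise PermissionError("PKCE verifier does not match")
            user = rec["user"]
        elif form["grant_type"] == "refresh_token":
            user = self.refresh_tokens.pop(form["refresh_token"], None)  # rotate on use
            if user is None:
                raise PermissionError("unknown refresh token")
        else:
            raise ValueError("unsupported grant_type")
        refresh = b64url(secrets.token_bytes(24))
        self.refresh_tokens[refresh] = user
        return {"access_token": f"at-{user}-{b64url(secrets.token_bytes(6))}",
                "refresh_token": refresh, "token_type": "Bearer", "expires_in": 3600}


def handle_callback(callback_url: str, session: dict, idp: MockAuthServer) -> dict:
    """Step 3 (Xalt side): check state, then trade the code for tokens."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), session["state"]):
        raise PermissionError("state mismatch: callback not bound to this login attempt")
    return idp.token({"grant_type": "authorization_code", "code": q["code"],
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "code_verifier": session["verifier"]})


def refresh(tokens: dict, idp: MockAuthServer) -> dict:
    """The step 5 setting in action: renew the access token without a new login."""
    return idp.token({"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


def login_flow(user: str = "CORP\\jdoe") -> dict:
    """Runs the whole exchange end to end against the mock server."""
    idp = MockAuthServer()
    url, session = build_authorization_request()
    callback = idp.authorize(url, user)
    tokens = handle_callback(callback, session, idp)
    refreshed = refresh(tokens, idp)
    return {"first": tokens, "refreshed": refreshed, "idp": idp}
```

Three checks in this block correspond to things that go wrong in real deployments: a redirect URI that differs from the registered one by a trailing slash is refused at the authorize step, a callback whose state does not match the pending session is dropped, and an authorization code presented twice is refused because the first exchange consumed it.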

Set Up Access Rights from Component Applications

This authentication method also lets LiveView apply the access rights defined in the component tools (Smart Instrumentation, Smart P&ID, or Smart Electrical). When LiveView reads data, it calls the component application's Web API with the access token issued for the logged-on user, so that user's rights in the component tool decide what data is returned.

  1. Contact the PPM Smart Community to enable this in the LiveView app configuration.

  2. Add the external identity (the user or group from the identity provider) to the group in the authentication service that has access to the component application's Web API.

  3. Map the appropriate claims. Identity providers identify users by attribute name/value pairs and present them to the requesting client as claims, but each identity provider stores and names these attributes differently. The component application's Web APIs can only recognize the user if the identifying information is carried in the access token in the form they expect, so the claims from the external identity provider must be mapped in the authentication service. The LiveView Web APIs require the following claims:

    1. Smart Instrumentation: No claim mapping is required for the Smart Instrumentation Web API, but the value received in the sub claim must match the user ID of the existing user in Smart Instrumentation.

    2. Smart P&ID: sub claim with values in the format <domainname\userID>,
      -OR-
      sub claim with values in the format <userID> and a domain claim with values in the format <domainname>.

    3. Smart Electrical: sub claim with values in the format <domainname\userID>,
      -OR-
      sub claim with values in the format <userID> and a domain claim with values in the format <domainname>.

  Before enabling the feature for all users, log in with a test account and inspect the claims in the token it receives: a user whose sub claim has no domain prefix and whose domain claim is not mapped will not be recognized by the Smart P&ID and Smart Electrical Web APIs.
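The claim rules above, turned into a check you can run on a token from a test login; this is an added example, not part of the page or of Hexagon's software. It decodes the payload of a JWT without verifying the signature (inspection only, not a trust decision), derives the domain and user ID each component Web API would look for, and reports which application still lacks a mapped claim. The sample tokens are constructed unsigned JWTs; the claim names sub and domain are the ones the page specifies, while the report format and function names are this example's own.

```python
import base64
import json

# Which identity shape each component Web API expects (from the page).
REQUIREMENTS = {
    "Smart Instrumentation": "sub_is_userid",
    "Smart P&ID": "domain_and_userid",
    "Smart Electrical": "domain_and_userid",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only.
    The signature is NOT verified here: use this to troubleshoot claim
    mapping on a test login, never to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_identity(claims: dict, app: str) -> dict:
    """Derive the identity the given component Web API will look up.
    Raises KeyError/ValueError naming the claim that still needs mapping."""
    sub = claims.get("sub")
    if not sub:
        raise KeyError("sub claim missing: map it in the authentication service")
    if REQUIREMENTS[app] == "sub_is_userid":
        # Smart Instrumentation: sub must equal the user ID already defined there.
        return {"domain": None, "userid": sub}
    # Smart P&ID / Smart Electrical, form 1: sub = domainname\userID
    if "\\" in sub:
        domain, _, userid = sub.partition("\\")
        if not domain or not userid:
            raise ValueError(f"sub {sub!r} is not of the form domainname\\userID")
        return {"domain": domain, "userid": userid}
    # Form 2: sub = userID plus a separately mapped domain claim
    domain = claims.get("domain")
    if not domain:
        raise KeyError(f"{app}: sub has no domain prefix and no domain claim is mapped")
    return {"domain": domain, "userid": sub}


def check_token_mapping(token: str) -> dict:
    """Run every component API's rule against one token and report the outcome."""
    claims = decode_jwt_claims(token)
    report = {}
    for app in REQUIREMENTS:
        try:
            report[app] = resolve_identity(claims, app)
        except (KeyError, ValueError) as exc:
            report[app] = f"NOT MAPPED: {exc}"
    return report


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test tokens only ("alg":"none"); a real IdP signs its tokens."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    samples = {
        "prefixed sub": {"sub": "CORP\\jdoe"},
        "sub + domain claim": {"sub": "jdoe", "domain": "CORP"},
        "sub only": {"sub": "jdoe"},
    }
    for label, claims in samples.items():
        print(label, check_token_mapping(make_unsigned_jwt(claims)))
```

The third sample is the case that slips through: the login itself works because sub is present, but Smart P&ID and Smart Electrical have no domain to resolve, so the report flags both while Smart Instrumentation passes.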