lilt_api and lilt_role attributes mentioned in the WSO2 configuration section.
Google SSO
LILT customers can sign in via their Google account. After being invited to join LILT by someone in your organization, you can create an account using Google Sign-On. Users with existing LILT accounts that use traditional username/password sign-in can access their accounts and all their data using Google Sign-On with an email address that matches their existing account. Users may use both sign-in methods interchangeably.
OpenID Connect
LILT Platform users can sign in through their organization’s SSO once it is configured via OpenID Connect (OIDC). OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 framework of specifications (IETF RFC 6749 and 6750). It simplifies verifying the identity of users based on the authentication performed by an Authorization Server and obtaining user profile information in an interoperable, REST-like manner. OIDC can be leveraged through many identity providers such as Amazon, Microsoft, Okta, etc.
Configuration
- LILT must be registered as a client with your OpenID Connect (OIDC) provider before installation. The client ID, client secret, and configuration parameters need to be configured during installation. Those parameters will be set by your systems administrator under the front:config:SSO property in the helm values file.
- A LILT installation can support only one OIDC configuration at a time.
- OpenID support has currently been tested with two ID-token signing algorithms: RS256 (an RSA signature over SHA-256, verified with the provider’s public key) and HS256 (HMAC-SHA256, keyed with the client secret). With HS256 the client secret is also the token-verification key, so it must be kept confidential.
- The integration relies on TLS (HTTPS) to protect the connection to the OpenID provider but does not additionally encrypt the OpenID payload itself; ID tokens are signed, not encrypted.
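The following is an added example, not LILT code, of what “verifying an HS256-signed ID token with the client secret” means in practice. It pins the expected algorithm from configuration instead of trusting the token’s own alg header (the classic alg=none / key-confusion mistake), checks the signature with a constant-time comparison, and then validates iss, aud, exp and nonce. All names, the issuer URL, client ID, secret and claims are constructed sample values; a real deployment receives the token from the provider and, for RS256, would verify against the provider’s JWKS public key instead.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used by JWS."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Mint a token the way an HS256 provider would (demo only; the real ID token
    comes from your provider). `alg` is exposed so a test can build a token that
    advertises a different algorithm than the one it was actually MACed with."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256_id_token(token, *, client_secret, issuer, client_id, nonce=None, now=None):
    """Validate an HS256 ID token and return its claims; raise ValueError otherwise.
    The algorithm is pinned to HS256 by configuration: the token's own "alg" header
    never selects the verification method."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts") from None

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}; configured for HS256")

    expected = hmac.new(
        client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client_id")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


# Constructed sample values; not real LILT or provider data.
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_CLIENT_ID = "lilt-example-client"
SAMPLE_CLIENT_SECRET = "example-client-secret-do-not-reuse"
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "sub": "user-123",
    "aud": SAMPLE_CLIENT_ID,
    "email": "alice@example.com",
    "nonce": "n-0S6_WzA2Mj",
    "iat": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 300,
}


def demo() -> dict:
    """Mint a sample token and verify it; returns the accepted claims."""
    token = mint_hs256_token(SAMPLE_CLAIMS, SAMPLE_CLIENT_SECRET)
    return verify_hs256_id_token(
        token,
        client_secret=SAMPLE_CLIENT_SECRET,
        issuer=SAMPLE_ISSUER,
        client_id=SAMPLE_CLIENT_ID,
        nonce=SAMPLE_CLAIMS["nonce"],
        now=SAMPLE_NOW,
    )


if __name__ == "__main__":
    print(demo()["email"])
```

The order of checks matters: the algorithm is rejected before any cryptography runs, the signature is checked before any claim is read, and only then are issuer, audience, expiry and nonce compared against values the relying party chose itself.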
Usage
- After configuration, OIDC authentication can be used to sign in to existing LILT accounts; the account is matched on the email address, and all of its data remains accessible.
- To create new user accounts, users must first be invited by email using the “New member” screen in the LILT Organizations tab. After being invited, new users can sign in using the SSO button on the sign-in page.
- NOTE: Automated user provisioning and de-provisioning is only supported when using WSO2.
WSO2
Configuring WSO2 Identity Server with LILT
This section describes how to configure WSO2 Identity Server for single sign-on (SSO) authentication with LILT.
Prerequisites
- WSO2 Identity Server installed and running (started via <install dir>/install_scripts/install-wso2.sh)
- Access to the WSO2 Identity Server Console with Super Admin privileges; the username and password are both admin by default (change the default password before exposing the console)
- LILT application deployed
Step 1: Configure User Attributes
1.1 Access User Attributes
- Log into the WSO2 Identity Server Console as Super Admin
- Navigate to User Attributes & Stores → Attributes
- Click on Attributes to view and manage user attributes
1.2 Add Custom LILT Attributes
You need to add two critical attributes for LILT integration.
Add the lilt_role attribute:
- Click the New Attribute button
- Configure the attribute:
  - Attribute Name: lilt_role
  - Attribute URI: http://wso2.org/claims/lilt_role
  - Protocol Mappings:
    - OpenID Connect: lilt_role
    - SCIM 2.0: urn:scim:schemas:extension:custom:User:lilt_role
  - Attribute Display Name: LILT Role
- Click Finish to save
- Scroll down on the page and make sure to select Display under the Administrator Console column in the Attribute Configurations section
Add the lilt_api attribute:
- Click the New Attribute button again
- Configure the attribute:
  - Attribute Name: lilt_api
  - Attribute URI: http://wso2.org/claims/lilt_api
  - Protocol Mappings:
    - OpenID Connect: lilt_api
    - SCIM 2.0: urn:scim:schemas:extension:custom:User:lilt_api
  - Attribute Display Name: LILT API
- Click Finish to save
- Scroll down on the page and make sure to select Display under the Administrator Console column in the Attribute Configurations section
Step 2: Configure OpenID Connect Scopes
2.1 Access OIDC Scopes Configuration
- Navigate to User Attributes & Stores → Attributes → OpenID Connect -> Scopes
2.2 Add to Roles Scope
- Click Roles to configure the scope
- Click New Attribute
- Choose the lilt_role attribute
- Click Save
- Click Save Changes
2.3 Add to Profile Scope
- Return to the scopes page from 2.1
- Click Profile to configure the scope
- Click New Attribute
- Choose the lilt_api attribute
- Click Save
- Click Save Changes
Step 3: Create and Configure the LILT Application
3.1 Create New Application
- Navigate to Applications
- Click New Application
- Select Standard-Based Application
- Choose OAuth2.0/OpenID Connect
- Configure basic settings:
  - Name: LILT (or your preferred application name)
  - Description: LILT Application for SSO
- Click Register
3.2 Configure Protocol Settings
- In the application configuration, go to the Protocol tab
- Configure the following OAuth/OIDC settings:
  - Allowed grant types:
    - ✓ Code
    - ✓ Client Credentials
    - ✓ Organization Switch
  - In the redirect URL(s), replace <your-domain> with your actual LILT instance domain.
  - Allowed Origins:
  - Select JWT as the Token type
3.3 Configure User Attributes
- Go to the User Attributes tab
- Select the following attributes to be included in the ID token:
  - ✓ Groups
  - ✓ Profile (expand to make sure lilt_api is included)
  - ✓ Roles (expand to make sure lilt_role is included)
- Select Assign alternate subject identifier
- Select Email in the dropdown. The email address is what LILT matches the account on, so it must be unique per user in WSO2.
3.4 Configure API Authorization
- Go to the API Authorization tab
- Click Authorize an API Resource
- Configure the API authorization:
- API Resource: Select the API resource you need to authorize
- Authorized Scopes: Select appropriate scopes for your implementation
- Authorization Policy: Role Based Access Control (RBAC)
- Click Finish
Step 4: Configure Login Flow
- Go to the Login Flow tab in your application
- Configure the authentication flow based on your requirements:
  - Step 1: Sign in with Username & Password
  - Additional authenticators available: Email OTP, Push Notification, SMS OTP, TOTP, Passkey, Magic Link
Step 5: Configure SSO Settings (Optional)
If you want to integrate with external identity providers:
- Navigate to Connections → New Connection
- Select your identity provider type
- Configure the connection settings based on your IdP requirements
- Map the external attributes to WSO2 attributes
Step 6: User Management
Creating New Users
When creating users in WSO2 for LILT access:
- Navigate to User Management → Users
- Click Add User
- Fill in the required fields:
  - Username
  - First Name
  - Last Name
  - Password
- Important: Add the custom attributes:
  - lilt_role: Assign the appropriate LILT role; this is the role name as displayed within LILT, such as Administrator or Manager
  - lilt_api: API key; this is only required if the user does not already exist in LILT. Treat it as a credential: it is released to LILT in the ID token via the Profile scope.
- Save the user
Modifying Existing Users
For users already in the system:
- Navigate to the user profile
- Edit user attributes
- Add the lilt_role and lilt_api attributes if required
- Save changes
Tying it to the application
All of the information needed can be found in the Quick Start and Info tabs of the WSO2 application that was just created. The environment variables required are shown below:
Testing the Configuration
After completing the configuration:
- Navigate to https://<your-domain>/signin2
- You should be redirected to the WSO2 login page
- Enter credentials for a user with proper lilt_role and lilt_api attributes
- Upon successful authentication, you should be redirected back to LILT with proper access
Troubleshooting WSO2 Integration
If users cannot access LILT after authentication:
- Verify the lilt_role and lilt_api attributes are properly configured
- Check that redirect URLs match exactly
- Ensure all required scopes are configured
- Verify API authorizations are in place
- Check application logs for specific error messages
Direct Integration
The version 1.20.0 (September 2023) release of LILT Enterprise supports two new kinds of customization of the Single Sign On feature: “custom certs” and “non-standard overrides”. The intent is to expand the environments where SSO can be used. These customizations are discussed in more detail in the following section, where we will reference the configuration shown immediately below. This particular configuration illustrates using custom certificate info, as well as overrides to standard OIDC behaviour, so that login using Active Directory Federation Services (ADFS) on Windows 2016 can be achieved.
SSO configuration format changes, starting at version 1.19.0
Changes were made to how the SSO configuration values are specified, starting with version 1.19.0. Note that the “regular” SSO-related configuration values are now specified as environment variables, nested under front.onpremValues.env, as shown in this excerpt:
SSO TLS customization
Communication from the LILT app to your OIDC Identity Provider occurs over a connection secured by TLS. For this communication to be successful, certificate information is exchanged and verified. In many environments, this verification can succeed using the well-known Certificate Authority information that is part of the default network stack in Node.js (the platform used to implement the SSO feature). In some environments, for example when the Identity Provider presents a certificate issued by a private CA, it will be necessary to provide additional TLS-related configuration. Support for doing so was added to LILT Enterprise starting at version 1.20.0.
singleOidcProviderTlsOptions
Specifically, it is now possible, via the front.onpremValues.config.singleOidcProviderTlsOptions object, to provide the following configuration values affecting the TLS communication for calls made from the LILT app server to your OIDC Identity Provider. These are the standard Node.js TLS options and keep their Node.js meaning:
- ca: trusted CA certificate(s), in PEM, used to verify the Identity Provider’s certificate (needed when it is issued by a private CA)
- cert: client certificate presented to the Identity Provider (mutual TLS)
- key: private key matching cert
- passphrase: passphrase for an encrypted key or pfx
- crl: certificate revocation list(s) to honour during verification
- pfx: PKCS#12 bundle holding certificate and key, as an alternative to cert and key
… ca and cert values, but not the others.
Further instructions for using these configuration values can be found in the comments in the YAML shown at the start of this SSO section.
Using ADFS 2016 in lieu of standard OIDC Identity Provider
Microsoft’s ADFS 2016 does not conform to the OIDC standard when acting as an identity provider. Starting with version 1.20.0, the LILT application can work around this non-conformance if you leverage two new environment variables, as discussed below.
SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM
ADFS 2016 needs an additional “resource” query parameter to be used when calling the OIDC authentication endpoint. Set the SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM variable as shown in the YAML at the start of this SSO documentation (above).
SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS
ADFS 2016 does not include the expected email property in the response from the Userinfo OIDC endpoint. As a workaround, you can adjust the settings in ADFS 2016 to provide the user’s email address as the value of a claim in the ID_TOKEN. Use the SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS setting as shown in the YAML at the start of this SSO documentation (above) to tell your LILT installation which claim in the ID_TOKEN will contain the email address.
The following articles might be helpful when attempting to configure ADFS to provide an email address via an ID_TOKEN claim:
Blog Michael Boeynaems
OIDC configuration with AD FS | Qlik Sense for administrators Help
Note that in the example shown above (and excerpted again below), the upn property in the ID token is being leveraged, but it may or may not correspond to an email address used by your users. It is likely in the same format as an email address and uniquely identifies a user in your Identity Provider, so it may be suitable for this purpose if it is not possible to provide an email address via a property in the ID token. Because LILT matches accounts on this value, whichever claim you choose must be stable and unique per user.
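To make the two ADFS 2016 overrides concrete, here is an added example (not LILT’s implementation) of a relying party that appends the extra resource query parameter to the authorization request only when an override value is configured, and that takes the login email from a configurable ID-token claim such as upn instead of the userinfo email field. The ADFS endpoint path, the resource value, the client ID and the sample claims are constructed assumptions; the exact precedence LILT applies between the override and userinfo is not stated on the page, so this example simply uses the override when it is set.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorize_url(authorization_endpoint, *, client_id, redirect_uri, state, nonce,
                        scope="openid profile email", resource=None):
    """Build the OIDC authorization-code request URL.
    `resource` models SINGLE_OIDC_PROVIDER_OVERRIDES_RESOURCE_QUERY_PARAM: when it is
    set, the non-standard `resource` parameter ADFS 2016 requires is appended; a
    conformant provider gets a plain request. state and nonce are always sent so the
    callback and the ID token can be tied back to this request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if resource:
        params["resource"] = resource
    return f"{authorization_endpoint}?{urlencode(params)}"


def email_for_lilt(userinfo, id_token_claims, id_token_email_claim=None):
    """Pick the address the LILT account is matched on.
    Default: the `email` field of the userinfo response. With the override (modelled on
    SINGLE_OIDC_PROVIDER_OVERRIDES_IDTOKEN_CLAIM_NAME_FOR_LILT_EMAIL_ADDRESS) the named
    ID-token claim is used instead, e.g. "upn" on ADFS 2016. `id_token_claims` must
    come from a signature-verified token; this function does no verification."""
    if id_token_email_claim:
        value = id_token_claims.get(id_token_email_claim)
        source = f"ID token claim {id_token_email_claim!r}"
    else:
        value = userinfo.get("email")
        source = "userinfo 'email'"
    if not isinstance(value, str) or "@" not in value or value != value.strip():
        raise ValueError(f"{source} is missing or not email-shaped: {value!r}")
    return value


def new_state_and_nonce():
    """Fresh unguessable values, one per login attempt."""
    return secrets.token_urlsafe(24), secrets.token_urlsafe(24)


def query_params(url):
    """Parsed query string of `url`, for inspection."""
    return parse_qs(urlsplit(url).query)


# Constructed sample data (assumed values, not from a real ADFS or LILT deployment).
ADFS_AUTHORIZE = "https://adfs.example.com/adfs/oauth2/authorize/"
ADFS_RESOURCE = "https://lilt.example.com/"
ADFS_USERINFO = {"sub": "abc123"}  # no "email" key, as the page describes
ADFS_ID_TOKEN_CLAIMS = {
    "iss": "https://adfs.example.com/adfs",
    "sub": "abc123",
    "upn": "alice@corp.example.com",
    "unique_name": "CORP\\alice",
}


def demo():
    """Run the ADFS flow pieces; returns the request URL and the resolved email."""
    state, nonce = new_state_and_nonce()
    url = build_authorize_url(
        ADFS_AUTHORIZE,
        client_id="lilt-example-client",
        redirect_uri="https://lilt.example.com/auth/callback",
        state=state,
        nonce=nonce,
        resource=ADFS_RESOURCE,
    )
    email = email_for_lilt(ADFS_USERINFO, ADFS_ID_TOKEN_CLAIMS, id_token_email_claim="upn")
    return {"url": url, "email": email}


if __name__ == "__main__":
    result = demo()
    print(result["url"])
    print(result["email"])
```

Without the override, the same ADFS inputs fail closed because userinfo carries no email, which is the symptom the page describes; with it, the upn value is used, and the shape check catches a misconfigured claim name that points at a non-address such as unique_name.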
SSO Troubleshooting
Communication paths
The OpenID Connect (OIDC) standard used in the implementation of SSO in LILT Enterprise depends on two communication paths being open and configured properly:
- the path from the user’s browser to the OIDC Identity Provider
- the path from the LILT app server (the front pod in the Kubernetes cluster) to the OIDC Identity Provider
Deleting session information
When troubleshooting the SSO configuration, it may be helpful to delete session information stored in the browser for both the LILT app and your OIDC Identity Provider. To delete session information for the LILT app, load the /signin page of the LILT app, and use your browser’s tools to delete the cookies and storage associated with the LILT app domain name.
To delete session information associated with your OIDC Identity Provider, load the “…well-known…” configuration page (e.g., “https://YOUR_IDP_DOMAIN_NAME/adfs/.well-known/openid-configuration”) in the browser, and use your browser’s tools to delete the cookies and storage associated with your Identity Provider.
Note that if you do not delete the session info associated with your OIDC Identity Provider, clicking “Sign in with SSO” may skip the Identity Provider’s login screen where you would type in password information; instead, it will re-use the previous successful login session, if any.
Configuration to TEMPORARILY enable debug logging for SSO
The following configuration will cause details about the HTTP/TLS communication with the OIDC identity provider to be included in the front pod logs. PLEASE BE CAREFUL USING THESE OPTIONS. This extra logging should not be enabled for production use: the logged exchange with the identity provider may include authorization codes and tokens.
… DEBUG setting shown, but leave out the one for NODE_DEBUG.