Activation of SSO in the Labordatenbank

Instructions for configuring Single Sign-On (SSO) login to the lab database via OAuth with identity providers such as Microsoft Entra ID / Azure AD, Okta, Keycloak, Google, and others.
Important: When activating SSO, please ensure that there is at least one account with the necessary permissions to modify the SSO settings. Additionally, make sure these users can log in without SSO (using MFA).

Login with Single Sign-On (SSO) is part of the laboratory database Enterprise Cloud and can be activated in the system settings under the following link:
https://labordatenbank.com/demo/configs/index/login

To enable SSO in the lab database, you need an OAuth Client ID and an OAuth Client Secret from your identity provider (e.g. Microsoft Azure AD, Okta, Google, ...), which you can generate there for the lab database.

Next, register the lab database's OAuth redirect link, https://labordatenbank.com/demo/employees/dooauth, on your identity provider's authentication server.



We demonstrate this below using Microsoft Azure AD, but any other SSO provider that supports login with OAuth 2.0 can be used as well.

In the Azure management interface you can enter the lab database redirect link. The link is displayed in the lab database system settings and is specific to the instance. You can also store multiple instance links with your identity provider, for example one link to your lab database production system and one link to your lab database test system.



After adding the redirect link, create a new Client Secret and define its validity period.
Important: Keep an eye on the validity period. If it expires, users will no longer be able to log in to the laboratory database (you can also create a task in the laboratory database as a reminder).
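One way to watch the validity period automatically (an added example, not part of the Labordatenbank documentation): the script below reads the client secrets of the app registration as JSON and flags those that have expired or are about to. It assumes the JSON has the shape of Microsoft Graph passwordCredentials (fields displayName, keyId, endDateTime), as printed by `az ad app credential list --id <app-id>`; the sample data, the secret names and the 30-day warning threshold are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of Microsoft Graph passwordCredentials.
# Names, key IDs and dates are made up for this example.
SAMPLE_CREDENTIALS = """
[
  {"displayName": "labordatenbank-prod",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2025-03-01T00:00:00Z"},
  {"displayName": "labordatenbank-test",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2026-01-15T12:30:00.1234567Z"},
  {"displayName": "old-secret",
   "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2024-12-31T23:59:59Z"}
]
"""

def parse_graph_time(value):
    """Parse a Graph UTC timestamp; trim 7-digit fractions Python rejects."""
    text = value.rstrip("Z").split("+")[0]  # Graph reports these in UTC
    if "." in text:
        whole, frac = text.split(".")
        text = f"{whole}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def classify_secrets(credentials, now, warn_days=30):
    """Return (status, name, days_left) per secret, soonest expiry first."""
    report = []
    for cred in credentials:
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        end = cred.get("endDateTime")
        if not end:  # no end date recorded: surface it for manual review
            report.append(("UNKNOWN", name, None))
            continue
        days_left = (parse_graph_time(end) - now).days  # floors, so -1s => -1
        if days_left < 0:
            status = "EXPIRED"    # SSO logins with this secret already fail
        elif days_left <= warn_days:
            status = "EXPIRING"   # rotate now and update the lab database
        else:
            status = "OK"
        report.append((status, name, days_left))
    return sorted(report, key=lambda r: float("-inf") if r[2] is None else r[2])

if __name__ == "__main__":
    now = datetime(2025, 2, 10, tzinfo=timezone.utc)  # fixed date for the sample
    for status, name, days in classify_secrets(json.loads(SAMPLE_CREDENTIALS), now):
        print(f"{status:9} {name:22} days_left={days}")
```

For scheduled use, replace the fixed date with datetime.now(timezone.utc) and feed the script the current credential list.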



The OAuth Client ID and the OAuth Client Secret are now entered in the Labordatenbank.





Now the users of the laboratory database can log in to the laboratory database with their SSO account.

When logging in to the laboratory database with SSO for the first time, the user may be prompted to send an approval request to the admin. After the request is sent, the admin of the SSO system is informed about the login attempt and has to approve the login to the lab database once.


Users who do not have an SSO account can be removed from the SSO login with a checkbox. This gives them the option, in addition to SSO, of logging into the laboratory database as normal with a password and, if necessary, 2FA.







FAQ on SSO

Question: Which identity providers are supported by the lab database?
Answer: We support most OAuth 2.0 providers, such as Microsoft Entra ID / Azure AD, Okta, Keycloak, Google, and others.

Question: Does the lab database use AD groups, or is it just about authentication?
Answer: The lab database uses SSO for login (authentication) only.

Question: What parameters are needed for the setup?
Answer:
1) Identity provider name (e.g. Microsoft Azure AD).
2) OAuth Client ID
3) OAuth Client Secret

Question: Is there a test instance where the setup can be tested in advance?
Answer: Yes, SSO login can be tested in advance on your lab database test system.

Question: What protocols does the lab database SSO system support?
Answer: OAuth 2.0


Last change: 05.05.2024
