Authentication
A typical smart desktop contains many different apps from various vendors. Many of these vendors require authentication. But authenticating each app separately is annoying to the user. To solve this problem, single sign-on (SSO) authentication allows the user to sign in once, and from then on all the apps authenticate through SSO without a user having to do anything.
For the SSO authentication to work with Finsemble, you must already have an OAuth provider.
To configure OAuth2 settings for your smart desktop, you must first create an app on the authentication provider. Each provider is a little different, but in general you need to specify some settings and then create or register a new app. Follow the instructions for your specific provider.
Finsemble provides built-in support for SSO authentication via Google and Salesforce. You can also configure it to connect to other OAuth2-capable authentication providers, such as Keycloak, or to your in-house identity provider. Here's a list of popular OAuth providers. Finsemble can connect to them, but we don't recommend one over another.
To configure authentication on the smart desktop:
- Pick the provider from the dropdown to configure it.
- When setting up an OAuth2 app, your authentication provider will require the Redirect URL supplied by Finsemble. Copy the redirect URL from the Finsemble Redirect URL field into the OAuth2 app configuration for your service provider.
- Your authentication provider generates a unique Client ID. Copy this ID from the OAuth2 service provider into the Finsemble Client ID field.
- When you're done, save the authentication configuration by clicking the Test and save button.
Under the Advanced portion of the screen you have a few more options to configure if you want. You can control the access that your app has to a protected resource such as a username or picture. If your app needs this access, specify the Scope parameter. By default, we specify it as openid, but it is a best practice to use the most restrictive scope possible. If you don't need this parameter, leave it blank.
Another option is the Require nonce parameter. When you set this parameter to true, Finsemble generates a random, single-use string for each authentication request, which allows the OAuth server to verify that it has not seen that request before. This way, the server can detect replay attacks. Not all providers support the nonce parameter, so verify that yours does before you set it.
Finsemble doesn't support Proof Key for Code Exchange (PKCE).
There is more to configuring SSO than we can cover in Smart Desktop Designer (SDD). For example, in an enterprise you need to consider redundancy. A Finsemble desktop configured to hit an SSO endpoint that is down will not be able to get past the login prompt on startup, nor will applications be able to launch and authenticate. For more info, see the Finsemble Single Sign-on whitepaper.
See also
Introduction to Smart Desktop Designer
Build your smart desktop with me