Configure OAuth Clients
Get started with OAuth client configuration to enable security integration with other systems or 3rd parties in your IT landscape
Objective
Manhattan Active® Platform Access Management has administrative screens that manage various aspects of security, including authentication, login modes, and OAuth client setup.
Documents that describe OAuth client setup for external integration are based on the version of Access Management.
Identifying Access Management Version
You can identify the version of Access Management based on its URL.
When you enter the environment hostname or the Access Management hostname as the address in your browser, you will be redirected to the login page of the Access Management server.
https://<unique_id>.<domain_name> (environment hostname)https://<unique_id>-auth.<domain_name> (Access Management hostname)
The URL of the login page may be used to identify the version of Access Management -
1 - Access Management 1.0
Use Access Management 1.0 to configure OAuth clients for integration with other systems or 3rd parties in your IT landscape
Objective
Manhattan Active® Platform Auth Server has an administrative user interface to configure or modify several security aspects, such as the authentication and login modes and OAuth client setup. This document describes how to set up OAuth clients for external integration and calling the REST API.
Before You Begin
You will need access to the Manhattan Active® Platform application and a System Administrator role to configure security properties in the Auth Server user interface.
To access the administration UI, go to your Auth Server URL (https://<unique_id>-auth.<domain_name>). After you log in, you should see the Administration option as a button that you can use to navigate to the administration UI:
The admin panel is accessible only to the users with the System Administrator role.
Clicking on the “OAuth Clients” option in the menu will take you to the UI to manage the configuration for OAuth Clients.
The UI has two sections in it:
- Custom clients: includes the clients that are created by users. These clients can be edited and deleted.
- Default clients: pre-configured clients. These cannot be edited but cloned.
Steps
- Go to Custom clients tab and click on the Add button
- Add client details like Client Id and Client secret. The value of the Client secret will be encoded and stored. Optionally, you can set the value of Access token validity and Refresh token validity. Select appropriate Scopes and Grants for this client. For each Scope selected, you have the option if you’d like to auto-approve the requests. You can add one or more Redirect URIs and Resource Ids to this client.
- Hit the Save button, and this creates a new client.
Learn More
Author
- Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.
2 - Access Management 2.0
Use Access Management 2.0 to configure OAuth clients for integration with other systems or 3rd parties in your IT landscape
Objective
Manhattan Active® Platform Access Management 2.0 has an administrative user interface to configure or modify several security aspects, such as the authentication and OAuth client setup. This document describes how you can set up OAuth 2.0 clients for external integration and for calling the REST API.
Before You Begin
You will need access to the Manhattan Active® Platform application and a Maactive System Administrator role to configure security properties in the Access Management 2.0 administration user interface.
To access the administration UI, go to your Access Management 2.0 URL (https://<unique_id>-auth.<domain_name>/auth/admin/maactive/console/). After you log in, administration UI will look something like this:
The panel is accessible only to the users with the Maactive System Administrator role.
Managing OpenID Connect clients
Clients are entities that request authentication on behalf of a user. Clients come in two forms. The first type of client is an application that wants to participate in a Single Sign On. These clients are only looking for security from Access Management 2.0. The other type of client is one that requests an access token so that it can invoke other services on behalf of the authenticated user.
Steps
Let’s see how you can create a new OpenID Connect client.
Under the Manage menu, click on Clients.
Click on Create client.
Under General Settings, leave the Client type set to OpenID Connect
Enter a Client ID
This is an alphanumeric string that specifies ID reference in URI and tokens.
Enter a Name for this client.
Specify the display name of this client.
You can optionally give a description of this client in the Description field.
Click on Save. This action will create a client for you.
Next, under Capability config, we have a toggle button to enable/disable Client authentication. This setting depends on the type of OIDC you would like to create.
Select ON if - the server-side clients perform browser logins and require client secrets when requesting for Access Token.
Select OFF if - the client-side clients perform browser logins where secrets cannot be kept safe.
Enable/Disable the Authorization button for fine-grained authorization for clients.
Select Authentication flow as needed. Default ones are already enabled.
Click on Next.
Enter the Valid redirect URIs as needed.
This is the place where the browser redirects after a successful login.
You will be redirected to the basic client configuration page. You can review or modify any other details needed on this page.
In case the Client Authentication was set to true in step 8, you will see a Credentials tab. Click on it. Make note of the Client Secret to be used during the authentication of this created client against Access Management 2.0.
Learn More
Author
- Shipra Choudhary: Senior Software Engineer, Security, Manhattan Active® Platform, R&D.