Configurations

Beginning in Launcher 3.x, the configurations for the authentication providers have been moved out of the settings object into their own separate objects under the root configuration. If you are using Launcher 3.x, the following should be used when configuring the authentication providers:

LDAP

Field	Description
hostname	string Hostname of the LDAP server.
port	integer Port of the LDAP server.
domain	string The domain of the user when logging in (i.e. `"@BLUEFLETCH"`).
rootDN	string The Root DN of where the users can be searched after authentication (e.g. `"DC=BLUEFLETCH,DC=com"`).
useHttps	boolean Set to true to use LDAPS when authenticating via HTTPS.

Example:

...
"auth_ldap": {
    "hostname" : "ldapserver.bluefletch.com",
    "port" : 636,
    "domain" : "@BLUEFLETCH",
    "rootDN" : "DC=BLUEFLETCH,DC=com",
    "useHttps" : true
}
...

Okta/OneLogin (PKCE flow)

Field	Description
issuer_uri	string The configured issuer URI for the identity provider.
client_id	string The configured client ID for this application.
redirect_uri	string The configured redirect callback URI for this application.
scopes	string The scopes where this authentication applies.
force_logout	string This allows for overriding the default logout End Session URL. This is required for OneLogin.

The following fields will still need to be configured under the settings object when using the Okta Auth Provider:

Field	Description
auth_location_field	string An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with `auth_location_regex`.
auth_location_regex	string A regular expression to extract the location value from the location field. Used in conjunction with `auth_location_field`.
auth_group_field	string An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with `auth_group_regex`.
auth_group_regex	string A regular expression to match against the group information. Used in conjunction with `auth_group_field`.
auth_group_regex_true	string If the regular expression `auth_group_regex` returns `true` (found a value), will use this group value.
auth_default_group	string A default group.
auth_role_field	string An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with `auth_role_regex`. Available in Auth 1.1.x.
auth_role_regex	string A regular expression to match against the role information. Used in conjunction with `auth_role_field`.
auth_role_regex_true	string If the regular expression `auth_role_regex` returns `true` (found a value), will use this role value.
auth_default_role	string A default user role.

Example:

...
"auth_okta": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
},
"settings" : {
    ...
    "auth_default_group" : "Associates",
    "auth_group_field" : "title",
    "auth_group_regex" : "(?i)leader$",
    "auth_group_regex_true" : "Managers",
    "auth_location_field" : "custom_fields.deptnum",
    "auth_location_regex" : "(\\d+)",
    ...
}
...

Beginning in Auth 4.x, Okta authentication will be configured with the auth_oauth2 object instead of the auth_okta object, as in this example:

"auth_oauth2": {
        "issuer_url": "https://dev.oktapreview.com",
        "client_id": "0o5o9hn89wN4AAhhJ0h7",
        "redirect_url": "com.bluefletch.ems.auth://callback",
        "browser": "com.bluefletch.ems.browser",
        "scopes": "openid profile offline_access groups",
        "logout_redirect": "com.bluefletch.ems.auth://logout"
    },

For more information on the properties for configuring, see the AppAuth/OIDC IDP section.

AppAuth/OIDC IDP

Beginning in Auth 4.x, the AppAuth/Generic OAuth2 configuration will support login through the BlueFletch Browser, as well as Chrome Custom Tabs. The authenticating browser is defined by the browser value.

Field	Description
issuer_url	string The configured issuer URL for the identity provider.
client_id	string The configured client ID for this application.
redirect_url	string The configured redirect callback URL for this application. The recommended callback URL is `"com.bluefletch.launcher:/callback"`. However, if the identity provider only supports HTTPS redirect URLs, use `"https://ems-launcher-auth-release.firebaseapp.com/oauth2redirect"`.
scopes	string The OpenID scope values required for the identity provider.
baseUrl	string Base URL for the identity provider.
authorize_url	string The full URL for the `authorize` endpoint for the identity provider.
token_url	string The full URL for the `token` endpoint for the identity provider.
logout_url	string The full URL for the `logout` endpoint for the identity provider.
logout_redirect	string The full URL for the logout redirection location for your IDP. Default is `"com.bluefletch.ems.auth://logout"`.
userinfo_url	string The full URL of the `userInfo` endpoint for the identity provider.
resource	string Specifies the host to access for a token during login when the IDP does not provide it through `userinfo_url`. Used in Azure AD authentication (e.g `"https://graph.microsoft.com"`).
login_hint	string Hint to be displayed for the username field on the identity provider login page.
ignoreExpiresIn	boolean If `true`, instructs the launcher to refresh the token based on the `refreshThresholdInMins` value instead of the expiration indicated in the token.
browser	string Specifies the browser package name to execute the `authorize` call. Default is `"com.android.chrome"`.
refreshThresholdInMins	integer The number of minutes after which the launcher will automatically refresh the token if `ignoreExpiresIn` is set to `true`.
auth_location_field	string An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with `auth_location_regex`.
auth_location_regex	string A regular expression to extract the location value from the location field. Used in conjunction with `auth_location_field`.
auth_group_field	string An optional setting that tells authorization which field in the authentication provider response contains group information. Used in conjunction with `auth_group_regex`.
auth_group_regex	string A regular expression to match against the group information. Used in conjunction with `auth_group_field`.
auth_group_regex_true	string If the regular expression `auth_group_regex` returns `true` (found a value), will use this group value.
auth_default_group	string A default group.
auth_role_field	string An optional setting that tells authorization which field in the authentication provider response contains user role information. Used in conjunction with `auth_role_regex`. Available in Auth 1.1.x.
auth_role_regex	string A regular expression to match against the role information. Used in conjunction with `auth_role_field`.
auth_role_regex_true	string If the regular expression `auth_role_regex` returns `true` (found a value), will use this role value.
auth_default_role	string A default user role.
claim_userId	string The claim in the access token that contains the user ID of the logged-in user.
claim_username	string The claim in the access token that contains the display name of the logged-in user.
claim_groups	string The claim in the access token that contains the logged-in user's membership groups.
userinfo_attrs	string A comma-delineated list of names indicating the field names within the `userInfo` response that should be copied into the session extended attributes collection. This provides the ability to get optional data points.

Example:

...
  "auth_oauth2": {
    "client_id": "com.bluefletch.ems.auth",
    "redirect_url": "com.bluefletch.launcher:/callback",
    "baseUrl": "https://oauth2server.bluefletch.com",
    "authorize_url": "https://oauth2server.bluefletch.com/oauth2/authorize",
    "token_url": "https://oauth2server.bluefletch.com/oauth2/token",
    "userinfo_url": "https://oauth2server.bluefletch.com/oauth2/userinfo",
    "logout_url": "https://oauth2server.bluefletch.com/oauth2/logout",
    "scopes": "openid profile offline_access groups",
    "claim_userId": "upn",
    "claim_username": "commonname",
    "claim_groups": "memberof",
    "browser": "com.bluefletch.ems.browser"
}
...

MSAL for Azure AD

Field	Description
client_id	string The client ID used to register this application.
authorization_user_agent	string Set to `"DEFAULT"`.
redirect_uri	string The configured redirect callback URI for this application. For the MSAL library, the redirect must use the application ID and its signature. Use `"msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas="`.
broker_redirect_uri_registered	boolean Set to `true` if using the Microsoft Authenticator application in Shared Device Mode on the device. Default is `false`.
authority_type	string Set to `"AAD"` for Azure AD.
authority_url	string The directory from which MSAL can request tokens. Typically, set to `"https://login.microsoftonline.com/<tenant_id>"`, where `<tenant_id>` is the Azure Tenant ID.
tenant_id	string Set to the Azure Tenant ID.
logout_url	string Set to `"https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout"`, which will also log the user out of office365.
limit_to_launcher_groups	boolean If set to `true`, only the groups identified in the `group_inclusion` and `layouts` in the launcher configuration file will be passed into the session.

Example:

...
"auth_msal" : {
    "client_id" : "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri" : "msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas=",
    "authority_type" : "AAD",
    "authority_url" : "https://login.microsoftonline.com/<tenant_id>",
    "tenant_id" : "<tenant_id>",
    "logout_url" : "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups" : true
}
...

Beginning in Auth 4.3.x, Azure AD authentication will be configured with the auth_oauth2 object instead of the auth_msal object, as in this example:

...
"auth_oauth2": {
    "client_id": "01cceca8-d87b-11ec-9d64-0242ac120002",
    "redirect_url": "msauth://com.bluefletch.ems.auth/K8s43sSfptA3T2LoAlTd9XEfKQg=",
    "baseUrl": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002",
    "authorize_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/authorize",
    "token_url": "https://login.microsoftonline.com/469a2de6-d87b-11ec-9d64-0242ac120002/oauth2/token",
    "scopes": "openid profile email User.Read GroupMember.Read.All https://graph.microsoft.com",
    "resource" : "https://graph.microsoft.com",
    "userinfo_url": "https://graph.microsoft.com/v1.0/me/memberOf",
    "claim_userId": "upn",
    "claim_username": "name",
    "claim_groups": "memberOf"
}
...

For more information on configuring, see the AppAuth/OIDC IDP section.

ADFS 3.0/2012 Using ADAL library

Field	Description
authority	string Configured resource ID for this application.
resourceId	string Configured resource ID for this application.
clientId	string Configured client ID for this application.
redirectUri	string Configured callback URL for this application
defaultDomain	string Pre-populates the username field with the domain prefix (optional).
claim_userId	string Passthrough field containing the userID (e.g. `"unique_name"`).
claim_username	string LDAP passthrough field containing the user's display name.
claim_groups	string LDAP passthrough field containing the groups (e.g. equivalent to MemberOf).
baseUrl	string The base URL for the ADFS environment.

Example:

...
"auth_adal" : {
    "baseUrl" : "https://adfs2012.bluefletch.com",
    "authority" : "https://adfs2012.bluefletch.com/adfs/oauth2",
    "clientId" : "com.bluefletch.ems.auth",
    "resourceId" : "com.bluefletch.ems.auth",
    "redirectUri" : "com.bluefletch.launcher:/callback",
    "defaultDomain" : "BLUEFLETCH\\",
    "claim_userId" : "upn",
    "claim_username" : "commonname",
    "claim_groups" : "MemberOf"
}
...

Okta (Resource Owner Flow)

Field	Description
issuer_uri	string The configured Issuer URI for the identity provider.
client_id	string The configured client ID for this application.
client_secret	string The configured client secret for this application.
redirect_uri	string The configured redirect callback URI for this application.
scopes	string The scopes where this authentication applies.

Example:

...
"auth_oktaRest": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "client_secret" : "A8300hhnadf84993225160kjfdB",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
}
...