Configurations

Beginning with Launcher 3.x, the configuration for the auth providers has been moved out of the Settings object into separate objects under the root configuration. If you are using Launcher 3.x, use the following when configuring the auth providers:

LDAP

Field | Type | Description
hostname | string | Hostname of the LDAP server
port | integer | Port of the LDAP server
domain | string | The domain of the user when logging in, e.g. @BLUEFLETCH
rootDN | string | The root DN under which users are searched after authentication, e.g. "DC=BLUEFLETCH,DC=com"
useHttps | boolean | Set to true to use LDAPS (LDAP over TLS) when authenticating

Example:

...
"auth_ldap": {
    "hostname" : "ldapserver.bluefletch.com",
    "port" : 636,
    "domain" : "@BLUEFLETCH",
    "rootDN" : "DC=BLUEFLETCH,DC=com",
    "useHttps" : true
}
...

Okta/OneLogin (PKCE flow)

Field | Type | Description
issuer_uri | string | The configured Issuer URI for the identity provider
client_id | string | The configured client ID for this application
redirect_uri | string | The configured redirect callback URI for this application
scopes | string | The scopes where this authentication applies
force_logout | string | Overrides the default logout End Session URL. This is required for OneLogin

The following fields will still need to be configured under the settings object when using the Okta Auth Provider:

Field | Type | Description
auth_location_field | string | An optional setting that tells authorization which field in the auth provider response contains location information. Used in conjunction with auth_location_regex
auth_location_regex | string | A regular expression that extracts the location value from the location field. Used in conjunction with auth_location_field
auth_group_field | string | An optional setting that tells authorization which field in the auth provider response contains group information. Used in conjunction with auth_group_regex
auth_group_regex | string | A regular expression to match against the group information
auth_group_regex_true | string | If auth_group_regex matches (finds a value), this group value is used
auth_default_group | string | The default group, used when no match is found
auth_role_field | string | An optional setting that tells authorization which field in the auth provider response contains user role information. Used in conjunction with auth_role_regex. Available in AUTH 1.1.x
auth_role_regex | string | A regular expression to match against the role information
auth_role_regex_true | string | If auth_role_regex matches (finds a value), this role value is used
auth_default_role | string | The default user role, used when no match is found

Example:

...
"auth_okta": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
},
"settings" : {
    ...
    "auth_default_group" : "Associates",
    "auth_group_field" : "title",
    "auth_group_regex" : "(?i)leader$",
    "auth_group_regex_true" : "Managers",
    "auth_location_field" : "custom_fields.deptnum",
    "auth_location_regex" : "(\\d+)",
    ...
}
...
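The settings above map fields of the identity provider's response onto a Launcher group, role and location. The following is an added example, not Launcher's own code, that shows how that mapping plays out on the page's own Okta settings; it assumes the regex is searched against the field's value, that a dotted name such as custom_fields.deptnum addresses a nested field, and that the location is the first capture group. It generalizes the group rules to the auth_role_* fields, which follow the same naming pattern.

```python
import re
from typing import Any, Dict

# Constructed sample of an identity-provider response (not taken from the page).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "sub": "00u1example",
    "title": "Department Leader",
    "custom_fields": {"deptnum": "Store 0451"},
}
# The settings object from the Okta example on this page.
OKTA_SETTINGS = {
    "auth_default_group": "Associates",
    "auth_group_field": "title",
    "auth_group_regex": "(?i)leader$",
    "auth_group_regex_true": "Managers",
    "auth_location_field": "custom_fields.deptnum",
    "auth_location_regex": "(\\d+)",
}

def lookup(response, dotted_path):
    """Resolve a dotted path such as custom_fields.deptnum against nested dicts (assumed syntax)."""
    value = response
    for key in dotted_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return None if value is None else str(value)

def resolve_by_regex(settings, response, kind):
    """Apply auth_<kind>_field / _regex / _regex_true and auth_default_<kind>; kind is "group" or "role"."""
    default = settings.get(f"auth_default_{kind}")
    field, pattern = settings.get(f"auth_{kind}_field"), settings.get(f"auth_{kind}_regex")
    value = lookup(response, field) if field else None
    if value is not None and pattern and re.search(pattern, value):
        return settings.get(f"auth_{kind}_regex_true", default)
    return default  # field unset, value absent, or regex did not match

def resolve_location(settings, response):
    """Extract the location with auth_location_regex; the first capture group wins."""
    field, pattern = settings.get("auth_location_field"), settings.get("auth_location_regex")
    value = lookup(response, field) if field else None
    match = re.search(pattern, value) if value is not None and pattern else None
    if match is None:
        return None
    return match.group(1) if match.groups() else match.group(0)
```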

AppAuth/Generic OAuth2

Field | Type | Description
client_id | string | The configured client ID for this application
redirect_uri | string | The configured redirect callback URI for this application. The recommended callback URL is com.bluefletch.launcher:/callback; however, if your identity provider only supports https redirect URLs, you can use https://ems-launcher-auth-release.firebaseapp.com/oauth2redirect
baseUrl | string | Base URL for your identity provider
authorize_url | string | The full URL of the authorize endpoint for your IDP
token_url | string | The full URL of the token endpoint for your IDP
logout_url | string | The full URL of the logout endpoint for your IDP
claim_userId | string | The claim in the Access Token that contains the userId of the logged-in user
claim_username | string | The claim in the Access Token that contains the display name of the logged-in user
claim_groups | string | The claim in the Access Token that contains the groups the logged-in user is a member of

Example:

...
"auth_oauth2": {
    "client_id" : "com.bluefletch.ems.auth",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "baseUrl" : "https://oauth2server.bluefletch.com",
    "authorize_url" : "https://oauth2server.bluefletch.com/oauth2/authorize",
    "token_url" : "https://oauth2server.bluefletch.com/oauth2/token",
    "logout_url" : "https://oauth2server.bluefletch.com/oauth2/logout",
    "claim_userId" : "upn",
    "claim_username" : "commonname",
    "claim_groups" : "memberof"
}
...

MSAL for Azure AD

Field | Type | Description
client_id | string | The client ID used to register this application
authorization_user_agent | string | Set to 'DEFAULT'
redirect_uri | string | The configured redirect callback URI for this application. For the MSAL library, the redirect must use the application ID and its signature. Use msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas=
authority_type | string | Set to 'AAD' for Azure AD
authority_url | string | Set to "https://login.microsoftonline.com/<tenant_id>", where tenant_id is your Azure Tenant ID
tenant_id | string | Set to your Azure Tenant ID
logout_url | string | Set to "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout", which will also log you out of Office 365
limit_to_launcher_groups | boolean | If set to true, only the groups identified in the group_inclusion and layouts in the launcher configuration file will be passed into the session

Example:

...
"auth_msal" : {
    "client_id" : "<client_id during registration>",
    "authorization_user_agent" : "DEFAULT",
    "redirect_uri" : "msauth://com.bluefletch.ems.auth.msal/KUKEusfKtqAOu9UB6jgjtTMKYas=",
    "authority_type" : "AAD",
    "authority_url" : "https://login.microsoftonline.com/<tenant_id>",
    "tenant_id" : "<tenant_id>",
    "logout_url" : "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fwww.office.com%2F%3Fref%3Dlogout",
    "limit_to_launcher_groups" : true
}
...

ADFS 3.0/2012 Using ADAL library

Field | Type | Description
authority | string | The OAuth2 authority URL of the ADFS environment (see the example below)
resourceId | string | Configured resource ID for this application
clientId | string | Configured client ID for this application
redirectUri | string | Configured callback URL for this application
defaultDomain | string | Optional; pre-populates the username field with the domain prefix
claim_userId | string | Passthrough field containing the userId (e.g. unique_name)
claim_username | string | LDAP passthrough field containing the user's display name
claim_groups | string | LDAP passthrough field containing the groups (e.g. equivalent to MemberOf)
baseUrl | string | The base URL of the ADFS environment

Example:

...
"auth_adal" : {
    "baseUrl" : "https://adfs2012.bluefletch.com",
    "authority" : "https://adfs2012.bluefletch.com/adfs/oauth2",
    "clientId" : "com.bluefletch.ems.auth",
    "resourceId" : "com.bluefletch.ems.auth",
    "redirectUri" : "com.bluefletch.launcher:/callback",
    "defaultDomain" : "BLUEFLETCH\\",
    "claim_userId" : "upn",
    "claim_username" : "commonname",
    "claim_groups" : "MemberOf"
}
...

Okta (Resource Owner Flow)

Field | Type | Description
issuer_uri | string | The configured Issuer URI for the identity provider
client_id | string | The configured client ID for this application
client_secret | string | The configured client secret for this application
redirect_uri | string | The configured redirect callback URI for this application
scopes | string | The scopes where this authentication applies

Example:

...
"auth_oktaRest": {
    "issuer_uri" : "https://dev.oktapreview.com",
    "client_id" : "0o5o9hn89wN4AAhhJ0h7",
    "client_secret" : "A8300hhnadf84993225160kjfdB",
    "redirect_uri" : "com.bluefletch.launcher:/callback",
    "scopes" : "[\"openid\", \"profile\", \"offline_access\", \"groups\"]"
}
...
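Across the provider objects above, the same configuration mistakes recur: a misspelled field name (the tables use redirect_uri), a non-https endpoint, an LDAP block with useHttps left false, or a scopes value that is not a JSON array encoded as a string. The following is an added example, not part of the Launcher product, that lints a configuration against the field tables on this page; the required and optional field sets come from those tables and the known redirect values from the AppAuth and MSAL descriptions.

```python
import json
from urllib.parse import urlparse

# Required fields per provider object, taken from the tables on this page.
REQUIRED = {
    "auth_ldap": {"hostname", "port", "domain", "rootDN", "useHttps"},
    "auth_okta": {"issuer_uri", "client_id", "redirect_uri", "scopes"},
    "auth_oauth2": {"client_id", "redirect_uri", "baseUrl", "authorize_url", "token_url",
                    "logout_url", "claim_userId", "claim_username", "claim_groups"},
    "auth_msal": {"client_id", "authorization_user_agent", "redirect_uri", "authority_type",
                  "authority_url", "tenant_id", "logout_url"},
    "auth_adal": {"authority", "resourceId", "clientId", "redirectUri", "claim_userId",
                  "claim_username", "claim_groups", "baseUrl"},
    "auth_oktaRest": {"issuer_uri", "client_id", "client_secret", "redirect_uri", "scopes"},
}
OPTIONAL = {"auth_okta": {"force_logout"}, "auth_adal": {"defaultDomain"},
            "auth_msal": {"limit_to_launcher_groups"}}
URL_KEYS = {"issuer_uri", "baseUrl", "authorize_url", "token_url", "logout_url", "authority_url", "authority"}
KNOWN_REDIRECTS = {"com.bluefletch.launcher:/callback",
                   "https://ems-launcher-auth-release.firebaseapp.com/oauth2redirect"}

def lint_config(config):
    """Return findings for the auth provider objects present; an empty list means clean."""
    findings = []
    for name, required in REQUIRED.items():
        obj = config.get(name)
        if obj is None:
            continue
        for key in sorted(required - set(obj)):
            findings.append(f"{name}: missing required field '{key}'")
        for key in sorted(set(obj) - required - OPTIONAL.get(name, set())):
            findings.append(f"{name}: unknown field '{key}' (check spelling against the table)")
        for key in sorted(URL_KEYS & set(obj)):
            if urlparse(str(obj[key])).scheme != "https":
                findings.append(f"{name}.{key}: expected an https URL, got '{obj[key]}'")
        redirect = obj.get("redirect_uri", obj.get("redirectUri"))
        if redirect is not None and redirect not in KNOWN_REDIRECTS and not str(redirect).startswith("msauth://"):
            findings.append(f"{name}: redirect '{redirect}' is not a documented callback value")
        if "scopes" in obj:
            try:
                scopes = json.loads(obj["scopes"]) if isinstance(obj["scopes"], str) else None
            except ValueError:
                scopes = None
            if not isinstance(scopes, list) or "openid" not in scopes:
                findings.append(f"{name}.scopes: must be a JSON array encoded as a string containing 'openid'")
    ldap = config.get("auth_ldap")
    if ldap is not None and ldap.get("useHttps") is not True:
        findings.append("auth_ldap.useHttps: not true, so authentication would not use LDAPS")
    return findings
```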