User Guideline for configuring Single Sign On (SSO) for OpenBOM Web Application

General

  1. The customer must have a paid Company subscription.

  2. The SSO feature must be enabled for the company by an OpenBOM admin in the OpenBOM admin dashboard.

  3. SSO applies only to the Web application, Workspace Manager, and the SOLIDWORKS integration. Other integrations and the Drive applications are not supported yet.

  4. User accounts must exist in BOTH the OpenBOM Team account dashboard AND the identity provider (Azure AD or Okta, depending on which SSO provider you use).

  5. Report questions or issues to OpenBOM support via the in-app Support button or by email to support@openbom.com.

Before starting the integration process, you must have an OpenBOM Company subscription and must have requested that the SSO function be activated for your company.

You can use only one single sign-on (SSO) provider at a time.

Integrating with Microsoft Azure AD (Microsoft Entra ID)

Register OpenBOM application in Azure AD (Microsoft Entra ID)

  1. Sign in to the Microsoft Azure portal. Click the menu icon at the top left corner to open the left side navigation pane.

  2. Select Microsoft Entra ID in the navigation pane.

  3. Select App registrations in the new navigation pane that opens on the left.

  4. Add a new application registration by clicking Add → App registration.

  5. Register the new application:
    Set the name to OpenBom, under Redirect URI select the Web platform and set the value to https://login.openbom.com/oauth2/v1/authorize/callback, then click Register.

  6. On the page that opens for the registered application, save the values of Application (client) ID and Directory (tenant) ID.

  7. Select Certificates & secrets in the navigation pane and click New client secret.

  8. Add the client secret. Choose an expiry you can track: the secret must be rotated in the OpenBOM configuration before it expires, or SSO login will stop working.

  9. Save the value of the added client secret immediately; the portal shows it only once.

  10. To allow user synchronization between Azure AD and OpenBOM, open API permissions in the navigation pane and add the Microsoft Graph permission User.Read.All. This permission requires admin consent, so also click Grant admin consent for your tenant on the same page. OpenBOM reads only the mail and accountEnabled fields from the user profile in Azure AD.

Configuration in OpenBOM

  1. Log in to OpenBOM as the Company admin of your company: https://bom.openbom.com/sign-in.

  2. Open Company Administrator page.

  3. The Company Administrator page now has an additional Single Sign On row. Click the Configure SSO button.

    image-20240104-143829.png
  4. Enter the Application (client) ID and Directory (tenant) ID saved at Step 6 and the client secret saved at Step 9 of the Azure configuration, enter your company name in the Company name field, and save the configuration.

    image-20240301-143214.png

  5. Copy the Login URL for your company; this is the page where Single Sign On login is available.

    image-20240104-143851.png
  6. Log out of OpenBOM and open the Login URL from the previous step. Example link:
    https://bom.openbom.com/sign-in?company=946cef84-5e84-3bd3-6cef-120e843bd356

  7. You should now see your company name and a Microsoft button for Single Sign On. Click it to sign in with a Microsoft account from your Azure AD.

image-20240301-143412.png

Integrating with Okta

Create OpenBOM application in Okta

  1. Sign in to your Okta admin dashboard. Go to Applications → Applications and click Create App Integration.

image-20240301-153314.png
  2. Select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application type.

image-20240301-131741.png
  3. On the configuration page:

    1. Put https://login.openbom.com/oauth2/v1/authorize/callback in Sign-in redirect URIs.

    2. Put https://bom.openbom.com in Sign-out redirect URIs.

    3. Select the assignment mode for the application (which users or groups may use it).

    4. Click Save.

  4. On the General tab of the created application, copy the values of Client ID and Client Secret.

image-20240301-141319.png
  5. Also note your Okta issuer URL, for example https://dev-12345678.okta.com (always the https form). It will be used in the OpenBOM configuration.

  6. If you need to synchronize users' status between your Okta and OpenBOM, additionally generate an API token (this is optional). Go to Security → API, open the Tokens tab, and click Create token.

The token must be generated under a user with permissions sufficient to read the users who will use OpenBOM. An Okta API token carries the permissions of the user who created it, so prefer a dedicated read-only administrator account over a super admin. OpenBOM reads only the users' emails and status from your Okta; no other information is retrieved.

image-20240301-151057.png
  7. Enter a name for the token and click Create token.

image-20240301-143806.png
  8. Save the token value; it will be used when configuring SSO in OpenBOM.

    image-20240301-145438.png

Configuration in OpenBOM

  1. Log in to OpenBOM as the Company admin of your company: https://bom.openbom.com/sign-in.

  2. Open Company Administrator page.

  3. The Company Administrator page now has an additional Single Sign On row. Click the Configure SSO button.

    image-20240104-143829.png
  4. Enter the Client ID and Client Secret copied from the application's General tab, the Okta issuer URL, and, if you created one, the API token; enter your company name in the Company name field and save the configuration.

    image-20240301-145941.png

  5. Copy the Login URL for your company; this is the page where Single Sign On login is available.

    image-20240104-143851.png
  6. Log out of OpenBOM and open the Login URL from the previous step. Example link:
    https://bom.openbom.com/sign-in?company=946cef84-5e84-3bd3-6cef-120e843bd356

  7. You should now see your company name and an Okta button for Single Sign On. Click it to sign in with your Okta account.

image-20240301-151546.png

Additional features available in SSO configuration

The Configure SSO page offers two additional options: disabling password sign-in for users, and configuring auto-sync of users' status.

image-20240301-151800.png

Disable OpenBOM password sign in for users

When this flag is selected and the configuration saved, users in the company can no longer log in with the passwords they created in OpenBOM (except the OpenBOM company administrator). The users' passwords are deleted, and they can log in to OpenBOM only through the company SSO provider (Azure AD or Okta). The company admin can still log in with a password from the admin URL, which is shown in the configuration once the flag is enabled. Users cannot reset their password while password sign-in is disabled. Once the flag is unchecked and the configuration saved, users can again reset their password and log in to OpenBOM with the newly created one.

image-20240301-151948.png

When password sign-in is disabled for the company, users see the following company sign-in page:

image-20240301-152225.png

The company admin can still log in with a password using the admin sign-in page:

image-20240301-152255.png

Users auto-sync

When the Users auto-sync flag is enabled, the company admin can select how often synchronization runs. There are three options:

  • every 15 minutes (at 0, 15, 30, and 45 minutes every hour);

  • every 30 minutes (at 0, and 30 minutes every hour);

  • every 1 hour (at 0 minutes every hour).

image-20240301-152516.png

The company admin can also run the synchronization manually from the Company dashboard in OpenBOM.

During synchronization, users who are not present or are disabled in Azure AD or Okta are disabled in OpenBOM. Users who already existed in OpenBOM and were later added to Azure AD or Okta are enabled in OpenBOM.

New accounts are not created automatically in this release of SSO: the company admin must still create the account in OpenBOM manually. This means that when an administrator adds a user to Azure AD or Okta, the user must also be added to the OpenBOM team.
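The sync rules above, worked through as an added illustration (this is not OpenBOM's own code). It reads only the fields the guide names, Azure AD / Entra ID mail and accountEnabled and Okta profile.email and status, and computes which OpenBOM users to disable, which to re-enable, and which identity-provider users still have no OpenBOM account and must be created by the admin. The sample directories are constructed; two assumptions not stated in the guide are that emails are matched case-insensitively and that only the Okta ACTIVE status counts as enabled.

```python
"""Reconcile OpenBOM company users against the identity provider directory.

Added illustration of the sync rules in the guide; NOT OpenBOM's own code.
Only the fields the guide names are read: Azure AD / Entra ID `mail` and
`accountEnabled`, Okta `profile.email` and `status`. Assumptions (not stated
in the guide): emails are matched case-insensitively, and for Okta only the
ACTIVE lifecycle status counts as enabled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpUser:
    email: str      # normalised: lower-case, whitespace stripped
    enabled: bool


def _norm(email):
    return (email or "").strip().lower()


def from_azure(graph_users):
    """Map Microsoft Graph user objects to IdpUser, keyed by email.

    A user without a `mail` attribute cannot be matched to an OpenBOM account
    and is skipped rather than matched against an empty string.
    """
    users = {}
    for u in graph_users:
        email = _norm(u.get("mail"))
        if email:
            users[email] = IdpUser(email, bool(u.get("accountEnabled")))
    return users


def from_okta(okta_users):
    """Map Okta user objects to IdpUser, keyed by email (ACTIVE => enabled)."""
    users = {}
    for u in okta_users:
        email = _norm(u.get("profile", {}).get("email"))
        if email:
            users[email] = IdpUser(email, u.get("status") == "ACTIVE")
    return users


def reconcile(openbom_users, idp_users):
    """Compute the sync actions for one run.

    openbom_users: {email: currently_enabled_in_openbom}
    idp_users:     output of from_azure() or from_okta()
    Returns a dict with three sorted lists:
      disable            - OpenBOM users absent from or disabled in the IdP
      enable             - OpenBOM users disabled locally but enabled in the IdP
      missing_in_openbom - enabled IdP users with no OpenBOM account; the
                           company admin must create these manually
    """
    disable, enable = [], []
    for email, enabled_now in openbom_users.items():
        key = _norm(email)
        idp = idp_users.get(key)
        wanted = idp is not None and idp.enabled
        if enabled_now and not wanted:
            disable.append(key)
        elif not enabled_now and wanted:
            enable.append(key)
    known = {_norm(e) for e in openbom_users}
    missing = [e for e, u in idp_users.items() if u.enabled and e not in known]
    return {
        "disable": sorted(disable),
        "enable": sorted(enable),
        "missing_in_openbom": sorted(missing),
    }


# Constructed sample directories (no real tenants or accounts).
AZURE_USERS = [
    {"mail": "Alice@Example.com", "accountEnabled": True},   # re-enabled in IdP
    {"mail": "bob@example.com", "accountEnabled": False},    # disabled in IdP
    {"mail": None, "accountEnabled": True},                  # no mail: unmatched
    {"mail": "dave@example.com", "accountEnabled": True},    # not yet in OpenBOM
]
OKTA_USERS = [
    {"status": "ACTIVE", "profile": {"email": "alice@example.com"}},
    {"status": "SUSPENDED", "profile": {"email": "bob@example.com"}},
    {"status": "ACTIVE", "profile": {"email": "dave@example.com"}},
]
# Constructed OpenBOM company members and whether each is currently enabled.
OPENBOM_USERS = {
    "alice@example.com": False,
    "bob@example.com": True,
    "carol@example.com": True,   # absent from the IdP: will be disabled
}

if __name__ == "__main__":
    for name, idp in (("azure", from_azure(AZURE_USERS)), ("okta", from_okta(OKTA_USERS))):
        print(name, reconcile(OPENBOM_USERS, idp))
```

Both sample directories produce the same plan: bob and carol are disabled, alice is re-enabled, and dave is reported as missing so the admin can add him to the OpenBOM team. Note that an account with no mail attribute in Azure AD can never be matched, so such a user would be disabled on the next sync even if accountEnabled is true; check that every OpenBOM member has a mail value set before enabling auto-sync.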
