Authentication in IFS Cloud

Last updated 3 years ago

Was this helpful?

In IFS Cloud, user authentication is handled through . To access the IFS OData API's, the IFS OData connector needs to retrieve an access token from IFS IAM. IFS IAM supports the OpenID Connect specification and also provides the ability to optionally delegate the authentication to an external Identity Provider.

There are several ways we can retrieve an access token in IFS Cloud and the IFS OData connector supports all of them.

Non-interactive authentication

In non-interactive authentication, there is no graphical client involved in the authentication flow and the access token is obtained through a single call by invoking the token endpoint in IFS IAM. Non-interactive authentication can be further divided into 3 sub-types depending on the nature and specific needs of the integration scenario.

Client Credentials Flow - uses service accounts instead of end-user accounts.
Password Credentials Flow - uses end-user account where the end-user credentials are stored/provided by the flow client.
Basic Authentication - Not recommended and should be only used only if other auth flows are not possible.

Interactive authentication

In Interactive authentication, the access token is obtained in two steps. First, the authorization endpoint in IFS IAM is invoked which would render the Aurena log-in page. Once the user enters the end-user credentials on the log-in page then the token endpoint is invoked which will return the access token. Interactive authentication can be further divided into 2 sub-types depending on who acts as the identity provider.

Authorization Code Flow - IFS IAM acts as the identity provider.
External IDP’s (single sign-on)- any external identity provider who supports OpenID Connect specification. Example - Azure AD, Okta

Custom Client Registration

In order to retrieve an access token from IFS IAM, we need to register a custom client in IAM. Depending on the type of authentication we'll have to create different custom client registrations. Custom clients can be registered in IFS Cloud via Solution Manager > Security > Identity and Access Manager > IAM Client Details page. For more info refer to the IFS Cloud documentation .

To register a custom client in IFS Cloud,

Navigate to Solution Manager > Security > Identity and Access Manager > IAM Client Details page
Click on the plus icon and fill in the information in the resulting dialog
- Enter a Client ID and optional description
- Enabled checkbox set to true
For Client Credentials flow
- Service Accounts and Direct Access Grants checkboxes set to true
- Select an existing service user for the Username field in User Group section

For Password Credentials flow
- Service Accounts checkbox set to false
- Direct Access Grants checkbox set to true

For Authorization Code Flow
- Service Account and Direct Access Grants checkboxes set to false
- Redirect Uri is set to ncflow://authenticate

At the moment Authorization Code Flow is only supported in Flow mobile client hence the redirect uri is set to ncflow://authenticate.

Once saved the Client Secret will be generated and we will use the Client ID & Secret in connector configuration.

Last updated 3 years ago

Was this helpful?

There are several ways we can retrieve an access token in IFS Cloud and the IFS OData connector supports all of them.

Non-interactive authentication

Client Credentials Flow - uses service accounts instead of end-user accounts.
Password Credentials Flow - uses end-user account where the end-user credentials are stored/provided by the flow client.
Basic Authentication - Not recommended and should be only used only if other auth flows are not possible.

Interactive authentication

Authorization Code Flow - IFS IAM acts as the identity provider.
External IDP’s (single sign-on)- any external identity provider who supports OpenID Connect specification. Example - Azure AD, Okta

Custom Client Registration

To register a custom client in IFS Cloud,

Navigate to Solution Manager > Security > Identity and Access Manager > IAM Client Details page
Click on the plus icon and fill in the information in the resulting dialog
- Enter a Client ID and optional description
- Enabled checkbox set to true
For Client Credentials flow
- Service Accounts and Direct Access Grants checkboxes set to true
- Select an existing service user for the Username field in User Group section

For Password Credentials flow
- Service Accounts checkbox set to false
- Direct Access Grants checkbox set to true

For Authorization Code Flow
- Service Account and Direct Access Grants checkboxes set to false
- Redirect Uri is set to ncflow://authenticate

At the moment Authorization Code Flow is only supported in Flow mobile client hence the redirect uri is set to ncflow://authenticate.

Once saved the Client Secret will be generated and we will use the Client ID & Secret in connector configuration.