Configure Authentication for Genus Services
The new Genus authentication offers several ways to authenticate users: third-party identity providers such as ID-Porten and BankID, Microsoft Entra ID, Genus Native, and customer-specific OAuth2 authentication. To use any of these identity providers, an app (authentication client) must be registered with the provider and the authentication client must be configured correctly. Each provider requires a client ID, a client secret and a callback URL, which are obtained and set up either through the provider's developer portal or by contacting the provider directly.
Genus supports the following identity providers:
- Active Directory Federation Services (an account with permission to read users is needed; contact the administrator)
- Microsoft Entra ID (formerly Azure Active Directory)
- ID-Porten
- BankID
- AnsattPorten
- Genus Native (username/password) (Forms Authentication)
- Custom OAuth2 authentication for customer specific authentication
The Active Directory identity providers require in-house setup. The BankID and ID-Porten providers require registration, approval and an agreement before use, and they need more configuration settings than the other identity providers, for instance the URLs for authentication and user information. These identity providers also have different settings for test and production environments.
After registering and configuring with the desired providers, the identity providers are set up in Genus Studio under the Security settings. Not all settings are editable for every identity provider.
Add the desired providers by selecting the provider type, set the display name and the description, and select the color for the logon button. In the Config field, fill out the client ID, client secret, callback URL and other required information.
- For Microsoft Entra ID:
  - azureAdResource should be "00000003-0000-0000-c000-000000000000", i.e. Microsoft Graph
  - azureAdTenant is the Microsoft Entra ID tenant, e.g. "contoso.onmicrosoft.com"
  - azureAdCallbackUrl should be "/-/auth/azuread/callback"
- For Active Directory FS:
  - adfsIssuer should be the URL of the ADFS server, e.g. "https://adfs.example.com/adfs"
  - adfsAuthUrl should be "https://adfs.example.com/adfs/oauth2/authorize/"
  - adfsTokenUrl should be "https://adfs.example.com/adfs/oauth2/token/"
  - adfsUserInfo should be "https://adfs.example.com/adfs/userinfo"
  - adfsCallbackUrl should be "/-/auth/adfs/callback"
- For ID-Porten (see the prod .well-known document for production values and the test .well-known document for test values):
  - idPortenIssuer should be "https://idporten.no"
  - idPortenAuthUrl should be "https://login.idporten.no/authorize"
  - idPortenTokenUrl should be "https://idporten.no/token"
  - idPortenUserInfo should be "https://idporten.no/userinfo"
  - idPortenAcrValues should be either "idporten-loa-substantial" or "idporten-loa-high"; this selects the security level (level of assurance) required for the login
  - idPortenCallbackUrl should be "/-/auth/idporten/callback"
  - idPortenEndsessionUrl should be "https://login.idporten.no/logout"
  - idPortenPostLogoutUrl is where the user is sent after logging out
- For BankID (see the prod .well-known document for production values and the test .well-known document for test values):
  - bankIDIssuer should be "https://auth.current.bankid.no/auth/realms/current"
  - bankIDAuthUrl should be "https://auth.bankid.no/auth/realms/prod/precheck/auth"
  - bankIDTokenUrl should be "https://auth.bankid.no/auth/realms/prod/protocol/openid-connect/token"
  - bankIDUserInfo should be "https://userinfo.bankid.no/userinfo"
  - bankIDUserInfoIssuer should be "https://auth.current.bankid.no/auth/realms/current"
  - bankIDCallbackUrl should be "/-/auth/bankid/callback"
  - bankIDCertUrl should be "https://auth.bankid.no/auth/realms/prod/protocol/openid-connect/certs"
- For AnsattPorten (see the prod .well-known document for production values and the test .well-known document for test values):
  - ansattPortenIssuer should be "https://ansattporten.no"
  - ansattPortenAuthUrl should be "https://login.ansattporten.no/authorize"
  - ansattPortenTokenUrl should be "https://ansattporten.no/token"
  - ansattPortenUserInfo should be "https://ansattporten.no/userinfo"
  - ansattPortenCallbackUrl should be "/-/auth/ansattporten/callback"
  - ansattPortenAuthorizationDetails should be [{"type": "ansattporten:altinn:service", "resource": "urn:altinn:resource:1234"}], where "1234" is the identifier of the correctly registered resource
- Genus Native has no extra config settings
- Custom requires a configuration file created by Genus experts
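Since the ID-Porten, BankID and AnsattPorten URLs above come from each provider's .well-known discovery document, the most common configuration mistake is a stale or mixed-up endpoint (a test URL in a production config, a plain-http URL, or an issuer that does not match the token endpoint). The following script is an added example, not part of the Genus documentation or product: it compares the values of a Config field, keyed as on this page (idPortenIssuer, idPortenAuthUrl, ...), against a discovery document. The discovery document embedded here is constructed for offline use and mirrors the production values quoted above; the `fetch_discovery` helper is only for running the same check against the live document.

```python
"""Compare identity-provider URLs from a Genus Studio Config field against the
provider's OpenID Connect discovery document.

Added example, not Genus code. Config key names follow the page; the sample
discovery document is constructed and mirrors the page's production values.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Config key suffix (after the provider prefix) -> field in the discovery document.
DISCOVERY_FIELDS = {
    "Issuer": "issuer",
    "AuthUrl": "authorization_endpoint",
    "TokenUrl": "token_endpoint",
    "UserInfo": "userinfo_endpoint",
    "EndsessionUrl": "end_session_endpoint",
    "CertUrl": "jwks_uri",
}


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Download <issuer>/.well-known/openid-configuration (online use only)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_provider_config(prefix: str, config: dict, discovery: dict) -> list:
    """Return a list of findings; an empty list means every configured URL
    agrees with the discovery document (trailing slashes ignored), every
    endpoint uses https, and the requested acr value is one the provider
    advertises."""
    findings = []
    for suffix, field in DISCOVERY_FIELDS.items():
        key = prefix + suffix
        if key not in config:
            continue  # not every provider uses every key (e.g. no CertUrl for ID-Porten)
        configured = config[key]
        if urlparse(configured).scheme != "https":
            findings.append(f"{key}: {configured!r} is not an https URL")
        expected = discovery.get(field)
        if expected is None:
            findings.append(f"{key}: discovery document has no {field}")
        elif configured.rstrip("/") != expected.rstrip("/"):
            findings.append(f"{key}: configured {configured!r}, discovery says {expected!r}")

    # The security level requested via acr_values must be one the provider supports.
    acr_key = prefix + "AcrValues"
    supported = discovery.get("acr_values_supported")
    if acr_key in config and supported is not None and config[acr_key] not in supported:
        findings.append(f"{acr_key}: {config[acr_key]!r} not in {supported}")
    return findings


# Constructed discovery document: values mirror the page's ID-Porten production settings.
SAMPLE_DISCOVERY = {
    "issuer": "https://idporten.no",
    "authorization_endpoint": "https://login.idporten.no/authorize",
    "token_endpoint": "https://idporten.no/token",
    "userinfo_endpoint": "https://idporten.no/userinfo",
    "end_session_endpoint": "https://login.idporten.no/logout",
    "acr_values_supported": ["idporten-loa-substantial", "idporten-loa-high"],
}

# Constructed Config field with one deliberate defect: the token URL uses plain http.
SAMPLE_CONFIG = {
    "idPortenIssuer": "https://idporten.no",
    "idPortenAuthUrl": "https://login.idporten.no/authorize",
    "idPortenTokenUrl": "http://idporten.no/token",
    "idPortenUserInfo": "https://idporten.no/userinfo",
    "idPortenAcrValues": "idporten-loa-high",
    "idPortenCallbackUrl": "/-/auth/idporten/callback",
    "idPortenEndsessionUrl": "https://login.idporten.no/logout/",  # trailing slash only
}

if __name__ == "__main__":
    for finding in check_provider_config("idPorten", SAMPLE_CONFIG, SAMPLE_DISCOVERY):
        print(finding)
```

Run against the sample, the script reports the token URL twice (not https, and different from the discovery value) and nothing else; the trailing slash on the end-session URL is tolerated. Swap `SAMPLE_DISCOVERY` for `fetch_discovery(config["idPortenIssuer"])` to check a real environment, and run it against the test .well-known document with the test configuration so that a production URL cannot slip into a test setup unnoticed, or the other way round.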
Each provider can be enabled or disabled. Multiple instances of the same provider type are not supported, except for Custom.
Each provider can have two-factor authentication enabled, which prompts the user to register Genus in an authenticator app.
Each user must be connected to the desired, enabled identity provider with the correct Account Id from that identity provider. Users can be generated automatically at first sign-in with an identity provider. To enable this, the identity provider must be connected to an Onboarding account profile, which in turn must have a connected Security group. The security group's privileges determine what the new user is able to do. Not all required user information is provided by the identity providers, so it may have to be completed afterwards.
Azure AD supports guest accounts. To use this in Genus, the Token configuration for the Genus app registration in the Azure Portal must include upn as an optional claim, enabled for Externally authenticated and Replace hash marks. The Account Id for a guest user with mail@example.com as email must be in the format "mail_example.com_EXT_@genusas.onmicrosoft.com" and registered on the user's identity provider connection.
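The Account Id format for guests follows from how Entra ID forms a guest user principal name: the e-mail address with its "@" turned into "_", the marker "#EXT#", and the inviting tenant; the Replace hash marks option then turns each "#" into "_" in the upn claim. The following is an added example, not Genus code, that derives the expected Account Id from an e-mail address and tenant and compares an incoming upn claim against the stored value. The tenant name and e-mail address are the ones quoted above; the acceptance of a claim with hash marks still in place is this example's choice.

```python
"""Derive and check the Genus Account Id for a Microsoft Entra ID guest user.

Added example, not Genus code. Entra ID gives guest users a UPN of the form
<local>_<domain>#EXT#@<tenant>; with the upn claim enabled for externally
authenticated users and "Replace hash marks" on, the '#' characters arrive
as '_', which is the form stored as Account Id on the identity provider
connection.
"""

GUEST_MARKER = "#EXT#"


def guest_upn(email: str, tenant: str) -> str:
    """Raw guest UPN as Entra ID forms it (hash marks not yet replaced)."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}_{domain}{GUEST_MARKER}@{tenant}"


def replace_hash_marks(upn: str) -> str:
    """What the 'Replace hash marks' claim option does to the upn claim."""
    return upn.replace("#", "_")


def guest_account_id(email: str, tenant: str) -> str:
    """Account Id to register on the guest's identity provider connection."""
    return replace_hash_marks(guest_upn(email, tenant))


def upn_claim_matches(claim: str, account_id: str) -> bool:
    """Compare an incoming upn claim with the stored Account Id.

    The claim is normalised with the same hash replacement, so a token
    issued with or without the option enabled matches the same stored
    value; the comparison is case-insensitive because UPNs are.
    """
    return replace_hash_marks(claim).lower() == account_id.lower()


if __name__ == "__main__":
    # Page's example: guest mail@example.com in tenant genusas.onmicrosoft.com
    print(guest_account_id("mail@example.com", "genusas.onmicrosoft.com"))
```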