DocuWare supports the OpenID Connect (OIDC) standard for single sign-on (SSO). Read these guidelines for connecting DocuWare to an OIDC identity provider.
Most professional identity providers support OIDC. Because OIDC is an open standard, however, the configuration details differ from one identity provider to another.
You will probably need to set up an application within your identity provider to connect it to DocuWare. For more information, contact your identity provider.
Connect to an identity provider with OPENID
Go to DocuWare Configurations > General > Security > Single Sign on.
The following screenshot shows the SSO configuration dialog. Find explanations underneath.
Configure single sign-on connection
Specify the connection between the identity provider and DocuWare in the Configure single sign-on connection section of the dialog.
DocuWare and the external identity provider communicate via URLs: DocuWare addresses the identity provider via the Issuer URL and receives information back via the Callback URL.
You will get the Client ID and the Client Secret Key from your identity provider.
Attributes mapping
To enable DocuWare users to authenticate through an external identity provider, each user must be uniquely identifiable in both systems. Consequently, DocuWare and the identity provider must share a common set of user attributes.
Terms for “attribute” may vary
The term “attributes” is not defined in the OIDC standard; your identity provider may instead refer to them as “claims,” “properties,” or something similar. Attribute names can also vary—for example, DocuWare’s “username” might appear as “userID” at the identity provider. Because of these differences, be sure to configure and test the mapping carefully.
Enable the option Automatically link existing users at login to ensure that attribute mapping works correctly. Disable it only if you are using DocuWare User Synchronization 2 in a non-standard setup.
Scopes
OIDC is built on OAuth 2.0. Select the OAuth 2.0 scopes that will supply the attributes DocuWare needs. In most cases the default scopes, openid and profile, are sufficient.
If you enable Additional claims provided by the UserInfo endpoint, DocuWare will also retrieve any attributes returned by that endpoint.
Using the UserInfo endpoint slows down the login process, so activate it only if the required attributes are not available through the profile or email scopes.
DocuWare uses the email address as the primary key for matching users with the identity provider. Ensure that every user has an email address in both systems. In your identity provider, an attribute (e.g., “email”) already holds this value.
Enter the exact name of that attribute here so DocuWare can retrieve the address and link the external user to the corresponding DocuWare user.
Username
Select the attribute that DocuWare should use as the username. This value must uniquely identify the user in the external directory and must exactly match the existing DocuWare username.
External ID
If your identity provider supplies a unique ID for every user, select the attribute that contains this value. A dedicated external ID speeds up the mapping process and increases security.
If no separate ID exists, choose any other attribute that is unique for each user—such as the email address, username, or userID.
External Provider ID
Specify an identifier that is unique to the identity-provider instance itself. This is required only when you operate multiple instances of the same provider.
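Before you click Test, you can sanity-check a planned attribute mapping offline against sample claims from your identity provider. The script below is an added example, not DocuWare's code; the claim names, the sample users and the DOCUWARE_USERS table are constructed assumptions. It flags a mapped attribute that is missing from the ID token (including one that only the UserInfo endpoint would return), a username that does not exactly match a DocuWare user with the same email address, and values that are not unique across users.

```python
from collections import Counter

# Constructed sample claims for three users: what the ID token carries with the
# openid, profile and email scopes, and what only the UserInfo endpoint returns.
SAMPLE_USERS = [
    {"id_token": {"sub": "7f3a", "preferred_username": "jdoe", "email": "jdoe@example.com"},
     "userinfo": {"employeeNumber": "1001"}},
    {"id_token": {"sub": "9c21", "preferred_username": "asmith", "email": "asmith@example.com"},
     "userinfo": {"employeeNumber": "1002"}},
    {"id_token": {"sub": "b4e8", "preferred_username": "asmith", "email": "a.smith@example.com"},
     "userinfo": {"employeeNumber": "1003"}},
]
# Constructed DocuWare user list: DocuWare username -> email address stored in DocuWare.
DOCUWARE_USERS = {"jdoe": "jdoe@example.com", "asmith": "asmith@example.com"}


def check_mapping(mapping, users, docuware_users, userinfo_enabled=False):
    """Return a list of problems; an empty list means the mapping is consistent.

    mapping: DocuWare attribute -> claim name, e.g. {"email": "email", "username": ...}
    userinfo_enabled: whether "Additional claims provided by the UserInfo endpoint" is on.
    """
    problems = []
    seen = {attr: Counter() for attr in mapping}
    for user in users:
        claims = dict(user["id_token"])
        if userinfo_enabled:
            claims.update(user["userinfo"])
        sub = user["id_token"].get("sub", "?")
        for attr, claim in mapping.items():
            value = claims.get(claim)
            if value is None:
                origin = "only in UserInfo" if claim in user["userinfo"] else "missing"
                problems.append(f"{attr}: claim '{claim}' {origin} for sub={sub}")
                continue
            seen[attr][value] += 1
        # The mapped username must match a DocuWare username exactly (case-sensitive),
        # and the email on both sides must agree, since DocuWare links users by email.
        username = claims.get(mapping.get("username", ""))
        email = claims.get(mapping.get("email", ""))
        if username is not None and docuware_users.get(username) != email:
            problems.append(f"username '{username}' has no DocuWare user with email '{email}'")
    # Every mapped attribute must be unique per user, or two accounts could be linked to one.
    for attr, counter in seen.items():
        for value, count in counter.items():
            if count > 1:
                problems.append(f"{attr}: value '{value}' shared by {count} users, not unique")
    return problems
```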
Test
Click the Test button to verify the SSO connection. Always run this test after you save any changes.
Enforcing single sign-on
Read more about enforcing single sign-on.