
Hi!
We’d like to be able to access data from the Projections REST API with maintained end-user authorization from a third-party web application with its own backend REST API, preferably with AzureAD as our primary SSO IDP.


We have configured an IAM Identity provider in IFS cloud.
The problem is that tokens issued by AzureAD are not accepted by IFS Cloud/Keycloak, and we can’t find a way to do “token-exchange” or get a token for the user “on-behalf-of” via a confidential IAM Client. Those features seem to be disabled in Keycloak.

(We can authenticate directly towards IFS Cloud/keycloak and get a token for accessing the projections but in our use-case, this would require two logins, one to Azure, and one to IFS Cloud)

Is there any way we can use AzureAD as our primary IDP, and use that access token to query projections with maintained end-user permissions?


Hi @Mikael Nilsson 


If your IFS is set up with the same AzureAD, then you could create a public IAM client and then use the same authentication for your API call. Is that what you want to achieve?


/Damith



I want to be able to use the authentication from the same (AzureAD) IDP that I set up as an external IAM Identity provider directly, without having to prompt the end user to authenticate for the public client (Keycloak).

Something like token-exchange, on-behalf-of or, worst case, CIBA would kind of resolve my requirements, but none of these flows seem to be active/enabled in Keycloak out of the box, and since this is supposed to be SaaS, we’d prefer minimal requirements for custom configuration on the customers’ IFS/Keycloak.

EDIT: Or use a confidential client from our back-end API to the Projections API, but with impersonation of the actual end user to maintain user permissions and identity, if that is in any way possible?


Hi @Mikael Nilsson 


If you are using browser-based authentication, then it should be able to authenticate instead of going to the login page again?

I also noticed that IFS sets some cookies with the response from the authorization endpoint.

Keycloak cookies: KEYCLOAK_SESSION, Oauth_token_request_state, KEYCLOAK_IDENTITY - Stack Overflow


Maybe you could use them to make SSO work?

Confidential client from the backend API: then it will be authenticated as the service user attached to the IAM client, and I’m not sure if any impersonation is possible in this scenario.


I’m also pretty interested in this topic, so please keep us posted with your findings :)


Cheers!

Damith


Hi @Mikael Nilsson,

We’re in the same situation as you, and I’m very interested in knowing if you’ve been able to achieve this, and if yes, how?


Hi

Unfortunately not. Your only option is to acquire an access token from the IFS Cloud internal IDP (Keycloak) and use that to access the API.

The external “IAM Identity Providers” will only allow end users to log in to the IFS Web interface.

Token exchange is not enabled in the Keycloak implementation as far as I know. So you can’t use an access token from the external IDP directly or use it to acquire a token from Keycloak. This means you have to manage two separate authentications for each user if you need both, for example MS Graph and IFS OData.
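To make the conclusion above concrete, here is an added illustration (not code from the thread, IFS or Keycloak) of what a resource server such as the Projections API actually checks, why an AzureAD/Entra-issued token fails that check even when its own signature is fine, and what an RFC 8693 token-exchange call would return when the grant is not enabled. The issuer URLs, audience name, signing keys and user are all constructed placeholders, and HS256 with a shared secret stands in for the RS256/JWKS keys real IdPs use so that everything runs offline.

```python
"""Issuer-bound token validation versus token exchange (added illustration).

Constructed scenario: the Projections API trusts only the Keycloak realm issuer.
An Entra-issued token for the same user is rejected on the issuer check, and the
token-exchange grant that would bridge the two is modelled as disabled, which is
the situation described in the thread."""
import base64
import hashlib
import hmac
import json
import time

# Constructed issuers, audience and keys: placeholders, not real endpoints or secrets.
KEYCLOAK_ISSUER = "https://ifs.example.test/auth/realms/ifs-realm"
ENTRA_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
PROJECTIONS_AUDIENCE = "ifs-projections"       # audience the Projections API expects
SIGNING_KEYS = {                                  # issuer -> verification key (demo only)
    KEYCLOAK_ISSUER: b"keycloak-demo-key",
    ENTRA_ISSUER: b"entra-demo-key",
}
TRUSTED_ISSUERS = {KEYCLOAK_ISSUER}               # the API trusts its own realm only
TOKEN_EXCHANGE_ENABLED = False                    # assumption: grant disabled, as in the thread


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, audience: str, ttl: int = 300) -> str:
    """Mint a compact HS256 JWT the way an IdP would (simplified demo)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEYS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_for_projections(token: str, trusted_issuers=TRUSTED_ISSUERS) -> tuple:
    """Resource-server check: trusted iss -> signature with that issuer's key -> aud -> exp.

    Returns (accepted, reason). Resolving the key by issuer mirrors how a real
    resource server picks a JWKS, so a token from an untrusted issuer never gets
    as far as a signature check."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    iss = claims.get("iss")
    if iss not in trusted_issuers:
        return False, "untrusted issuer " + str(iss)
    expected = hmac.new(SIGNING_KEYS[iss], (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), sig_b64):
        return False, "invalid signature for issuer " + iss
    if claims.get("aud") != PROJECTIONS_AUDIENCE:
        return False, "audience " + str(claims.get("aud")) + " is not " + PROJECTIONS_AUDIENCE
    if claims.get("exp", 0) <= int(time.time()):
        return False, "token expired"
    return True, "accepted for user " + claims["sub"]


def token_exchange(subject_token: str) -> dict:
    """RFC 8693 token exchange as an authorization server would expose it: swap an
    external IdP's token for a Keycloak token for the same subject. With the grant
    disabled the caller gets a standard OAuth error body instead of a token."""
    if not TOKEN_EXCHANGE_ENABLED:
        return {"error": "unsupported_grant_type",
                "error_description": "urn:ietf:params:oauth:grant-type:token-exchange is not enabled"}
    claims = json.loads(b64url_decode(subject_token.split(".")[1]))
    return {"access_token": issue_token(KEYCLOAK_ISSUER, claims["sub"], PROJECTIONS_AUDIENCE)}


if __name__ == "__main__":
    user = "user@example.test"                                   # constructed subject
    entra_token = issue_token(ENTRA_ISSUER, user, "api://third-party-backend")
    print(validate_for_projections(entra_token))   # rejected: untrusted issuer
    print(token_exchange(entra_token))             # unsupported_grant_type
    keycloak_token = issue_token(KEYCLOAK_ISSUER, user, PROJECTIONS_AUDIENCE)
    print(validate_for_projections(keycloak_token))  # accepted: this is the second login
```

The audience check is the other half of the story: even a Keycloak-issued token minted for a different IAM client is refused, which is why the backend's own confidential-client token does not carry the end user's identity to the Projections API.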


Hi!

Thanks for your answer, I see where you’re going.

I opened a new topic, quite similar to yours, as yours had had no answer for 2 years now, and the answer I got seems to work and to answer your question as well, if you want to have a look:

SSO identification on IFS Cloud API | IFS Community


Yes, that post describes how to authenticate through IFS/Keycloak using the external IDP.
Depending on your needs this might be enough.

But… if your application also needs, for example, access to MS Graph or any Azure resource on behalf of your end user, you still have to acquire another access token from Entra directly.