Auth0 OpenID Configuration Example

This section provides an example of the configuration needed for using an OpenID Connect account from an Identity Provider (SiemensID, Google, and so on) via the Auth0 Identity Access Management platform (IAM).

Information

The configuration instructions for the Auth0 platform are provided for your convenience, but they are beyond our control and may change before we can update this section.
Note that other IAM platforms can be used (see Supported Identity and Access Management Platforms). For specific instructions, refer to the IAM platform web site and documentation.

Auth0 Configuration Settings

To configure the Desigo CC authorization application on Auth0, proceed as follows:

  1. If you do not already have an account, register and create an account on Auth0.
    Follow instructions at https://auth0.com/.
  1. Create an Auth0 Application.
  • Select Create Application.


  • Enter the Name of the Application, for example Management Station Authorization Service.
  • Choose the application type: select Single Page Web Application.
  • Select Create.


  1. On the left-hand side, in the navigation pane, expand Applications and select Applications.
  1. In the Applications page, select the newly created application.
  • The application page displays, with the Settings tab selected.
  1. (Optional) In Basic Information, configure the Description.
  1. Further down in the page, in Application URLs, configure the following:
  • Allowed Callback URLs: Auth0 uses this field to redirect the user to a page after successful authentication by the Identity Provider.
    It is mandatory to register the application’s URL under Allowed Callback URLs for successful OpenID authentication, because Auth0 uses this list for whitelisting the incoming authentication requests. Any change to the host application URL (for example, domain, port, or application name) must be reflected here as well.
    Enter the Flex Client login page URL here, for example:
    https://{domain name}:444/FlexApp/#/loginpage.htm
  • Allowed Logout URLs: Auth0 uses this field to redirect the user to a page after successful logout from the Identity Provider.
    It is mandatory to register the application’s URL under Allowed Logout URLs for successful OpenID authentication, because Auth0 uses this list for whitelisting the incoming authentication requests. Any change to the host application URL (for example, domain, port, or application name) must be reflected here as well.
    Enter the Flex Client login page URL here, for example:
    https://{domain name}:444/FlexApp/#/loginpage.htm

  1. Select the Connections tab and enable the connections you want to use:
  • Social connections. For example, Gmail, LinkedIn, and so on. Follow instructions in Auth0.
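
The Allowed Callback URLs and Allowed Logout URLs entries must track the Flex Client URL exactly (domain, port, application name). The following pre-check is an added example, not part of the Auth0 or Desigo CC tooling; it assumes the field value is a comma-separated list, that entries must match component by component, and it uses a constructed host name:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def url_parts(url):
    """Split a URL into the components that must match exactly."""
    u = urlsplit(url.strip())
    scheme = u.scheme.lower()
    return {
        "scheme": scheme,
        "host": (u.hostname or "").lower(),
        "port": u.port or DEFAULT_PORTS.get(scheme),
        "path": u.path,
        "fragment": u.fragment,
    }

def check_allowed_urls(flex_login_url, allowed_field):
    """Compare the Flex Client login URL with an Allowed Callback/Logout URLs value."""
    want = url_parts(flex_login_url)
    registered, findings = False, []
    for entry in (e.strip() for e in allowed_field.split(",")):
        if not entry:
            continue
        if "{" in entry or "}" in entry:
            findings.append(f"{entry}: placeholder not replaced")
            continue
        if "*" in entry:
            findings.append(f"{entry}: wildcard entry, register the exact URL instead")
            continue
        got = url_parts(entry)
        if got["scheme"] != "https":
            findings.append(f"{entry}: scheme is not https")
        diff = [k for k in want if got[k] != want[k]]
        if not diff:
            registered = True
        elif got["host"] == want["host"]:
            findings.append(f"{entry}: differs in {', '.join(diff)}")
    if not registered:
        findings.append("Flex Client login URL is not registered")
    return registered, findings

# Constructed sample values (the host name is a placeholder, not from this page).
FLEX_URL = "https://dcc.example.test:444/FlexApp/#/loginpage.htm"
STALE_FIELD = ("https://dcc.example.test/FlexApp/#/loginpage.htm, "
               "https://*.example.test:444/FlexApp/#/loginpage.htm")

if __name__ == "__main__":
    for field in (STALE_FIELD, FLEX_URL):
        print(check_allowed_urls(FLEX_URL, field))
```
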

 

Desigo CC Configuration Guidelines

In Desigo CC, you have to configure the OpenID user account. This section provides general guidelines related to the Auth0 configuration.
For more details, see Create a New Local OpenID User for Flex Client.

  • System Manager is in Engineering mode.
  • System Browser is in Management View.
  1. Select System Settings > Users.


  1. Create an OpenID account user and assign it to a group for authorization rights.
    The username for the OpenID user should be the e-mail address of the user.


  1. In the Identity Provider tab, configure the following:
  • Domain: In the application created on the Auth0 identity provider, select the Settings tab and copy the Domain value. Paste this value in this Domain field.
  • ID Service Domain: Keep the same value as Domain. Some Identity Providers have a different ID Server domain. In this case, provide the specific ID server domain here.
    This value is used during the logout workflow.
  • Client Id: In the application created on the Auth0 identity provider, select the Settings tab and copy the Client ID value. Paste this value in this Client ID field.
  • Client Secret: In the application created on the Auth0 identity provider, select the Settings tab and copy the Client Secret value. Paste this value in this Client Secret field.
  • OpenID Connection Name: In the application created on the Auth0 identity provider, select the Connections tab and copy the connection name. Paste this value in this OpenID Connection Name field.
    Whenever users log into Desigo CC using an OpenID user account, this connection is used as the default connection and users are taken directly to the authentication page of the connection.
    For example, google-oauth2, LinkedIn, and so on. This is an optional parameter. If no value is provided, users need to perform one additional step and select the appropriate connection to authenticate from the Auth0 default logon page.
For more information about the Identity Provider tab, see OpenID Configuration as Identity Provider.

Desigo CC Logon Using the OpenID User Account

  1. Enter the Flex Client URL in the browser.
  1. In the Username field, enter the OpenID user account name, typically an e-mail ID, then select Next.
  • Depending on the connection used, Desigo CC navigates you to the authentication page of the Identity Provider.
    NOTE: In case you have already been authenticated by the Identity Provider on that host, the authentication step is skipped.
    In this case, the Desigo CC server and the Identity Provider exchange tokens and provide access.
    This scenario is also known as Single Sign-On (SSO).
  1. Log on to the Identity Provider.
  • You are logged into Desigo CC depending on the authentication results.

Desigo CC Logoff

  • When you log off, you are logged out from Desigo CC, Auth0, and the Identity Provider.
    NOTE: We recommend that you clear the browser history and cache and close the browser instance after you log off from the Flex Client.