How to implement OpenID Authentication in the managed application?

#1
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hello,

In the design of 1C:Enterprise, there are two configurations for OpenID Authentication:
(1) Administration --> User
A user is added with the check box "OpenID Authentication".

(2) Administration --> Publish to web server --> Additional pages
If only the provider address is provided, then many applications can connect to this provider. This causes certain risks.

Could you show me a guide for using OpenID Authentication, or how to implement it in managed applications?

Thank you very much for your support!
Cuong

 
#2
Just came
Rating: 0
Joined: Oct 10, 2012
Company:

Hello, Nguyen Trung Cuong,

You can see OpenID implementation details in "1C:Enterprise. Administrator Guide".

 
#3
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Sergey Polikarpov,

I performed the steps described in "1C:Enterprise. Administrator Guide" and could publish the application successfully.
The service provider path is included in the <openid><rely url="path_of_service_provider"/></openid>.

But I don't see any difference in the login dialog when opening the application from a web browser.

Could you please give me an example about OpenID in 1C:Enterprise?


Thanks,
Cuong

 
#4
Timofey Bugaevsky
Guest

Joined:
Company:

Hello, Nguyen Trung Cuong.

You also need to use a secure connection. Without SSL certificates, OpenID authentication will not be enabled.

 
#5
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Sergey Polikarpov,

Thank you very much for your support!

I created the "OpenID" infobase and published it. Then I tried to use an SSL connection, but the application screen in the browser is blank.
Please have a look at the screenshot (attachment: OpenID.png).

What is wrong in my configuration?


Thanks,
Cuong

 
#6
Timofey Bugaevsky
Guest

Joined:
Company:

Nguyen Trung Cuong,

Your certificate is not valid; you can see it as a red cross on the lock icon to the left of the URL.

 
#7
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Sergey Polikarpov,

I viewed the page source and got the error message that the application could not write data to the infobase folder.
Then I re-created the application in another place on the D: drive (without any implementation except creating a Role and adding a new user with the OpenID property).

However, I could not get the link in the URL as in the screenshot in my previous post to you.
That means OpenID is not active, I think.

Please help me review my attached configuration in IIS.


Thank you,
Cuong

Edited: Nguyen Trung Cuong - Jan 12, 2016 03:22 AM
 
#8
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

Hello Cuong,

OpenID authentication implies that you have one infobase serving as an OpenID provider and any number of working infobases using this provider instead of asking users for a login and password. So you store logins and passwords in the OpenID provider infobase and tell the working infobases to get credentials from the provider. Note that normally the OpenID provider infobase is NOT a working infobase. It's a separate infobase (and a separate IIS publication).

What is where in your case? Does the OpenID IIS publication stand for the OpenID provider infobase? Where are the working infobases' publications then?

On the last screenshot, you try to connect to the OpenID provider infobase with a browser. Why? You aren't supposed to do that. You need to connect to a working infobase. It will ask the OpenID infobase for everything it needs.

 
#9
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Konstantin Rupasov,

Thank you very much for your useful information!

Let me explain the context:
I have some web applications, each written in a separate programming language. For example, Application 1 (.NET), Application 2 (PHP), ..., and a 1C managed application (1C:Enterprise).
It is supposed that these applications are used in an organization which uses Microsoft Exchange Server. That means each person in the organization will have an MS Exchange e-mail account, and the users of these applications should use ONLY one account (the e-mail account) to log in to these applications.
It is required that if there are 3 tabs in the browser running Application 1, Application 2 and the 1C Application, and I log in successfully to one application, Application 1 (using my e-mail account), then users can access the remaining Application 2 and 1C Application without logging in again.
According to my understanding, 1C:Enterprise supports the following authentication modes:
- 1C:Enterprise authentication,
- OS authentication, and
- OpenID authentication.
Then I think there is a way for my case with OpenID authentication. Therefore my solution is to use a 3rd-party authentication application. I built an IdentityServer that provides authentication services based on the sample here. IdentityServer is a framework and a hostable component that allows implementing single sign-on (SSO) and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. In order to authenticate via SSO, each application is provided a ClientId and ClientSecret so that SSO can detect the accepted authenticated applications.
At present, Application 1 and Application 2 can authenticate successfully via the SSO service using an MS Exchange e-mail account. However, it is NOT successful with the 1C managed application.
The following are my settings on the 1C managed application:
- The SSO service URI is filled in “OpenID provider address” (without a slash / at the end of the URI, based on the Administrator Guide).
- SSL is enabled in the IIS web server.
- The application is published successfully.

That is my case! (I drew the model in the attachment.)
Could you please give me a solution or advice?

Thank you,
Cuong

Edited: Nguyen Trung Cuong - Jan 13, 2016 07:18 PM
 
#10
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

To my knowledge, a 1C:Enterprise working infobase can use only one type of OpenID provider: another 1C:Enterprise infobase, published as such. If I'm right, you cannot use SSO as an OpenID provider; you need to use the 1C:Enterprise infobase instead. Which leads us to the next question: how do we use the 1C:Enterprise OpenID provider for .NET and PHP apps? I am not sure that it's even possible.

Please, give me some more time to delve into the issue. Maybe I will come up with some sort of solution for you.

 
#11
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Konstantin Rupasov,

Thank you very much for your support!
I am looking forward to your investigation!


Today I tried to create OpenID with 1C:Enterprise and failed. Could you please help me?

There are two PCs:
(1) Windows Server 2008
On this PC, the infobase is created as the OpenID provider (the OpenID infobase):
- IIS is configured to enable SSL.
- The infobase is published successfully.
- One user is created as an OpenID user with full permissions granted.

(2) Windows 8.1 Enterprise
On this PC, the infobase is created to use OpenID authentication (the CallOpenID infobase):
- The infobase is published successfully with the OpenID provider filled in: https://serverIPaddress/OpenID/e1cib/oida
- Users can access the provider infobase via browser normally from the URL: https://serverIPaddress/OpenID

However, when I run CallOpenID via browser (web client) (https://localhost/CallOpenID), I cannot log in with the OpenID users on the server (OpenID provider users).

Please have a look at the screenshot attachments for more details.
Could you please let me know what is wrong?

Additionally, in case CallOpenID and OpenID have the same username, what will happen when users log in from the client with this username?

Thanks,
Cuong

 
#12
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

Hi Cuong,

A few comments:

1. What are "serveripaddress" and "server ID add"? Did you replace the real IP with this for the forum only? Or are these real addresses you use?

2. What is "/e1cib/oida"? The correct address of an OpenID provider should be the following: "https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op"

3. After you publish the OpenID provider infobase, you should be able to download the oid2op file by going to this address with your browser. If the download doesn't start then something's wrong. Please check it. If the download works, please send me the oid2op file you downloaded.

 
#13
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

One more question, Cuong.

Why do you need OpenID at all? You could use Active Directory authentication with 1C infobase.

 
#14
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Konstantin Rupasov,

Thank you for your comments!

>1. What is "serveripaddress" and "server ID add"? You replaced the real IP with this for the forum only? Or these are real addresses you use?
“Server IP add” means the IIS site address.

>2. What is "/e1cib/oida"? The correct address of an OpenID provider should be the following: "https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op"
I filled in "/e1cib/oida" based on the guide on page 167, “7.5 CONFIGURING OPENID AUTHENTICATION SUPPORT” in “1C:Enterprise 8.3. Administrator Guide” (Publication Number: 83.103.02).
Could you please confirm the content?

>3. After you publish the OpenID provider infobase, you should be able to download the oid2op file by going to this address with your browser. If the download doesn't start then something's wrong. Please check it. If the download works, please send me the oid2op file you downloaded.
Please have a look at the attachment file (oid2op.zip).

>Why do you need OpenID at all? You could use Active Directory authentication with 1C infobase.
Do you mean I should use OS Authentication instead of OpenID?
The reason is that the users need to use their e-mail accounts to log in to the 1C application. But their PCs have not joined the organization domain. Then users can only perform OS authentication with local OS accounts (PC-Name\AccountName). I tried to fill \\domain\username into the “User” field of OS authentication, but it had no effect.


Thanks,
Cuong

 
#15
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

2. I am pretty sure that the correct URL has to end with "/e1cib/oid2op". Please try to use it and let me know if it works.

I don't know why it reads "oida" in the documentation. It looks like an error to me. I will figure it out and let you know.

3. Your attachment contains two screenshots. What I asked you to send me is not screenshots. I need an XML file containing the description of your OpenID provider. To get this file you need to put "https://localhost/OpenID/e1cib/oid2op" in the browser.

Please note that there is no "en_US" or "?cmd=init" in this string. Please also note that the correct URL ends with "oid2op", not "oid2rp" as in the URL in your screenshot.

After you go to this link, the browser should ask you where you want to save the file. Specify the folder, download the file and send it to me. If the browser doesn't ask you where to save the file, send me what exactly it shows after you go to the URL.

 
#16
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Konstantin Rupasov,

Please help me check the attached file.


Thanks,
Cuong

 
#17
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

Hi Cuong,

The file you sent me is not the oid2op file. Could you please do the following steps for me?

1. Open your browser
2. Copy this link to the browser's address line: https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op
3. Replace <IIS site address> with the actual name or IP address of the IIS web server you have published the OpenID provider infobase on.
4. Replace <OpenID provider IB> with the actual name of the OpenID provider infobase
5. Press Enter
6. If the address is correct, the standard "Download as" system dialogue will appear.
7. Select a directory to save the file. Do not change the file name.
8. Press OK
9. Go to the directory you selected in step 7, find the file oid2op and send it to me.

If you experience any problem on any of those steps, please send me the following information:

  • What step were you on?
  • What exactly did you do?
  • What exactly did you see? Please make a screenshot and attach it to your message.
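The provider address check from posts #12, #15 and this post, as an added shell example that is not part of this thread or of 1C:Enterprise itself. It builds https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op from the two values (stripping the trailing slash the Administrator Guide forbids), refuses a non-https address, fetches the descriptor with curl's default certificate verification (so an untrusted certificate, the problem in posts #4 and #6, fails loudly instead of being hidden), and checks that what came back is XML rather than an HTML login or error page. The function names and the host name iis.example.internal are assumptions, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the thread or of 1C:Enterprise. Builds the
# OpenID provider descriptor URL in the form given in this thread,
#   https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op
# fetches it with curl's default (strict) certificate verification and checks
# that the body is XML. Function names and the host name in the usage
# comment are assumptions; curl must be installed.

# Normalize the site address (no trailing slash, as the Administrator Guide
# quoted in the thread requires), require https, append the infobase name
# and the fixed "/e1cib/oid2op" path. Prints the URL on stdout.
build_oid2op_url() {
  site=${1%/}             # strip one trailing slash from the site address
  ib=${2#/}; ib=${ib%/}   # strip slashes around the infobase name
  case "$site" in
    https://*) ;;
    *) echo "provider address must start with https:// (got: $site)" >&2; return 1 ;;
  esac
  printf '%s/%s/e1cib/oid2op\n' "$site" "$ib"
}

# Return 0 when the file starts like an XML document and is not an HTML page
# (a login form or an IIS error page means the publication is wrong).
looks_like_xml_descriptor() {
  body=$(head -c 512 "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//')
  case "$body" in
    *'<html'*|*'<HTML'*|*'<!DOCTYPE'*) return 1 ;;
    '<?xml'*|'<'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Download the descriptor to $3 (default: ./oid2op). No -k/--insecure: an
# untrusted certificate must make this fail, because the web client will not
# use OpenID authentication on such a publication either.
fetch_oid2op() {
  url=$(build_oid2op_url "$1" "$2") || return 1
  out=${3:-oid2op}
  if ! curl -fsS -o "$out" -w 'HTTP %{http_code}, content-type %{content_type}\n' "$url"; then
    echo "fetch of $url failed: check the certificate chain and the publication name" >&2
    return 1
  fi
  looks_like_xml_descriptor "$out" || {
    echo "$out is not an XML descriptor; first bytes:" >&2
    head -c 200 "$out" >&2; echo >&2
    return 1
  }
}

# Usage (host name is a constructed placeholder):
#   sh check_oid2op.sh https://iis.example.internal OpenID
if [ "$#" -ge 2 ]; then
  fetch_oid2op "$1" "$2" && echo "oid2op downloaded to ${3:-oid2op} and looks like XML"
fi
```

If the download fails with a certificate error, that is the same condition the browser showed as the red cross on the lock icon; fix the certificate before looking at the publication itself. If the body is HTML, the publication name or the "/e1cib/oid2op" suffix is wrong (the "oida" and "oid2rp" variants mentioned above both produce that).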

 
#18
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi Konstantin Rupasov,

Please help me check my steps for creating the OpenID provider infobase in the attached screenshots and the downloaded file (OpenIDProvider.zip).

NOTE: My environment is
- Windows Server 2012 R2 Data center
- 1C:Enterprise 8.3 (8.3.7.1790)
- Google Chrome Version 48.0.2564.109
- IIS version 8.5.9600.16384


Thanks,
Cuong

 
#19
Active user
Rating: 2
Joined: Aug 10, 2012
Company: N/A

Hi,

Anyone can help?


Thanks,
Cuong

 
#20
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

Hello Cuong,

In order for me to help you I need you to do exactly the following steps (the same as in my last comment):
1. Open your browser
2. Copy this link to the browser's address line: https://<IIS site address>/<OpenID provider IB>/e1cib/oid2op
3. Replace <IIS site address> with the actual name or IP address of the IIS web server you have published the OpenID provider infobase on.
4. Replace <OpenID provider IB> with the actual name of the OpenID provider infobase
5. Press Enter
6. If the address is correct, the standard "Download as" system dialogue will appear.
7. Select a directory to save the file. Do not change the file name.
8. Press OK
9. Go to the directory you selected in step 7, find the file oid2op and send it to me.

I don't need you to do anything else and I won't be able to help you until you do these steps.

Do you understand how to perform these steps? Can you perform these steps for me? Can you explain why you don't do what I'm asking?

Edited: Konstantin Rupasov - Mar 11, 2016 05:38 PM
 
#21
Active user
Rating: 2
Joined: Jul 19, 2016
Company:

Is it possible to use the same certificate both for Open ID Provider and the main database?

 
#22
Active user
1C:Professional
Rating: 4
Joined: May 8, 2013
Company: 1C Company

Hi Alexey,

Not sure what certificate you are referring to. If we talk SSL certificates, then the answer depends on the certificate you've got. Every SSL certificate belongs to a specific domain (like mysite.mydomain.ru or mydomain*). If both the OpenID provider and the main databases are published within this domain, then they will be using the same SSL certificate.

Does it answer your question?
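As an added example that is not from this thread: a small shell check for whether one certificate name covers both the OpenID provider publication and the working infobase publication. It applies the one-label wildcard rule of RFC 6125 section 6.4.3, so a name like *.mydomain.ru covers openid.mydomain.ru and app.mydomain.ru but not a.b.mydomain.ru or mydomain.ru itself, which is the case where the two publications would need separate certificates or a second Subject Alternative Name. All host names below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread. Decides whether one certificate
# name covers a given set of host names, using the one-label wildcard rule
# from RFC 6125 section 6.4.3: "*.mydomain.ru" covers openid.mydomain.ru
# and app.mydomain.ru but not a.b.mydomain.ru and not mydomain.ru itself.
# All host names here are constructed placeholders.

# cert_name_matches NAME HOST -> 0 if NAME (a DNS name or *.suffix from the
# certificate's Subject Alternative Name) matches HOST, else 1.
cert_name_matches() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names compare case-insensitively
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$name" in
    \*.*)
      suffix=${name#\*.}       # everything after "*."
      label=${host%%.*}        # leftmost label of the host
      rest=${host#*.}          # host without its leftmost label
      # the wildcard must stand for exactly one non-empty label
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$name" = "$host" ]
      ;;
  esac
}

# covers_all_hosts NAME HOST... -> 0 only if every host is covered; reports
# the first uncovered host on stderr, which is the publication that would
# need its own certificate (or an extra SAN entry).
covers_all_hosts() {
  pat=$1; shift
  for h in "$@"; do
    if ! cert_name_matches "$pat" "$h"; then
      echo "$h is not covered by certificate name $pat" >&2
      return 1
    fi
  done
  return 0
}

# Usage: sh cert_coverage.sh '*.mydomain.ru' openid.mydomain.ru app.mydomain.ru
if [ "$#" -ge 2 ]; then
  covers_all_hosts "$@" && echo "one certificate for $1 covers all listed publications"
fi
```

Run it with each DNS name from the certificate's Subject Alternative Name and the host names of both publications; a certificate for a single host name (mysite.mydomain.ru) only covers both when both infobases are published under that one host.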

 
#23
Active user
Rating: 2
Joined: Jul 19, 2016
Company:

> Not sure what certificate you are referring to.
I mean the SSL certificate.

> Does it answer your question?
Yes, thanks!

 