Configuring Metric Insights to Use OpenID Connect

Metric Insights is compatible with OpenID Connect authentication. This article describes the steps that an Administrator must perform to configure Metric Insights for use with OpenID Connect.

In this article, Microsoft Azure will be used as an example Identity Provider.

1. Register an App in the Identity Provider Account

1.1. Start a New App Registration

  1. Open Azure Portal and log into account
  2. Access App registrations tab
  3. [+ New registration] to register an application

1.2. Complete the Registration

  1. Name: Give the application a descriptive name
  2. Supported account types: Select an "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option
  3. Redirect URI: In the left dropdown menu choose the "Web" option, and in the right field enter the redirection URI in the following format: https://<metric insights hostname>/simplesaml/module.php/authoauth2/linkback.php
  4. [Register]
  5. For further steps copy the following IDs:
    • Application (client) ID
    • Directory (tenant) ID

1.3. Generate Secret ID

Access Certificates & secrets section

  1. [+New client secret]
  2. Description: Enter a description for the client secret
  3. Expires: Select the period after which the secret expires
  4. [Add]
  5. Copy and save the Value (it is shown only once, immediately after creation)

2. Configure Metric Insights from SSH Terminal (PuTTY)

Open a terminal using SSH or PuTTY and access the Metric Insights instance

The next steps:

  1. Enter the web docker container (for a simple installation, use mi-console)
  2. Change directory to /opt/mi/external_config (cd /opt/mi/external_config)
  3. Make a copy of the current saml.php (cp saml.php saml.php.orig)
  4. Open saml.php (vi saml.php), paste the content of one of the examples below and update the OpenID-specific values:

OpenID Connect v1 example:

<?php
define('SAML_ADMIN_PASSWORD', '********');
define('SAML_SIGNING_KEY', '/opt/mi/ssl/server.key');
define('SAML_SIGNING_CERT', '/opt/mi/ssl/server.crt');
define('SAML_SIGN', FALSE);
define('SAML_ENCRYPT', FALSE);
define('SAML_AUTH_SOURCE', 'openidconnect');
define('SAML_URL_ISSUER', 'https://sts.windows.net/<TENANT ID>/');
define('SAML_CLIENT_ID', '<CLIENT ID>');
define('SAML_CLIENT_SECRET', '<SECRET ID>');
define('SAML_DISCOVERY_URL', 'https://login.microsoftonline.com/<TENANT ID>/v2.0/.well-known/openid-configuration');
define('SAML_UID_FIELD', 'name');
define('SAML_EMAIL_FIELD', 'unique_name');
define('SAML_FNAME_FIELD', 'given_name');
define('SAML_LNAME_FIELD', 'family_name');

OpenID Connect v2 example:

<?php
define('SAML_ADMIN_PASSWORD', '********');
define('SAML_SIGNING_KEY', '/opt/mi/ssl/server.key');
define('SAML_SIGNING_CERT', '/opt/mi/ssl/server.crt');
define('SAML_SIGN', FALSE);
define('SAML_ENCRYPT', FALSE);
define('SAML_AUTH_SOURCE', 'openidconnect');
define('SAML_URL_ISSUER', 'https://login.microsoftonline.com/<tenant id>/v2.0');
define('SAML_CLIENT_ID', '<CLIENT ID>');
define('SAML_CLIENT_SECRET', '<SECRET ID>');
define('SAML_DISCOVERY_URL', 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration');
define('SAML_UID_FIELD', 'name');
define('SAML_EMAIL_FIELD', 'id_token.preferred_username');
define('SAML_FNAME_FIELD', 'given_name');
define('SAML_LNAME_FIELD', 'family_name');

Replace <TENANT ID> with the Directory (tenant) ID, <CLIENT ID> with the Application (client) ID, and <SECRET ID> with the client secret Value gathered in the Identity Provider's account.

NOTE: In this example we use Microsoft Azure, but other Identity Providers will provide different SAML_URL_ISSUER and SAML_DISCOVERY_URL values. Your specific fields – SAML_UID_FIELD, SAML_EMAIL_FIELD, SAML_FNAME_FIELD, SAML_LNAME_FIELD, etc. – can also be different.
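A pre-flight check for the edited saml.php, added here as an example and not part of Metric Insights or the article: it parses the define() lines, confirms the <TENANT ID>, <CLIENT ID> and <SECRET ID> placeholders were replaced, requires https on the provider URLs, and verifies that SAML_URL_ISSUER matches the issuer advertised in the provider's discovery document (an issuer mismatch is a common cause of failed logins). The saml.php fragment and the discovery document below are constructed samples with made-up IDs; in practice the discovery document is fetched over HTTPS from SAML_DISCOVERY_URL.

```python
import json
import re

# Constructed saml.php fragment in the article's format (made-up tenant, client, secret).
SAMPLE_SAML_PHP = """<?php
define('SAML_AUTH_SOURCE', 'openidconnect');
define('SAML_URL_ISSUER', 'https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0');
define('SAML_CLIENT_ID', 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee');
define('SAML_CLIENT_SECRET', 'example-secret-value');
define('SAML_DISCOVERY_URL', 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration');
"""

# Constructed stand-in for the discovery document served at SAML_DISCOVERY_URL.
# The multi-tenant document carries a {tenantid} template in its issuer field.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token",
})

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PLACEHOLDER_RE = re.compile(r"<[^>]*>")  # e.g. <TENANT ID> left unreplaced

def parse_defines(php_text):
    """Return the string-valued define() pairs (FALSE/TRUE constants are skipped)."""
    return dict(DEFINE_RE.findall(php_text))

def check_config(php_text, discovery_json):
    """Return a list of problems; an empty list means all checks passed."""
    cfg = parse_defines(php_text)
    disc = json.loads(discovery_json)
    problems = []
    for key in ("SAML_URL_ISSUER", "SAML_CLIENT_ID", "SAML_CLIENT_SECRET", "SAML_DISCOVERY_URL"):
        if key not in cfg:
            problems.append(f"{key} missing")
        elif PLACEHOLDER_RE.search(cfg[key]):
            problems.append(f"{key} still contains a placeholder")
    for key in ("SAML_URL_ISSUER", "SAML_DISCOVERY_URL"):
        if key in cfg and not cfg[key].startswith("https://"):
            problems.append(f"{key} is not https")
    # Turn the discovery issuer into a pattern where {tenantid} matches one path segment,
    # then require the configured issuer to match it exactly (no extra or missing parts).
    issuer = cfg.get("SAML_URL_ISSUER", "")
    pattern = re.escape(disc.get("issuer", "")).replace(re.escape("{tenantid}"), r"[^/]+")
    if issuer and not re.fullmatch(pattern, issuer):
        problems.append("SAML_URL_ISSUER does not match discovery issuer")
    return problems

if __name__ == "__main__":
    print(check_config(SAMPLE_SAML_PHP, SAMPLE_DISCOVERY) or "config looks consistent")
```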

3. Enable SAML in Metric Insights

Access Admin > System > System Variables

  1. Find the SAML Variables
  2. Click the gear icon in the SAML_ENABLE Variable row
  3. Assigned value: Select "Y"
  4. [Save]
  5. [Commit Changes]