Nexeed

Multitenant Access Control

Identity providers

Identity providers act as a central system that users can log into and in which the users' identities are stored. When a user logs into the identity provider, the user's identity is verified. An identity provider can be connected to multiple IT systems, so users can log into several IT systems with the same identity and authenticate themselves with it everywhere (single sign-on).

If an identity provider is used, users no longer require a local user account for the respective IT system they want to log into. Access permissions (authorization) are assigned in the same way for local user accounts and for user identities integrated via the identity provider (see Assigning a User to a Role).

After selecting an identity provider in the overview of the Access management > Identity provider menu, the identity provider data is displayed in the detailed view on the right. In this view, you can edit details and manage assigned roles.

[Figure: Identity provider overview]

Header

Icon/element        Description
Display Order       Specifies the order in which the existing identity providers are displayed upon login.
settings            Change settings.

Identity provider entry

Icon/element        Description
switch-checked      Enable Identity Provider: when enabled, the identity provider is displayed on the login screen.
                    Disable Identity Provider: when disabled, the identity provider no longer appears on the login screen.

Add Identity Provider

When setting up applications in Microsoft Entra ID, approval may be required due to operator-specific IT guidelines.

Prerequisite

Identity Provider Manager role

Procedure

  1. Call up the Access management > Identity provider menu.

  2. In the list of identity providers, add a new identity provider with the add icon (add_border).

    The Add Identity Provider dialog appears with the Add or Import step.

    The following figures show the respective sub-areas of the dialog window.

    [Figure: Add Identity Provider dialog, sub-area 1]

    The Alias is defined when the identity provider is created and can then no longer be changed.

    The Redirect URL is generated for the identity provider integration and cannot be changed. It has to be configured at the external identity provider to make the login flow work.

  3. In the Name text field, enter the display name for the identity provider.

    The display name is displayed on the login page.

  4. In the Display Order field, enter the position at which the identity provider is to be displayed on the login page.

    The smaller the number, the higher the identity provider is displayed in the list on the login page (1 = position 1).

    [Figure: Add Identity Provider dialog, sub-area 2]
  5. If the identity provider publishes an OpenID Connect discovery document (well-known endpoint), activate the Use Discovery Endpoint function with switch-checked to import the required information.

    If a Discovery Endpoint is used, the following fields are filled out automatically.

  6. In the Authorization URL field, enter the URL to be used for identifying the organization and the user.

    The Authorization URL is provided by the identity provider. Upon login to Nexeed Industrial Application System, the user is forwarded to this URL at the identity provider for authentication and authorization. The Authorization URL confirms the identity of the user and grants the necessary permissions to access Nexeed Industrial Application System.

  7. In the Token URL field, enter the URL for token-based authentication.

    The Token URL is provided by the identity provider. It connects the identity provider to Nexeed Industrial Application System and enables the transfer of authentication and authorization data in the form of access tokens. When a user logs in, Nexeed Industrial Application System sends a request to this URL to obtain an access token.

  8. In the Logout URL field, enter the URL to log out of the identity provider and Nexeed Industrial Application System.

    The Logout URL is provided by the identity provider. It forwards the user to the identity provider when logging out of Nexeed Industrial Application System. The identity provider performs the logout process and deletes the user’s authentication information.

  9. In the User Info URL field, enter a URL that provides additional user information.

    The User Info URL is provided by the identity provider. It is used to retrieve additional information about the user (e.g. name and email address).

  10. In the Publisher field, enter a URL that identifies the identity provider.

    The Publisher URL is provided by the identity provider. It uniquely identifies the identity provider as the publisher (issuer) of the access token, and the token is checked against it during the login process. This ensures that the access token actually originates from the configured identity provider.

  11. Use switch-checked to enable or disable validation of the signatures.

    The Validate Signatures function validates the signature of the access token from the identity provider. This ensures that the token has not been manipulated and that it comes from a trusted publisher.

  12. Use switch-checked to set whether a JWKS URL is to be used.

    When Use JWKS URL is enabled, the public keys used to validate JSON Web Tokens are taken from the JWKS URL, a URL that points to a JSON document containing the identity provider's public keys. The public key obtained from there is used to validate the access token issued by the identity provider.

  13. If the JWKS URL function is activated, enter the URL in the JWKS URL field.

  14. Use switch-checked to set whether the Use PKCE function is to be used.

    PKCE (Proof Key for Code Exchange) is an extension of the OAuth 2.0 authorization protocol. It ensures that the authorization code can only be redeemed by Nexeed Industrial Application System.

    [Figure: Add Identity Provider dialog, sub-area 3]
  15. Select the authentication type from the Client Authentication drop-down list:

    • Client Secret Sent via Basic Auth

      The client secret is a secret key provided by the identity provider. The client secret is sent as part of the authorization header from the client (Nexeed Industrial Application System) to the identity provider for authentication. Sending the client secret to the identity provider as an authorization header prevents the client secret from being visible in the URL string or in other parts of the request.

    • Client Secret Sent via POST (default value when creating an identity provider)

      The client secret is sent as a POST body from the client (Nexeed Industrial Application System) to the identity provider for authentication. Sending the client secret to the identity provider as a POST body prevents the client secret from being visible in the URL string or other parts of the request.

    • Client Secret as JWT

      The client secret is sent to the identity provider as a JSON Web Token (JWT). A JWT is a JSON object that contains a digital signature and is used to transfer information between the sender and the recipient. Sending the client secret to the identity provider as a JWT prevents the client secret from being visible in the URL string or in other parts of the request.

    • JWT Signed with Private Key

      Similar to Client Secret as JWT. With this function, the JSON Web Token (JWT) is additionally signed with a private key. Signing the JWT with a private key ensures that the JWT has not been manipulated and that it comes from the sender who signed it.

  16. Enter Client ID.

    The Client ID is provided by the identity provider. The Client ID identifies the client. After logging in, the client is authorized to access protected resources.

  17. Enter Client Secret.

    The Client Secret is a secret password provided by the identity provider. The Client Secret ensures that only authorized and authenticated applications can access protected resources.

  18. Click Next.

    The Configuration step appears.

    [Figure: Add Identity Provider dialog, sub-area 4]
  19. Use switch-checked to select whether a Backchannel Logout is to be used.

    The Backchannel Logout function allows the user to simultaneously log out of all services connected to the identity provider (single logout).

  20. Use switch-checked to select whether the Switch Off User Info function is to be used.

    If this function is disabled, additional information about the user (such as name and email address) can be transmitted.

  21. In the Scopes field, enter the OpenID Connect scopes for authorization, separated by spaces. Default value when creating an identity provider: openid email profile

    Scopes define which information a client (Nexeed Industrial Application System) can retrieve from an identity provider. Scopes ensure that only authorized clients with the necessary permissions can access this information.

  22. Enter Transferred Query Parameters.

    This function allows you to forward additional parameters to the identity provider. These parameters can be used to perform authentication or to obtain additional information about the user.

  23. Select the Procedure for First Login from the drop-down list. Default value when creating an identity provider: first broker login autolink

    This function determines the procedure upon first login with the identity provider. The term "First Login" means that no account is associated with the identity.

  24. In the Synchronization Mode drop-down list, specify how the user information is to be synchronized between the identity provider and other systems:

    • Import (default value when creating an identity provider)

      The user information is synchronized once when a user logs in for the first time.

    • Legacy

      Use current settings.

    • Force

      The user information is synchronized upon every login.

  25. Click Save.

The settings are applied.
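Added example (not part of this guide or of the product): a Python check that takes a discovery document, as imported by Use Discovery Endpoint in step 5, and maps it onto the dialog fields of steps 6 to 15. It flags a non-https endpoint and an issuer that does not match the discovery URL (the Publisher check of step 10). The tenant id and the discovery document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample: an Entra ID style discovery document with a placeholder tenant id.
DISCOVERY_URL = ("https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
                 "/.well-known/openid-configuration")
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "end_session_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/logout",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "private_key_jwt"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Discovery document key -> field in the Add Identity Provider dialog (steps 6 to 13).
FIELD_MAP = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "end_session_endpoint": "Logout URL",
    "userinfo_endpoint": "User Info URL",
    "issuer": "Publisher",
    "jwks_uri": "JWKS URL",
}
WELL_KNOWN = "/.well-known/openid-configuration"


def map_discovery(doc_json, discovery_url):
    """Return the dialog fields derived from a discovery document plus a list of problems."""
    doc = json.loads(doc_json)
    fields, problems = {}, []
    for key, field in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            problems.append(f"{field}: '{key}' is missing from the discovery document")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{field}: {value} is not served over https")
        fields[field] = value
    # OpenID Connect Discovery requires the issuer to equal the discovery URL without the
    # well-known suffix; a mismatch means the document does not belong to the expected issuer.
    expected_issuer = discovery_url[:-len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else None
    if expected_issuer is None or doc.get("issuer") != expected_issuer:
        problems.append(f"Publisher: issuer {doc.get('issuer')!r} does not match {discovery_url}")
    # Switches the document lets us decide: Use PKCE (step 14) needs S256, Validate Signatures
    # (steps 11 to 13) needs a JWKS URL, Client Authentication (step 15) must be a supported method.
    fields["Use PKCE"] = "S256" in doc.get("code_challenge_methods_supported", [])
    fields["Validate Signatures"] = "JWKS URL" in fields
    fields["Client Authentication"] = doc.get("token_endpoint_auth_methods_supported", [])
    return {"fields": fields, "problems": problems}
```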

Example of an identity provider configuration for Microsoft Entra ID

The following example shows the configuration of an identity provider with Microsoft Entra ID. The illustrations of Microsoft Entra ID correspond to the software version when this user guide was created.

Prerequisite

Identity Provider Manager and Group Mapper Manager role

Procedure

  1. Open the Microsoft Azure portal.

  2. Click Microsoft Entra ID (1).

    [Figure: mac oidc azure ad identity prov 1]

    The Azure Active Directory overview is displayed.

  3. In the + Add (1) selection list, click App registration (2).

    A new application is created and opened.

    [Figure: mac oidc azure ad identity prov 2]
  4. Enter the Display name (1) and select the Supported account types (2).

    [Figure: mac oidc azure ad identity prov 3]
  5. Click Register.

  6. In the Certificates & secrets (1) area, click + New client secret (2).

    [Figure: mac oidc azure ad identity prov 4]
  7. Enter the Description (3) and the period of validity (4).

  8. Click Add (5).

  9. Copy the value (1) of the client secret and save it locally on the computer.

    The client secret value can only be copied at this point; it cannot be displayed or copied again later.

    [Figure: mac oidc azure ad identity prov 5]
  10. In the Token configuration (1) area, click + Add optional claim (2).

    [Figure: mac oidc azure ad identity prov 6]
  11. Select the token type (3).

  12. If the user info endpoint does not meet the requirements, select family_name and given_name (4).

  13. Select login_hint to avoid problems during logout caused by excessively large tokens.

  14. Click Add (5).

  15. Note: Ignore the Add optional claim prompt when saving and click Add.

    OpenID Connect is configured by default with Multitenant Access Control.

    [Figure: mac oidc azure ad identity prov 7]
  16. Switch to the Overview (1) area.

    [Figure: mac oidc azure ad identity prov 8]
  17. Copy the Application (client) ID (2) and save it locally on the computer.

  18. Switch to the Endpoints (3) tab.

  19. Copy the OpenID Connect metadata document URL (4) and save it locally on the computer.

  20. In the Multitenant Access Control module, call up the Access management > Identity provider menu.

  21. Add the identity provider (see Add Identity Provider).

  22. Enter Alias and Name.

    [Figure: mac oidc azure ad identity prov 9a]
  23. Based on the given alias, the Redirect URL field is populated. Copy the value and configure it at the application in Microsoft Azure under Authentication as a redirect URI of the Web platform.

    [Figure: mac oidc azure ad identity prov redirectUrl path]
    [Figure: mac oidc azure ad identity prov redirectUrl form]
  24. Go back to Multitenant Access Control and activate the Use Discovery Endpoint switch.

    [Figure: mac_identity providerident_use discovery endpoint]
  25. In the Discovery Endpoint text field, insert the previously copied OpenID Connect metadata document URL.

  26. In the Client Authentication selection list, select Client Secret Sent via POST.

    [Figure: Add Identity Provider dialog, sub-area 3]
  27. In the Client ID field, insert the previously copied Application (client) ID.

  28. In the Client Secret field, insert the previously saved client secret value.

  29. To add groups to a token, click + Add group claim (2) in the Token configuration (1) area.

    [Figure: mac oidc azure ad identity prov 10]
  30. Set the group type for the group claim (3).

    Select the groups/roles that should be part of the tokens issued during login.

    Selecting Groups assigned to the application assumes that the relevant groups are explicitly assigned to the application; as a consequence, the group hierarchy cannot be used.

    If the application is not subsequently given the necessary permissions for Microsoft Graph, do not add all existing groups to a token: once 200 or more groups are assigned to a user, not all of them will be available in the token.

    Do not add all existing groups to a token without configuring the login_hint claim. A token larger than 10 kB can otherwise lead to problems during logout.

  31. Set the token property (4) (example: Group ID).

    You can send either the Group ID or the sAMAccountName in the token. The group assignment in Multitenant Access Control must use the same value accordingly.

  32. Click Add (5).

  33. To assign the application permissions needed to evaluate group membership and hierarchies, click + Add a permission (2) in the API permissions (1) area and then select the Microsoft Graph (3) API under Microsoft APIs.

    [Figure: Set application permissions in Entra ID]
  34. Select the Delegated permissions (4) User.Read and GroupMember.Read.All and click Add permissions. Granting admin consent is recommended; otherwise each user will have to request consent during the login process.

    User.Read permission is required for the API call "/me/transitiveMemberOf/microsoft.graph.group?$select=", for integration of organisation/group hierarchy in Multitenant Access Control.

    GroupMember.Read.All permission is required to read the groups via "/me/transitiveMemberOf/microsoft.graph.group?$select=" which the user is a (transitive) member of. This is also required for the integration of organisation/group hierarchy in Multitenant Access Control.

  35. To manage the application, click the application in the overview (1).

    [Figure: mac oidc azure ad identity prov 11]
  36. If you selected Groups assigned to the application for the group claim:

    • In the Users and groups (1) area, click + Add user/group (2).

      [Figure: mac oidc azure ad identity prov 12]
    • Click None selected (1).

      [Figure: mac oidc azure ad identity prov 13]
    • Search for the group names (2) and use the checkboxes (3) to assign the desired groups to the application.

    • Click Select (4).

    • Click Assign (1).

      [Figure: mac oidc azure ad identity prov 14]

      The group is assigned to the application.

    • In the Users and groups area, click the newly assigned group (1).

      [Figure: mac oidc azure ad identity prov 14b]
  37. Search for the group and copy its Object ID (1) to the clipboard (if the group claim was configured with sAMAccountName, use that value instead).

    [Figure: mac oidc azure ad identity prov 14c]
  38. In the Multitenant Access Control module, call up the Access management > Identity provider menu.

  39. Open Add Mapper and enter the previously copied Object ID of the group in the Claim Value text field.

    [Figure: mac oidc azure ad identity prov 15]
  40. Select Force as the Sync Mode in the drop-down list.

    This ensures that the claim is checked at every login with the token and that the assignment to the mapped group is re-evaluated and updated.

  41. Make sure that groups is entered in the Claim Name text field.

  42. Click Save.

All users assigned to the user group stored with the identity provider can log in to Nexeed Industrial Application System centrally via the identity provider.
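Added example, not taken from this guide or from the product: a Python model of the group claim mapper from steps 39 to 41 (Claim Name, Claim Value, Sync Mode) together with the token-size checks a defender wants before enabling a broad group claim in step 30. The token claims, group object IDs and mapper values are constructed placeholders; the overage and size checks simply apply the 200-group and 10 kB figures stated above.

```python
import base64
import json

# Constructed sample claims of an ID token from the Entra ID app registration; issuer,
# audience, login hint and group object IDs are placeholders, not real tenant data.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "aud": "APPLICATION-ID-PLACEHOLDER",
    "preferred_username": "jane.doe@example.com",
    "login_hint": "LOGIN-HINT-PLACEHOLDER",
    "groups": ["11111111-0000-0000-0000-000000000001",
               "11111111-0000-0000-0000-000000000002"],
}
# The mapper as entered in Add Mapper: Claim Name, Claim Value (group Object ID), Sync Mode.
SAMPLE_MAPPER = {"claim_name": "groups",
                 "claim_value": "11111111-0000-0000-0000-000000000001",
                 "sync_mode": "force"}

GROUP_OVERAGE_LIMIT = 200     # step 30: with 200 or more groups not all of them reach the token
MAX_TOKEN_BYTES = 10 * 1024   # step 30: tokens above 10 kB cause problems during logout


def mapper_matches(claims, mapper, first_login):
    """True/False if the mapper was evaluated on this login, None if it was left untouched.
    'force' re-evaluates the claim at every login; 'import' and 'legacy' are modelled here as
    touching the assignment only at the first login and leaving it unchanged afterwards."""
    if mapper["sync_mode"] != "force" and not first_login:
        return None
    values = claims.get(mapper["claim_name"], [])
    if isinstance(values, str):          # a single-valued claim is still a match candidate
        values = [values]
    return mapper["claim_value"] in values


def encoded_size(claims):
    """Size of the claims as they travel in a JWT payload (base64url without padding)."""
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(payload).rstrip(b"="))


def token_warnings(claims, directory_group_count=None):
    """Warnings to resolve before enabling 'all groups' in the group claim.
    directory_group_count lets the caller pass the user's real group count (e.g. from the
    Microsoft Graph lookup of step 34) when the token no longer carries every group."""
    groups = claims.get("groups", [])
    count = directory_group_count if directory_group_count is not None else len(groups)
    warnings = []
    if count >= GROUP_OVERAGE_LIMIT:
        warnings.append("group overage: not all groups fit in the token; grant the Microsoft "
                        "Graph permissions from step 34 instead of relying on the claim")
    if encoded_size(claims) > MAX_TOKEN_BYTES:
        warnings.append("token payload exceeds 10 kB; logout may fail")
    if "login_hint" not in claims:
        warnings.append("login_hint claim missing; add it (step 13) before enabling large group claims")
    return warnings
```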

Enable Identity Provider

Prerequisites

  • Identity Provider Manager role

  • The selected identity provider has been disabled.

Procedure

  1. Call up the Access management > Identity provider menu.

  2. Use switch-unchecked to enable the selected identity provider.

  3. In the dialog window, click Activate.

The identity provider is enabled and appears on the login screen.

Disable Identity Provider

Prerequisites

  • Identity Provider Manager role

  • The selected identity provider has been enabled.

Procedure

  1. Call up the Access management > Identity provider menu.

  2. Use switch-checked to disable the selected identity provider.

  3. In the dialog window, click Disable.

The identity provider is disabled and no longer appears on the login screen.

Edit Identity Provider

Prerequisite

Identity Provider Manager role

Procedure

  1. Call up the Access management > Identity provider menu.

  2. Click mdm_edit_icon for the identity provider to be changed.

    The Edit Identity Provider dialog appears.

  3. Make changes to the identity provider (see Add Identity Provider).

  4. To save the changes, click Save.

The identity provider is changed.


© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved
