FastClose Server supports the OpenID Connect (OIDC) protocol which utilizes OAuth 2.0. If your company uses an external Identity Provider (IDP), then FastClose can also use that to authenticate users.
Examples of IDPs are:
Microsoft Entra ID (formerly Azure Active Directory)
Okta Single Sign-On
Google's OAuth 2.0
FastClose Server uses OIDC only to authenticate users. The FastClose Server matches a user based on the username field of the FastClose user, which is compared to the value found in the email claim.
The OIDC flow used is the 'Authorization Code Flow'. The 'Response Type' requested is code and the scopes should include openid.
In the FastClose Server Admin web app, click 'System' then 'Setup' and scroll to the 'Server Authentication' section.
Select 'External OIDC Provider' from the dropdown to reveal the required configuration fields.
You can use the Password Sign In page as a fallback if you cannot log in using OIDC during configuration.
Fill in the following information which will be available from the OIDC Application you created in your IDP.
Authority: Enter the authority URL of your application that provides the OIDC Application. For example, if your well-known endpoint is https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
then your authority would be
https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/
Client ID: The application or client ID of your application.
Client secret: The client secret from your application. This setting is likely required for most IDPs.
Scopes: The OIDC Scopes that are required to access the desired Email Claim. Enter openid email. The openid value is mandatory. The email value is optional; it ensures that the user's email address is automatically available if the username is not the user's email address. You can add extra scopes here if required.
Email claim: The name of the Claim that holds the user's email address (or username). Usually just email. The FastClose Server matches the username field to the value in the email claim.
Redirect URL: This value is the Redirect URI that will be used and should be added to your OIDC Provider for your application. It is the external URL (i.e. callback URL) that the IDP will call when returning to FastClose Server after authentication.
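A pre-flight check for the fields above, as an added example (not FastClose code): it derives the Authority from a well-known endpoint and compares the planned Scopes and Email claim with the IDP's discovery document. The function names and the sample discovery document are constructed for illustration; a real document is the JSON served at the well-known endpoint.

```python
import json

WELL_KNOWN_SUFFIX = ".well-known/openid-configuration"

# Constructed discovery document for the placeholder tenant used on this page;
# a real one is the JSON returned by the IDP's well-known endpoint.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat", "email", "name"]
}""")


def authority_from_well_known(url):
    """Derive the Authority value by stripping the discovery suffix."""
    if not url.startswith("https://"):
        raise ValueError("well-known endpoint must use https")
    if not url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an OIDC discovery URL")
    return url[: -len(WELL_KNOWN_SUFFIX)]


def check_settings(authority, scopes, email_claim, discovery):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    # Compare without the trailing slash: the authority may be entered either way.
    if discovery.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append("issuer does not match authority")
    # The Authorization Code Flow needs response type 'code'.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scope 'openid' is mandatory")
    # scopes_supported and claims_supported are optional discovery metadata,
    # so only compare when the IDP publishes them.
    supported = discovery.get("scopes_supported")
    if supported is not None:
        for scope in requested:
            if scope not in supported:
                problems.append(f"scope '{scope}' not advertised by IDP")
    claims = discovery.get("claims_supported")
    if claims is not None and email_claim not in claims:
        problems.append(f"claim '{email_claim}' not advertised by IDP")
    return problems
```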
Here is an example configuration based on Microsoft Entra ID.
Below are the example steps required to create an OIDC application in Microsoft Entra ID and configure FastClose Server to use the created application.
Visit the Microsoft Entra admin center and select 'Enterprise Applications'.
Click 'New application' and select 'Create your own application'.
Choose a name for your app and select 'Register an app to integrate with Microsoft Entra ID'.
Select 'Accounts in this organizational directory only' and skip the Redirect URI for now.
Click 'Register'.
Select your registered app from the Enterprise Applications page and choose 'Single sign-on' from the menu.
Click 'Go to application'.
Note your Client ID as well as your Tenant ID.
Click 'Endpoints' to see your OIDC application endpoints.
Consider whether to enable Assignment for the App.
If enabled, you must manually add users/groups of your organization to the App before they can log in to FastClose.
If not enabled, any user who can authenticate with your organization via Microsoft Entra can log in to FastClose, provided there is a matching user. There is no need to manually add users to the App.
Note that there must be a FastClose user whose username matches the email of the user for them to log in successfully.
To enable it, select 'Microsoft Entra' and select 'Enterprise Applications'. Select the recently created App, click 'Properties' and for 'Assignment Required' select 'Yes'.
From the left menu select 'Users and Groups'.
From here you can add individual users or groups of users who can access FastClose.
Select 'Microsoft Entra' and then 'Enterprise Applications'.
Select the recently created App.
Select 'Single Sign On' and click 'Go To Application'.
Select 'Certificate and Secrets' from the menu, then 'New client secret'.
Save the Client Secret Value to Notepad or similar, for use later on. It cannot be displayed again.
Select 'API Permissions' from the menu, then update or add to the 'Microsoft Graph' permissions.
You will need to add the permissions: User.Read, email, and openid.
Do not log out until you have either created a new user for yourself, with your email address as username and with membership of the Administrators group, or edited your existing administrative user's username to be your email address.
In the Admin app, log in as Administrator using the password, click 'System' then 'Setup' and scroll down to the 'Server Authentication' section. Select 'External OIDC Provider' and fill in the following information.
Authority: This will be https://login.microsoftonline.com/{Your-Tenant-ID}/v2.0
Client ID: This will be your Application ID
Client Secret: See previous section for value
Scopes: openid email
Email claim: email
Click 'Test Settings' and check for a success message.
Copy the Redirect URI to Notepad or similar and then click 'Save'.
In Microsoft Entra ID select your Registered App and click 'Authentication' from the menu.
Click 'Add a Platform'.
Select 'Web'.
Enter or paste the Redirect URI which you obtained from the previous step.
Select 'ID tokens' and click 'Configure'.
Ensure you have a user account configured in FastClose where the Username field matches your email address from Microsoft Entra, and that the account is a member of the Administrators group.
Open an incognito or private browser window and visit the FastClose Server Admin web app.
Click 'Sign In'.
You should be forwarded to https://login.microsoftonline.com/ where you can log in to your account.
Enter your credentials to sign in and you should be redirected back to the FastClose Server home page where you should now be signed in.
You can now close the incognito browser window, log out as Administrator, and log in again as yourself.