OpenID Connect

FastClose Server supports the OpenID Connect (OIDC) protocol, which is built on OAuth 2.0. If your company uses an external Identity Provider (IDP) such as Microsoft, Google or Okta, then FastClose can also use that IDP to authenticate users.

OIDC Information

FastClose Server uses OIDC only to authenticate users. The server identifies a user by matching the username field against the value found in the email claim.

The OIDC flow used is the Authorization Code flow. The response type requested is code, and the scopes should include openid.

Examples of IDP's are:

Enable OIDC Authentication

On the FastClose Server Admin site, click System → Setup and scroll to the Server Authentication section.

Select External OIDC Provider from the dropdown.

You may visit the Password Override page if you cannot log in using SSO Authentication during configuration and setup of new users.

Configure OIDC Authentication

Fill in the following information, which will be available from the OIDC Application you created in your IDP.

Authority: Enter the authority URL of the IDP that provides your OIDC Application. For example, if your well-known endpoint is https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration then your authority would be:

https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/

Client ID: The application or client ID of your application.

Client secret: The client secret from your application. This setting is likely required for most IDPs.

Scopes: The OIDC Scopes that are required to access the desired Email Claim. Enter openid email. The openid value is mandatory. The email value is optional; it ensures that the user's email address is automatically available if the username is not the user's email address. You can add extra scopes here if required.

Email claim: The name of the Claim that holds the user's email address (or username). Usually just email. The FastClose server matches the username field to the value in the email claim.

Redirect URL: This value is the Redirect URI that will be used and should be added to your OIDC Provider for your application. It is the external URL (i.e. callback URL) that the IDP will call when returning to FastClose Server after authentication.
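The relationship between these settings and the provider's discovery metadata can be checked offline. The following is an added example, not FastClose code: the function names, the constructed SAMPLE_DISCOVERY document and any redirect URI passed in are assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit

SUFFIX = "/.well-known/openid-configuration"

def authority_from_well_known(url):
    """Derive the Authority setting from a provider's discovery URL."""
    if not url.endswith(SUFFIX):
        raise ValueError("not an OIDC discovery URL")
    return url[: -len(SUFFIX)] + "/"

def check_settings(authority, scopes, email_claim, discovery):
    """Compare the settings with discovery metadata; return a list of problems."""
    problems = []
    if urlsplit(authority).scheme != "https":
        problems.append("authority is not https")
    if discovery.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append("issuer does not match authority")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type code not advertised")
    if "openid" not in scopes.split():
        problems.append("openid scope missing")
    # claims_supported is optional metadata, so only check it when present.
    supported = discovery.get("claims_supported")
    if supported is not None and email_claim not in supported:
        problems.append("claim %r not advertised" % email_claim)
    return problems

def authorization_url(discovery, client_id, redirect_uri, scopes, state, nonce):
    """Build the Authorization Code flow request the browser is sent to."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the URI registered at the IDP
        "scope": scopes,
        "state": state,
        "nonce": nonce,
    })
    return discovery["authorization_endpoint"] + "?" + query

# Constructed discovery metadata for the placeholder tenant used on this page.
TENANT = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": TENANT + "/v2.0",
    "authorization_endpoint": TENANT + "/oauth2/v2.0/authorize",
    "response_types_supported": ["code", "id_token"],
    "claims_supported": ["sub", "iss", "aud", "email", "preferred_username"],
}
```

An empty list from check_settings means the Authority, Scopes and Email claim values are consistent with what the provider advertises.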

Example

Here is an example configuration based on Microsoft Entra ID.


Configuring Microsoft Entra

Below are the example steps required to create an OIDC application in Microsoft Entra ID and configure FastClose Server to use the created application.

Step 1 - Create the Application

Visit the Microsoft Entra admin center and select Enterprise Applications.


Click New application and select Create your own application


Choose a name for your app and select Register an app to integrate with Microsoft Entra ID.


Select Accounts in this organizational directory only and skip the Redirect URI for now.

Click Register.

Select your registered App from the Enterprise Applications page and choose Single sign-on from the menu.

Select go to application.


Note your Client ID as well as your Tenant ID.

Click Endpoints to see your OIDC application endpoints.


Step 2 - Configure the Client Secret and API Permissions

Select App Registrations from the Entra menu. Select All applications. Click on your registered App.

Select Certificate and Secrets from the menu.

Select New client secret


Save the Client Secret Value to a notepad for use later on.

Select API Permissions from the menu.

Update or add to the Microsoft Graph permissions.

You will need to add the permissions: User.Read, email, and openid.


Step 3 - Configure FastClose Server

Visit your FastClose server, usually located on port 5101.

Select System → Setup

Under Server Authentication select OIDC Provider and fill in the following information.

Authority: This will be https://login.microsoftonline.com/{Your-Tenant-ID}/v2.0

Client ID: This will be your Application ID

Client Secret: See previous section for value

Scopes: openid email

Email claim: email

Click Test Settings and expect a Success message.


Note down the Redirect URI and click Save.

Step 4 - Add the Redirect URI

In Microsoft Entra ID select your Registered App and click Authentication from the menu.

Click Add a Platform.

Select Web.

Enter the Redirect URI which can be obtained from the previous step.

Select ID tokens and click Configure.


Step 5 - Sign In

Ensure you have a User account configured where the Username field matches the email address claim from Microsoft Entra.

FastClose Server

Microsoft Entra Account

Visit the FastClose Server Admin site and ensure you are logged out. It may be preferable to test this in an Incognito browser window.

Select Sign In


You should be forwarded to https://login.microsoftonline.com/ where you can log in to your account.


Enter your credentials to sign in and you should be redirected back to the FastClose Server homepage where you will be signed in.
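When sign-in succeeds at the IDP but no FastClose user is matched, the ID token's claims show whether the configured Email claim is present and how it compares with the Username field. The following is an added troubleshooting example, not FastClose code: it decodes a constructed token for inspection only (no signature verification), and since the page does not state whether matching is case-sensitive, it reports case differences separately.

```python
import base64
import json

def b64url(data):
    """Base64url-encode bytes without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def diagnose(claims, email_claim, usernames):
    """Explain how the configured claim relates to the known usernames."""
    value = claims.get(email_claim)
    if not isinstance(value, str) or not value:
        present = sorted(k for k, v in claims.items()
                         if isinstance(v, str) and "@" in v)
        return "claim %r missing; address-like claims present: %s" % (
            email_claim, present)
    if value in usernames:
        return "match: " + value
    folded = {u.casefold(): u for u in usernames}
    if value.casefold() in folded:
        return "differs only in case from username " + folded[value.casefold()]
    return "no user with username " + value

def sample_token(claims):
    """Build a constructed, unsigned-in-practice token for the demo."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return header + "." + body + "." + b64url(b"placeholder-signature")

if __name__ == "__main__":
    # Constructed claims: the token carries no "email" claim at all.
    token = sample_token({"sub": "abc", "preferred_username": "jane@example.com"})
    print(diagnose(jwt_payload(token), "email", ["jane@example.com"]))
```

If the configured claim is missing, either add the scope that releases it or set Email claim to a claim the token actually carries.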
