
Setting Up OpenID Connect (Enterprise Only)

NavVis IVION uses OpenID Connect to provide a secure, reliable, and easy way to authenticate federated users. OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol and allows you to connect your authentication system to NavVis IVION via a single sign-on authorization provider such as Keycloak. By delegating authentication to OpenID Connect and using the OAuth 2.0 authorization protocol, NavVis IVION can support advanced authentication schemes while relying on reliable and proven industry standards.

As a prerequisite, you need to set up an identity solution of your choice. For instructions on how to set it up, refer to the documentation of that identity solution.
Follow these steps to set up OpenID Connect with an authorization provider of your choice:
Note: We are using Keycloak as an example here. You can set up OpenID Connect with an authorization provider of your choice.
  1. Install Keycloak.
  2. Create a new realm.
    1. In Keycloak, open the Master drop-down menu and click Add realm.
    2. Enter a name for the new realm and click Create.
  3. If you are setting up from scratch you need to create users.
    1. Go to the Users tab and click Add user.
    2. In the dialog that opens, enter the user information and click Save.
  4. Create an OpenID Connect client.
    1. Go to the Clients tab and click Create.
    2. You will be directed to this page:
    3. Enter the information required and click Save.
      The Client ID must not contain any spaces.
    4. Open the client page and enter your NavVis IVION instance host URL followed by an asterisk in the Valid Redirect URIs field.
      OpenID Connect needs these URIs to redirect you back to your NavVis IVION instance after you log in.
  5. Configure NavVis IVION to use this client.
    1. Go to your NavVis IVION instance.
    2. On your instance dashboard, go to Instance Settings > OpenID Connect.
    3. Click Add new connection.
    4. In the dialog that opens, enter the required information.
      • The Issuer URL is the URL of your realm in Keycloak.
      • You can get the Client Secret from the Credentials tab of your Keycloak client page.
      • The Redirect URIs value is usually your NavVis IVION URL.
        Note: Some authorization providers require a complete redirect URI, e.g. [instanceURL]/oauth2/callback/[registrationId]
      • NavVis IVION always requests three scopes from the authorization provider: openid, profile, and email. Additional scopes can be configured under Additional authorization scopes.
      • If you want users to be deleted from NavVis IVION when they are deleted from the identity provider, enable the toggle button.
      • If you want to map external user groups to NavVis IVION, enable the toggle button.
      • If you want to use OpenID Connect with IVION Go, enter com.navvis.mdfa://iv/oauth2-response in the Redirect URIs field.
    5. Click Add connection.
    6. Use the toggle button to enable the connection.
  6. Log in to NavVis IVION with OpenID Connect.
    1. Access the login menu by signing out of NavVis IVION.
    2. Click the Continue with button.
    3. This will redirect you to the provider page where you log in.
    4. You will be redirected to NavVis IVION.

Mapping External User Groups to NavVis IVION (Enterprise Only)

If user groups have been created in NavVis IVION, the administrator can map them to groups from an external authorization provider such as Keycloak. Once mapped, users who belong to a mapped external group are automatically added to the corresponding NavVis IVION group when they log in.

Follow these steps to map external user groups to NavVis IVION:
  1. Go to Instance Settings > OpenID Connect.
  2. Set up a new OpenID Connect connection or open an existing connection by clicking the pencil icon.
  3. Use the Map user groups from access token toggle button to enable the mapping of external user groups.
  4. Enter the required information under Group array JWT claim.
  5. If you want all users to be automatically added to the Everyone group, enable the toggle button.
  6. Click Save.
Changes made to group memberships in an external authorization system will now be automatically updated in NavVis IVION.
Note: When dot notation is not sufficient to express the custom group claim, use JSON path bracket notation instead.
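The following is an added Python example, not NavVis code, showing how a Group array JWT claim path selects the group array from a token payload and why bracket notation is needed when a claim key itself contains a dot. The sample token, its claim layout and the "navvis.ivion" client key are constructed assumptions, and the token signature is deliberately not verified here.

```python
import base64
import json

# Constructed sample payload; the nested "navvis.ivion" client key is an assumption.
SAMPLE_PAYLOAD = {
    "preferred_username": "alice",
    "groups": ["/surveyors", "/site-managers"],
    "resource_access": {"navvis.ivion": {"roles": ["viewer", "editor"]}},
}

def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Compact JWT header.payload.signature; "sig" is a placeholder, not a real signature.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(SAMPLE_PAYLOAD), "sig"])

def decode_payload(token: str) -> dict:
    """Decode the payload segment only; signature validation is the relying party's job."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def parse_claim_path(path: str) -> list:
    """Dot notation (a.b.c) cannot name a key containing a dot; bracket notation can."""
    path = path[1:] if path.startswith("$") else path
    keys, pos = [], 0
    while pos < len(path):
        if path[pos] == ".":
            pos += 1
        elif path[pos] == "[":  # ['quoted key'] or ["quoted key"]
            end = path.index("]", pos)
            raw = path[pos + 1:end].strip()
            keys.append(raw.strip("'\""))
            pos = end + 1
        else:  # bare key up to the next separator
            end = pos
            while end < len(path) and path[end] not in ".[":
                end += 1
            keys.append(path[pos:end])
            pos = end
    return keys

def extract_groups(payload: dict, claim_path: str) -> list:
    """Walk the claim path; [] when the claim is missing or not an array of strings."""
    node = payload
    for key in parse_claim_path(claim_path):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return []
    return node if isinstance(node, list) and all(isinstance(g, str) for g in node) else []
```

With this payload, the dot-notation path resource_access.navvis.ivion.roles resolves to nothing, while resource_access['navvis.ivion'].roles returns the role list.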