By default, users log in to Redgate Monitor using the passwords set by the administrator.

Alternatively, administrators can set Redgate Monitor to authenticate users with their OpenID Connect (OIDC) which can enable scenarios with single sign-on (SSO) or two-factor authentication. When a request is not authenticated Redgate Monitor will contact your identity provider and redirect to its login page. After the login credentials are verified the identity provider will redirect back to Redgate Monitor.

When using OpenID Connect administrators can restrict which servers users can access in the same way as when Active Directory authentication is used.

Configuring Authentication Provider

The first step to set up OpenID Connect is to register Redgate Monitor as an application in your identity provider. The following are the expectations for your OIDC configuration on the identity provider side:

Specify the redirect URL for Redgate Monitor as https://yourRedgateMonitorHost.com/openidconnectaccount. This is the URL that the Identity Provider will use after a user is authenticated.

Specify the sign-out URL for Redgate Monitor as https://yourRedgateMonitorHost.com/signout-callback-oidc. This is the URL that the Identity Provider will use when a user attempts to sign-out.

Redgate Monitor will make the OpenID Connect authorization request using the "openid profile" scopes, and the token grant-type should be an implicit with only an ID token enabled.

When configuring your identity provider, you should also take note of information like the ClientID (sometimes referred to as ApplicationId) and the metadata endpoint that you will need to finish the setup in Redgate Monitor itself. 

Group Claim Limitations

It is common that OpenID Connect providers will limit the number of groups that are included in an OIDC token for performance reasons. If your organization's identity provider contains a large number of groups then you may need to do some additional configuration inside your identity provider before it can be used with Monitor.

When using Azure Entra ID as your provider, the limit is 200. It is recommended to set the returned group types in the token to Groups assigned to the application so that only the groups relevant to Monitor are included. See here for information on how to do this.

When using Okta as your provider, the limit is 100. You must use the Groups claim filter field when setting up your OIDC token for integration with Monitor to ensure it does not exceed this limit. See the documentation for more information. 

Other providers may have similar limits on the number of groups. We recommend you consult the official documentation of your provider regarding group claims if you think this may be an issue for your organization.

Switching to OpenID Connect authentication

1. In the Configuration page, under Users, click Authentication settings:
   
   
   
   
2. Select Use OpenID Connect:
   
3. A popup appears:
   
4. Under Authority, enter the URL to reach your authentication provider. E.g. https://login.microsoftonline.com/[tenant-id]/v2.0. This value will also be used to verify the issue of your id token through an exact match (including any trailing slashes). If you have a metadata endpoint (e.g. ending in .well-known/openid-configuration) it should be the URI before that ending.
5. Enter the Client ID. It was returned by your Identity Provider after registering Redgate Monitor in it.
6. Enter the Username claim name or Group claim name. This is the name of a claim that will be supplied by your identity provider after a user logs in and Redgate Monitor will use that information to identify which user logs on. Common examples of claim names to be used for the Username claim name field value are email or preferred_username. For the Group claim name a common example is groups.

7. Define if Redgate Monitor should send ID token on logout. This will depend on which identity provider you will be using and is not required by default. However some providers like Okta require this option to be enabled as their specification requires the id token to be sent back when a logout is requested.

8. Add an Administrator user or group. Normally it is the username of the Administrator of Redgate Monitor or a name of a user group to which an Administrator belongs to. It needs to map to the value returned in the field specified in Claim name before.

   We recommend you create an administrator group and specify this as the administrator account. This means you can add more users to the administrator group in your identity provider instead of configuring new users in Redgate Monitor.

9. Click Save settings. Redgate Monitor logs you and all other users out.
10. Access the login page for Redgate Monitor which should redirect you to your Identity Provider's login page.

Configuring OpenID Connect scopes

By default, Redgate Monitor will use openid and profile as the scopes for the authentication request. Some authentication providers may require additional scopes to return specific data like groups or an email field. You'll be able to configure these scopes by running the following these steps:

1. Connect to your Redgate Monitor repository.

2. Run the following script. This will add additional scopes on to the default openid  and profile scopes that Monitor uses.

   Edit OpenID scopes used by Redgate Monitor

   INSERT INTO [settings].[KeyValuePairs] VALUES ('OIDC-Scope', '<AdditionalScope> <OtherAdditionalScope>', 'STRING')

3. Restart Redgate Monitor’s website.

Switching from OpenID Connect authentication to default authentication

1. Log in to Redgate Monitor as an administrator.
2. In the Configuration page, click Authentication settings.
3. Select Basic authentication.
   The Confirm authentication changes window opens:
   
    
4. Click Confirm. Redgate Monitor logs you and all other users out.
5. Log in to Redgate Monitor with your Redgate Monitor credentials.