Redgate Monitor 14

Authenticating with OpenID Connect

By default, users log in to Redgate Monitor using the passwords set by the administrator.

Alternatively, administrators can configure Redgate Monitor to authenticate users through OpenID Connect (OIDC), which enables scenarios such as single sign-on (SSO) or two-factor authentication. When a request is not authenticated, Redgate Monitor contacts your identity provider and redirects the user to its login page. After the credentials are verified, the identity provider redirects the user back to Redgate Monitor.

When using OpenID Connect, administrators can restrict which servers users can access in the same way as when Active Directory authentication is used.

Configuring Authentication Provider

The first step in setting up OpenID Connect is to register Redgate Monitor as an application in your identity provider. Specify the redirect URL for Redgate Monitor; this is the URL that the identity provider will redirect to after a user is authenticated.

Redgate Monitor will make the OpenID Connect authorization request using the "openid profile" scopes.

This step should also provide you with values such as the Client ID (sometimes referred to as the Application ID) that you will need to finish the setup in Redgate Monitor itself.

Switching to OpenID Connect authentication

OpenID Connect is only supported with HTTPS enabled. See here for more information on how to set up Redgate Monitor in IIS and here on how to set up in the default web server (Kestrel). When using IIS, application initialization should also be configured as described here.

Only administrators can switch to OpenID Connect authentication.

  1. In the Configuration page, under Users, click Authentication settings.

  2. Select Use OpenID Connect.
  3. A popup appears.
  4. Under Authority, enter the URL of your authentication provider, e.g. [tenant-id]/v2.0. This value is also used to verify the issuer of your ID token through an exact string match (including any trailing slashes), so it must be identical to the issuer value your provider places in the token.
  5. Enter the Client ID. It was returned by your identity provider when you registered Redgate Monitor.
  6. Enter the Username claim name or Group claim name. This is the name of a claim supplied by your identity provider after a user logs in; Redgate Monitor uses that claim to identify which user has logged on. Common values for the Username claim name field are email or preferred_username. For the Group claim name, a common value is groups.
  7. Specify whether Redgate Monitor should send the ID token on logout. This depends on which identity provider you are using and is not required by default. However, some providers such as Okta require this option to be enabled, because their implementation expects the ID token to be sent back when a logout is requested.

  8. Add an Administrator user or group. Normally this is the username of the Redgate Monitor administrator or the name of a user group to which an administrator belongs. It must match the value returned in the claim you specified in the Username claim name or Group claim name field above.

    We recommend you create an administrator group and specify it as the administrator account. This lets you add more users to the administrator group in your identity provider instead of configuring new users in Redgate Monitor.

  9. Click Save settings. Redgate Monitor logs you and all other users out.
  10. Access the login page for Redgate Monitor which should redirect you to your Identity Provider's login page.
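The checks that steps 4, 6 and 8 configure (exact issuer match against the Authority value, lookup of the configured username and group claims, and mapping the administrator user or group) are shown below as an added example; this is not Redgate Monitor's own code. The settings names, the sample claims and the HS256 test secret are constructed for offline demonstration. A real identity provider signs ID tokens with asymmetric keys published at its JWKS endpoint, and a production client must verify signatures against those keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


# Hypothetical settings object mirroring the fields on the Authentication settings popup.
@dataclass
class OidcSettings:
    authority: str              # must equal the ID token's "iss" claim exactly
    client_id: str              # must appear in the ID token's "aud" claim
    username_claim: str = "preferred_username"
    group_claim: str = "groups"
    admin_user_or_group: str = "monitor-admins"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT for offline demonstration only (constructed helper).
    Real providers sign ID tokens with asymmetric keys published at their JWKS endpoint."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_id_token(token: str, settings: OidcSettings, secret: bytes,
                      now: Optional[int] = None) -> dict:
    """Verify signature, issuer (exact match), audience and expiry; return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part JWT") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact string comparison, as step 4 describes: ".../v2.0" and ".../v2.0/" are different issuers.
    if claims.get("iss") != settings.authority:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match authority {settings.authority!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if settings.client_id not in audiences:
        raise ValueError("token was not issued for this client ID")
    current = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("token has expired")
    return claims


def resolve_user(claims: dict, settings: OidcSettings) -> dict:
    """Map claims to a user identity using the configured claim names (steps 6 and 8)."""
    username = claims.get(settings.username_claim)
    if not username:
        raise ValueError(f"claim {settings.username_claim!r} missing; check the provider's scopes")
    groups = claims.get(settings.group_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    is_admin = (username == settings.admin_user_or_group
                or settings.admin_user_or_group in groups)
    return {"username": username, "groups": list(groups), "is_admin": is_admin}


def check_login(token: str, settings: OidcSettings, secret: bytes,
                now: Optional[int] = None) -> dict:
    """Return {"ok": True, "user": ...} on success or {"ok": False, "error": ...} on rejection."""
    try:
        claims = validate_id_token(token, settings, secret, now)
        return {"ok": True, "user": resolve_user(claims, settings)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed sample: a tenant-style authority path and a member of the admin group.
    settings = OidcSettings(authority="https://idp.example.test/tenant-id/v2.0",
                            client_id="redgate-monitor-client")
    secret = b"constructed-demo-secret"
    claims = {"iss": settings.authority, "aud": settings.client_id, "exp": 2_000_000_000,
              "preferred_username": "alice@example.test", "groups": ["monitor-admins", "dba"]}
    print(check_login(make_test_id_token(claims, secret), settings, secret, now=1_000_000_000))
    # Same token but the issuer carries a trailing slash: rejected by the exact match.
    slashed = dict(claims, iss=settings.authority + "/")
    print(check_login(make_test_id_token(slashed, secret), settings, secret, now=1_000_000_000))
```

The trailing-slash case is the one that most often bites in practice: if the Authority you enter differs from the provider's issuer string by even one character, every login is rejected after the redirect back, so copy the issuer value exactly as the provider publishes it.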

Configuring OpenID Connect scopes

By default, Redgate Monitor uses openid and profile as the scopes for the authentication request. Some identity providers require additional scopes before they return specific data such as groups or an email field. You can configure these scopes by following these steps:

  1. Connect to your Redgate Monitor repository.
  2. Run the following script. It's important to keep the default scopes mentioned above ("openid" and "profile") and append any others you need, such as "groups" or "email", separated by spaces.

    Edit OpenID scopes used by Redgate Monitor

    -- Keep 'openid profile' and append extra scopes, e.g. 'openid profile groups email'
    INSERT INTO [settings].[KeyValuePairs] VALUES ('OIDC-Scope', 'openid profile <AnyAdditionalScope>', 'STRING')
  3. Restart Redgate Monitor’s website.

Switching from OpenID Connect authentication to default authentication

Only administrators can switch back from OpenID Connect authentication to default authentication.

  1. Log in to Redgate Monitor as an administrator.
  2. In the Configuration page, click Authentication settings.
  3. Select Basic authentication.
    The Confirm authentication changes window opens:

  4. Click Confirm. Redgate Monitor logs you and all other users out.
  5. Log in to Redgate Monitor with your Redgate Monitor credentials.

Switching back to basic authentication does not clear any OpenID Connect configuration stored in Redgate Monitor.
