Setup

The following steps are required to set up SSO (single sign-on) in Lobster Integration. You need a license for this functionality.

./etc/factory.xml

Add the following section to configuration file ./etc/factory.xml.

<Call name="addService">
	<Arg>com.ebd.hub.services.identity.ExternalIdentityProviderService</Arg>
	<Arg>etc/external_identity_providers.xml</Arg>
</Call>

./etc/external_identity_providers.xml

Now you have to configure the SSO servlet in the configuration file ./etc/external_identity_providers.xml. You can use the entries as below. The alias for DataCockpit is only necessary if you are using this add-on module.

In the last step, at least one identity provider must be specified, shown here using Azure as an example. How to get the values for the OAuth2 parameters is described in the documentation of the respective provider. So Client ID, Client Secret and for Azure also the Tenant ID. The alias is freely assigned by you.

For new installations (not updates) from version 4.6.9, the file ./etc/hub.xml only applies to Lobster Integration communication (e.g. HTTP and AS2) and the file ./etc/admin.xml applies to the Admin Console and the Lobster Integration GUI.

Previously, the file ./etc/hub.xml applied to Lobster Integration communication and the Lobster Integration GUI and file ./etc/admin.xml only applied to the Admin Console.

→ In this case, do not use "Main Server" as the server name, but "Administrative Server". Note: In general, the HTTP server via which the Lobster Integration GUI runs must be specified here for the server name.

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC
 "-//Lobster//DTD Configure 1.0//EN"
 "http://www.lobster.de/dtd/configure_1_1.dtd">
<Configure class="com.ebd.hub.services.identity.ExternalIdentityProviderService">
 
    <Call name="setSSOServletConfig">
        <!-- Server Name --><Arg>Main Server</Arg>
        <Call name="addAlias">
            <!-- Alias -->
            <Arg>datacockpit</Arg>
            <!-- Servlet URL -->
            <Arg>https://YOUR_HOST_IP/idp/DataCockpit/</Arg>
            <!-- Login URL for Alias -->
            <Arg>https://YOUR_HOST_IP/DataCockpit</Arg>
        </Call>
        <Call name="addAlias">
            <!-- Alias -->
            <Arg>_data</Arg>
            <!-- Servlet URL -->
            <Arg>https://YOUR_HOST_IP/idp/_data</Arg>
            <!-- Login URL for Alias -->
            <Arg>https://YOUR_HOST_IP/_data</Arg>
        </Call>
    </Call>
 
<!-- OKTA SSO with Generic Template -->
<!--
    <Call name="addProvider">
      <Arg>
        <New class="com.ebd.hub.services.identity.GenericOAuth2Provider">
          <!-- Alias -->
          <Arg>genericOauth2</Arg>
          <!-- ClientID -->
          <Arg>YOUR_CLIENT_ID</Arg>
          <!-- Client Secret -->
          <Arg>YOUR_CLIENT_SECRET</Arg>
          <Set name="authorizeUrl">https://YOUR_OKTA.okta.com/oauth2/v1/authorize</Set>
          <Set name="tokenUrl">https://YOUR_OKTA.okta.com/oauth2/v1/token</Set>
          <!--
          <Set name="userInfoUrl">https://userInfoURL</Set>
          -->
          <!-- specify openid request scopes -->
          <Set name="scope">openid</Set>
        </New>
      </Arg>
    </Call>
-->
<!--
    <Call name="addProvider"><Arg>
        <New class="com.ebd.hub.services.identity.AzureOAuth2Provider">
            <!- - Alias      - -><Arg>azure</Arg>
            <!- - Tenant         - -><Arg>common</Arg>
            <!- - ClientID       - -><Arg>YOUR_CLIENT_ID</Arg>
            <!- - Client Secret  - -><Arg>YOUR_CLIENT_SECRET</Arg>
        </New>
    </Arg></Call>
-->
<!--
    <Call name="addProvider"><Arg>
        <New class="com.ebd.hub.services.identity.GoogleOAuth2Provider">
            <!- - Alias      - -><Arg>google</Arg>
            <!- - ClientID       - -><Arg>YOUR_CLIENT_ID</Arg>
            <!- - Client Secret - -><Arg>YOUR_CLIENT_SECRET</Arg>
        </New>
    </Arg></Call>
-->
<!--
    <Call name="addProvider"><Arg>
        <New class="com.ebd.hub.services.identity.AmazonOAuth2Provider">
            <!- - Alias      - -><Arg>amazon</Arg>
            <!- - ClientID       - -><Arg>YOUR_CLIENT_ID</Arg>
            <!- - Client Secret - -><Arg>YOUR_CLIENT_SECRET</Arg>
        </New>
    </Arg></Call>
-->
<!--
    <Call name="addProvider"><Arg>
        <New class="com.ebd.hub.services.identity.FacebookOAuth2Provider">
            <!- - Alias      - -><Arg>facebook</Arg>
            <!- - ClientID       - -><Arg>YOUR_CLIENT_ID</Arg>
            <!- - Client Secret - -><Arg>YOUR_CLIENT_SECRET</Arg>
        </New>
    </Arg></Call>
-->
</Configure>

Redirect URL

You must specify a redirect URL on the site of your respective provider (e.g. Google), which has the following format for Lobster Integration.

https://<IP or URL Integration Server>/idp/_data/<alias of SSO provider>/callback

Example: https://mydata.example.com/idp/_data/google/callback

Adding SSO Provider for User and Login

Once the SSO setup is complete, you can now add an SSO provider to a user.

images/download/attachments/137300780/1299-version-1-modificationdate-1683619457785-api-v2.png

images/download/attachments/137300780/1300-version-1-modificationdate-1683619457782-api-v2.png

images/download/attachments/137300780/1301-version-1-modificationdate-1683619457787-api-v2.png

(1) Select an SSO provider via the context menu (here Azure). You will then be redirected to an external page where you have to enter your credentials, here for your Microsoft account. This login is only necessary once. Note: If you are already logged in to your Microsoft account, this step happens in the background.

(2) Once you have performed (1), you will see the added SSO provider. You can now log in to Lobster Integration via SSO, see (3).

(3) Click here.

(4) Click here.