
Single Sign-On in Content Fusion Enterprise

Oxygen Content Fusion Enterprise Server supports Single Sign-On through any provider that supports the OpenID Connect protocol, such as Microsoft Entra ID or Okta.

Note:
Content Fusion uses the email address provided by the Single Sign-On provider, unless the email_verified field is false for a particular user.
To enable Single Sign-On:
  1. Define a new application in the administration interface of your OpenID Connect provider to represent your Oxygen Content Fusion Enterprise Server deployment:
    1. When you are asked for a redirect URI, use the following value: https://<content-fusion-address>/api/oauthc/oidcId/callback where you replace <content-fusion-address> with the actual address of your server.
    2. After you define the application, you need to note the Client ID (or Application ID in some cases) and Client Secret that will be generated for you.
  2. On the machine where Content Fusion is installed, go to the Administration Page. In the Single Sign-On Authentication section, enable the Use OIDC single sign-on option and configure the fields listed there.
    For Okta:
    • Provider Name - Enter OKTA.
    • To retrieve the authorization, token, and user info endpoints, append /.well-known/openid-configuration to the Issuer URI of your Authorization Server. You can find the Issuer URI in Okta Admin Console > Security > API > Authorization Servers.

      For example, your discovery URL might look like: https://<okta-subdomain>.okta.com/oauth2/<authorizationServerId>/.well-known/openid-configuration

      where you must replace <okta-subdomain> with your Okta domain, and <authorizationServerId> with the actual ID of your Authorization Server.

    • Client ID - Enter the Client ID (or Application ID in some cases) that was generated in step one.
    • Client Secret - Enter the Client Secret that was generated in step one.

    For Entra ID:

    • Provider Name - Enter EntraID.
    • To retrieve the authorization, token, and user info endpoints, use: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration, where you must replace <tenant-id> with the Directory (tenant) ID from your registered application's overview in Azure Portal.
    • Client ID - Enter the Client ID (or Application ID in some cases) that was generated in step one.
    • Client Secret - Enter the Client Secret that was generated in step one.
  3. Make sure you click Save Configuration when you are finished.
  4. Restart the Content Fusion machine:
    sudo bash /fusion/admin/stop-content-fusion.sh
    sudo bash /fusion/admin/start-content-fusion.sh

Result: Users will now have the option to log on to Content Fusion using the OpenID Connect provider.
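
The following is an added example, not part of the Content Fusion product or its documentation. It builds the discovery URL and redirect URI from the steps above and checks a discovery document before its endpoints are copied into the Administration Page. The host names, issuer ID and sample document are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
NEEDED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample of a discovery response (placeholder host and IDs).
ISSUER = "https://example.okta.com/oauth2/aus-placeholder"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "userinfo_endpoint": ISSUER + "/v1/userinfo",
})


def discovery_url(issuer: str) -> str:
    """Append the well-known path to the Issuer URI, as step 2 describes."""
    return issuer.rstrip("/") + WELL_KNOWN


def redirect_uri(content_fusion_address: str) -> str:
    """Redirect URI to register with the provider in step 1."""
    return f"https://{content_fusion_address}/api/oauthc/oidcId/callback"


def extract_endpoints(issuer: str, discovery_json: str) -> dict:
    """Return the three endpoints after basic sanity checks."""
    doc = json.loads(discovery_json)
    # OpenID Connect Discovery requires the document's issuer to be identical
    # to the Issuer URI the discovery URL was built from.
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    endpoints = {}
    for name in NEEDED:
        value = doc.get(name, "")
        if urlsplit(value).scheme != "https":
            raise ValueError(f"{name} is missing or not HTTPS")
        endpoints[name] = value
    return endpoints


if __name__ == "__main__":
    print("Discovery URL:", discovery_url(ISSUER))
    print("Redirect URI:", redirect_uri("fusion.example.com"))
    for name, value in extract_endpoints(ISSUER, SAMPLE_DISCOVERY).items():
        print(f"{name}: {value}")
```

To check a real deployment, download the document from the discovery URL and pass its text to extract_endpoints together with your Issuer URI.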