3DS Admin OIDC support
Starting from release 22.214.171.124, there are two modes of authenticating the 3DS Admin UI users:
- Internal mode of authentication (the already present option) - the users will be managed by the 3DS Admin UI itself
- External mode of authentication - the users are managed by an external OIDC provider (IAM provider)
The two options are mutually exclusive, i.e. the 3DS Admin UI can either run the authentication in
The option for authenticating users against an external OIDC provider implies that the 3DS Admin UI now supports the OIDC protocol built on top of OAuth 2. Find more information on it in the official OIDC protocol documentation .
Configuration of the 3DS Admin UI authentication mode
The authentication mode of the 3DS Admin UI should be configured before its startup. For this purpose, a new configuration property was introduced:
The allowed values are
external. The default value is
internal, i.e. if not configured
differently, the users will be managed by the 3DS Admin UI itself (the users credentials are
stored encrypted in the 3DS Admin UI database).
If the preferred mode of authentication is
external, then OIDC-relevant data for the default organization and
the method for resolving the OIDC configuration identifier must also be configured for the Admin UI:
The allowed values are either
subdomain. The default value is
subdomain, i.e. if not
configured otherwise, the OIDC organization identifier will be resolved via the subdomain of the server from which
the request originated, rather than via the 'x-nca3dss-orgsubdomain' attribute of the HTTP request header.
Find more information on the properties in the 3DS Admin Configuration Properties.
Different OIDC providers in a multi tenant setup
In a multi tenant setup, different organizations could have different configured OIDC providers. For this purpose,
when the 3DS Admin runs in
external authentication mode, the Organization Management tab is adapted to
require the OIDC provider relevant inputs.
In a multi tenant setup, each organization will be accessible on a different subdomain, meaning each organization
will have its own URL to access the 3DS Admin. For example, if there is an organization with name
Netcetera and a subdomain assigned accordingly (‘netcetera’), then users of this organization can access the
3DS Admin on
netcetera.<admin-host>:<admin-port>. The subdomain can differ from the organization name.
Besides a subdomain, the 3DS Admin requires configuring client ID, client secret, an issuer URL and a list of allowed roles for an organization. The client ID and the client secret are the credentials that the client application (the 3DS Admin) is given at the point when it is registered to the OIDC provider, while the issuer URL is a URL that uniquely identifies the OIDC provider. Finally, the 3DS Admin controls what roles can be assigned to users of this organization and for that purpose there is input for allowed roles.
User management with external OIDC provider
If the preferred option of authentication is
external, any OIDC provider can be chosen. The management of the
OIDC provider and the users’ data management is left to the customer.
3DS Admin role based access control
The 3DS Admin allows the following roles to be assigned to a user:
The explanation of each is given on the picture below:
If any other role is assigned to a user, the 3DS Admin will ignore it. The 3DS Admin also controls what roles are allowed per organization. If a user from a certain organization is assigned with a role which is not allowed by the organization configuration, the 3DS Admin will ignore that role.
The OIDC provider has to be configured to return the user roles in a custom claim inside the ID token. The name of the claim can be configured via the threedss.external-iam.default-organization-oidc-provider.roles_claim_name property.
Health status of the external OIDC providers
The 3DS Admin gives information about the health of the configured OIDC providers through the standard health endpoint. The health of the OIDC providers does not affect the overall health status, meaning some OIDC providers can be down but the overall 3DS Admin health stays up.
Switching authentication modes
The authentication mode of the Admin UI can be switched back and forth (between
at any time. In order the change to take effect, the 3DS Admin should be restarted.