Setting Up OpenID Connect (Enterprise Only)

Introduction to SSO and OIDC

With NavVis IVION, you can seamlessly configure Single Sign-On (SSO) using OpenID Connect (OIDC), a widely adopted authentication protocol. OIDC enables users to sign in through their organization's Identity Provider (IdP), ensuring secure and centralized authentication.

Once authenticated by the IdP, users are automatically granted access to NavVis IVION with their assigned roles and permissions, eliminating the need for separate login credentials. This enhances security, simplifies user management, and improves the overall login experience.

Key benefits of SSO with OIDC in NavVis IVION:

  • Seamless access: Users log in once and gain instant access without additional authentication.

  • Enhanced security: Authentication is managed by your IdP, reducing password-related risks.

  • Simplified user management: Admins can control access centrally via user roles and group mappings.

  • Improved user experience: No need to remember multiple credentials—just sign in through your existing SSO provider.

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and access multiple applications without re-entering credentials. It works by having a central Identity Provider (IdP) verify the user's credentials and issue a secure token, granting seamless access to connected services. SSO improves security, efficiency, and user experience by reducing password fatigue and enabling centralized access control. It is commonly implemented using protocols like OpenID Connect (OIDC) or SAML and is widely used in applications for streamlined authentication across services.

What is OpenID Connect (OIDC)?

OpenID Connect (OIDC) is a modern authentication protocol built on top of OAuth 2.0 that enables secure, reliable, and seamless user authentication. It allows applications to verify user identities through a Single Sign-On (SSO) provider, such as Okta, Microsoft Entra ID (formerly Azure AD), or Google Identity Platform.

In NavVis IVION, OpenID Connect simplifies federated authentication, allowing organizations to integrate their existing identity management systems. By delegating authentication to an OIDC-compliant Identity Provider (IdP) and leveraging OAuth 2.0 for authorization, NavVis IVION supports role-based access management and ensures a secure, scalable, and industry-standard approach to user authentication while improving user experience and administrative control.

Set up Single Sign-On for NavVis IVION using OpenID Connect (Enterprise & Pro only)

Before getting started, you need to set up an identity provider of your choice. For guidance on configuring your chosen identity solution, refer to its official documentation. Once your identity provider is set up, follow these steps to integrate OpenID Connect with your preferred authorization provider.

Procedure

  1. Configure NavVis IVION to use the client registered in your identity provider.

    • Go to your instance.

    • On your instance dashboard, go to Instance Settings > OpenID Connect.

    • Click Add new connection.

    • In the dialog that opens, enter the required information.

      • The Issuer URL is the URL of your realm in your IdP.

      • You can get the Client Secret from the Credentials tab on your IdP client page.

      • The Redirect URI is usually your NavVis IVION URL.

        Note: Some authorization providers require a complete redirect URI, e.g. [instanceURL]/oauth2/callback/[registrationId].

      • NavVis IVION always requests three scopes from the authorization provider: openid, profile, and email. Additional scopes can be configured under Additional authorization scopes.

      • If you want users to be deleted from NavVis IVION when they are deleted from the identity provider, enable the toggle button.

      • If you want to map external user groups to NavVis IVION, enable the toggle button.

        Note: If you want to use OpenID Connect with NavVis IVION Go, refer here.

  2. Click Add connection.

  3. Use the toggle button to enable the connection.

Your organization is now set up to authenticate users through Single Sign-On via OpenID Connect. When users log into NavVis IVION using the "Continue sign in with …" option, they will be automatically added to IVION User Management. In order to set up automatic User Group Mapping, follow the instructions below.
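To make the dialog fields concrete, the following is an added example (not NavVis IVION code) of what a relying party does with them: it checks that the discovery metadata really belongs to the configured Issuer URL, builds the complete redirect URI in the form quoted in the note above, requests the three mandatory scopes plus any additional ones, and validates the state parameter on the callback before the code is exchanged. The discovery document, issuer, instance URL, client id and registration id are all constructed for illustration.

```python
"""Added example (not NavVis IVION code): the relying-party side of the
OpenID Connect connection settings. All URLs and identifiers are constructed."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery document, as an IdP would serve it at
# <Issuer URL>/.well-known/openid-configuration (illustrative values only).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/realms/ivion",
    "authorization_endpoint": "https://idp.example.com/realms/ivion/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/ivion/protocol/openid-connect/token",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

# The three scopes the page says are always requested; extras are appended.
REQUIRED_SCOPES = ("openid", "profile", "email")


def check_issuer(configured_issuer: str, discovery: dict) -> bool:
    """OIDC Discovery requires the 'issuer' in the metadata to be identical to
    the Issuer URL it was fetched from (no normalisation). A mismatch points at
    a mistyped realm URL or metadata served by a different party."""
    return discovery.get("issuer") == configured_issuer


def build_redirect_uri(instance_url: str, registration_id: str) -> str:
    """Complete redirect URI in the form [instanceURL]/oauth2/callback/[registrationId]."""
    return f"{instance_url.rstrip('/')}/oauth2/callback/{registration_id}"


def redirect_uri_is_acceptable(redirect_uri: str) -> bool:
    """Register only https targets without fragments or wildcards at the IdP;
    the IdP compares the registered value with the request byte-for-byte."""
    parsed = urlparse(redirect_uri)
    return (parsed.scheme == "https" and bool(parsed.netloc)
            and not parsed.fragment and "*" not in redirect_uri)


def build_authorization_url(discovery: dict, client_id: str, redirect_uri: str,
                            extra_scopes=()):
    """Authorization Code request. 'state' ties the callback to this browser
    session (CSRF protection) and 'nonce' ties the ID token to this request
    (replay protection); both are stored server-side and checked later."""
    scopes = list(REQUIRED_SCOPES) + [s for s in extra_scopes if s not in REQUIRED_SCOPES]
    supported = discovery.get("scopes_supported")
    if supported is not None:
        unsupported = [s for s in scopes if s not in supported]
        if unsupported:
            raise ValueError(f"IdP does not advertise scopes: {unsupported}")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}", state, nonce


def verify_callback(callback_query: str, expected_state: str) -> str:
    """Check the state echoed by the IdP before exchanging the code; a missing
    or different state means this session did not start the login."""
    params = parse_qs(callback_query)
    if params.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in params:
        raise ValueError(f"IdP returned error: {params['error'][0]}")
    code = params.get("code")
    if not code:
        raise ValueError("no authorization code in callback")
    return code[0]


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/ivion"   # constructed Issuer URL
    if not check_issuer(issuer, SAMPLE_DISCOVERY):
        raise SystemExit("issuer mismatch")
    redirect = build_redirect_uri("https://ivion.example.com/", "okta")
    url, state, nonce = build_authorization_url(SAMPLE_DISCOVERY, "ivion-client", redirect, ["groups"])
    print(url)
    print("code:", verify_callback(f"code=abc123&state={state}", state))
```

The issuer comparison is deliberately exact: a trailing slash or a different host is treated as a failure rather than normalised away, because that is the check the discovery specification prescribes and it is what stops metadata from the wrong realm being accepted.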

Mapping External User Groups to NavVis IVION (Enterprise Only)

If user groups have been created in NavVis IVION, the administrator can map these groups from an external IdP. Once mapped, users that are part of a mapped group will be automatically added to this group in NavVis IVION when they log in.

Procedure

  1. Go to Instance Settings > OpenID Connect.

  2. Set up a new OpenID connection or open an existing connection by clicking the pencil icon.

  3. Use the Map user groups from access token toggle button to enable the mapping of external user groups.

  4. Under Group array JWT claim, enter the name or path of the token claim that contains the user's groups.

  5. If you want all users to be automatically added to the Everyone group, enable the toggle button.

  6. Click Save.

Changes made to group memberships in an external authorization system will now be automatically updated in NavVis IVION.

Note: When dot notation is not sufficient to express the custom group claim (for example, when the claim name itself contains dots), use JSON path bracket notation instead.
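The following added example (not NavVis IVION code) shows why the note matters: it resolves a Group array JWT claim path against a decoded token payload using either dot notation or bracket notation, extracts the group array, and maps the external group names to local groups, adding Everyone when that toggle is on. The payload, claim layouts and group names are constructed for illustration, and the token is assumed to have had its signature, issuer, audience and expiry verified before this step.

```python
"""Added example (not NavVis IVION code): resolve a group claim path in dot or
bracket notation and map the resulting groups. Sample data is constructed."""
import re

# Constructed payload of an already-verified access token. The last claim has
# a name containing dots, which dot notation cannot address.
SAMPLE_PAYLOAD = {
    "sub": "u-1234",
    "email": "alice@example.com",
    "realm_access": {"roles": ["surveyor", "viewer"]},
    "https://example.com/claims.groups": ["Engineering", "Facilities"],
}

# Constructed mapping from external group name to NavVis IVION group name.
SAMPLE_MAPPING = {"Engineering": "Surveyors", "Facilities": "Site Managers"}


def parse_claim_path(path: str) -> list:
    """Split a claim path into keys. Supports dot notation (realm_access.roles),
    bracket notation with quoted keys ($['https://example.com/claims.groups'])
    and numeric indexes (realm_access['roles'][0]). A leading '$' is optional."""
    if path.startswith("$"):
        path = path[1:]
    keys, pos = [], 0
    while pos < len(path):
        ch = path[pos]
        if ch == ".":
            pos += 1
            continue
        if ch == "[":
            if pos + 1 < len(path) and path[pos + 1] in "'\"":
                quote = path[pos + 1]
                close = path.index(quote, pos + 2)        # ValueError if unterminated
                if path[close + 1:close + 2] != "]":
                    raise ValueError(f"expected ']' after quoted key at {close + 1}")
                keys.append(path[pos + 2:close])
                pos = close + 2
            else:
                end = path.index("]", pos)                 # ValueError if unterminated
                index = path[pos + 1:end].strip()
                if not index.isdigit():
                    raise ValueError(f"bad bracket segment: {path[pos:end + 1]}")
                keys.append(int(index))
                pos = end + 1
            continue
        match = re.match(r"[^.\[\]]+", path[pos:])       # plain dot-notation segment
        if not match:
            raise ValueError(f"unexpected character {ch!r} at {pos}")
        keys.append(match.group(0))
        pos += match.end()
    return keys


def resolve_claim(payload: dict, path: str):
    """Walk the payload along the parsed path; None if any step is missing."""
    node = payload
    for key in parse_claim_path(path):
        if isinstance(key, int):
            if not isinstance(node, list) or key >= len(node):
                return None
        elif not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_groups(payload: dict, path: str) -> list:
    """Return the group names found at the claim path; only string entries
    count, so an unexpected claim shape yields no groups rather than a crash."""
    value = resolve_claim(payload, path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [g for g in value if isinstance(g, str)]
    return []


def map_groups(external_groups: list, mapping: dict, add_everyone: bool) -> list:
    """Translate external groups to local groups; unmapped groups are ignored
    so an IdP-side group never creates a local group by itself."""
    local = {mapping[g] for g in external_groups if g in mapping}
    if add_everyone:
        local.add("Everyone")
    return sorted(local)


if __name__ == "__main__":
    for claim_path in ("realm_access.roles",
                       "https://example.com/claims.groups",            # dot notation fails
                       "$['https://example.com/claims.groups']"):      # bracket notation works
        groups = extract_groups(SAMPLE_PAYLOAD, claim_path)
        print(f"{claim_path!r:48} -> {groups} -> {map_groups(groups, SAMPLE_MAPPING, True)}")
```

Run stand-alone, the second path yields no groups because it is split on every dot, while the bracket-notation form of the same claim returns both groups; that is the situation the note above describes.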