Requirements for Identity Provider Integration with PC-Duo
PC-Duo RAS v13.0 includes a new Identity Manager component that centralizes all authentication and directory search logic for the Server product (Web Console and Gateway Server). In v13.0, the built-in integrations are:
Computer directory services via Active Directory lookup (for Host Grouping by AD OU)
User directory services (user accounts and user groups) via:
PC-Duo v13.0 requires the following information from an OIDC provider:
| PC-Duo usage | OIDC Claims (in order examined) |
| --- | --- |
| Id (unique account ID) | sub, oid |
| Account Name | upn, unique_name |
| Friendly Name (optional) | name |
| Email Address (optional) | email |
| Group Membership | groups |
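The claim order in the table above determines which field PC-Duo falls back to when a provider omits a claim (e.g. an Azure AD token that carries oid and unique_name but not sub or upn). The following is an added example, not PC-Duo's own code: it decodes a constructed, unsigned ID token and maps its claims to the PC-Duo fields in the documented order, rejecting tokens that cannot supply the required Id and Account Name. It assumes signature verification against the provider's keys has already happened before the payload is trusted.

```python
import base64
import json

# Claim lookup order per PC-Duo field (from the claims table above);
# "id" and "account_name" must resolve, the rest are optional.
CLAIM_ORDER = {
    "id": ["sub", "oid"],
    "account_name": ["upn", "unique_name"],
    "friendly_name": ["name"],
    "email": ["email"],
    "groups": ["groups"],
}
REQUIRED = ("id", "account_name")

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_payload(token: str) -> dict:
    # Payload only. Assumes the signature was already verified against the
    # provider's published keys; never map claims from an unverified token.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def map_claims(claims: dict) -> dict:
    # Take the first claim present in each field's ordered candidate list.
    mapped = {}
    for field, candidates in CLAIM_ORDER.items():
        for claim in candidates:
            if claim in claims:
                mapped[field] = claims[claim]
                break
    missing = [f for f in REQUIRED if f not in mapped]
    if missing:
        raise ValueError(f"ID token lacks required claims for: {missing}")
    mapped.setdefault("groups", [])  # no groups claim -> no memberships
    return mapped

def build_token(claims: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])

SAMPLE_CLAIMS = {  # constructed values, not a real tenant or user
    "oid": "00000000-0000-0000-0000-00000000abcd",
    "unique_name": "alice@example.com",
    "name": "Alice Example",
    "groups": ["RemoteSupport", "Helpdesk"],
}
```

Running map_claims(id_token_payload(build_token(SAMPLE_CLAIMS))) resolves Id from oid and Account Name from unique_name because sub and upn are absent, and leaves Email unset.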
In the first v13.0 release, the OpenID Connect integration assumes that the integration is with Microsoft Azure AD. When this is generalized, the following parameters will be configurable:
| Parameter | Azure AD Example |
| --- | --- |
| OIDC Root URL | https://login.microsoftonline.com/ |
| Domain Name | In the Azure case, the DNS name of the domain, e.g. “proxynetworks.com”, appended to the OIDC Root URL (e.g. https://login.microsoftonline.com/proxynetworks.com/). |
| Client ID | Now called “Application ID” in Azure; identifies the PC-Duo Server application instance. |
| Application Key | Now called “Password” in Azure; allows the application instance to authenticate to Azure services. |