AX1446

Using OpenID Authentication

You can enable OpenID Authentication for Axiom Enterprise Decision Support, so that users are authenticated based on a designated OpenID provider (such as Google OpenID Connect).

OpenID Authentication behavior

OpenID Authentication is a web-based authentication method. Users access Axiom Enterprise Decision Support by going to the Axiom Web Client in a browser. Users must enter their user name and password for their OpenID provider. Once they are authenticated, if the user name matches a user name in Axiom Enterprise Decision Support, then the user can access the Axiom Web Client or install / launch the Axiom Excel Client or Windows Client from the web page.

Users assigned to OpenID Authentication can only access Axiom Enterprise Decision Support from the web. The Excel Client and Windows Client cannot subsequently be launched using a shortcut on the user's computer; the user must continue to log into the Axiom Web Client in order to start the Desktop Client. When using OpenID Authentication, you may want to configure the Axiom Application Server installation so that no shortcuts are placed on user computers during the client installation, since users will not be able to use these shortcuts.

Setting up OpenID Authentication

The following summarizes the setup process for OpenID Authentication.

  1. OpenID Authentication must be enabled for the system.

    For on-premise systems, OpenID Authentication can be enabled during the Axiom Application Server installation. If you did not enable it during the original installation, you can use Repair to change the installation to enable it. For more information, see the Installation Guide.

    When you enable OpenID Authentication for Axiom Enterprise Decision Support, you must specify the Client ID and Client Secret for your OpenID provider.

    For Axiom Cloud systems, Axiom Support will enable OpenID Authentication for you as part of the system setup, if that is your chosen authentication method.

  2. Complete any additional configuration requirements to enable OpenID Authentication.

    At minimum, you must configure the OpenID provider with the redirect URI to the Axiom Enterprise Decision Support login page (such as <URLtoAxiom>/openid/login). Other setup steps may be necessary, depending on your particular configuration. Please contact Axiom Support as needed for assistance in completing the OpenID Authentication setup.

  3. In security, Axiom Enterprise Decision Support users must be set up as follows to support OpenID Authentication:

    • The user's Axiom Enterprise Decision Support login name must match their login name for the OpenID provider, including the @suffix.

    • The user's Authentication method must be set to OpenID.

If you are an administrator and you need to test the security settings of an OpenID Authentication user, you can use the Log in as selected user feature to log in to Axiom Enterprise Decision Support as that user. For more information, see Testing user security.
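A pre-flight check for steps 2 and 3 above, as an added example that is not part of the Axiom documentation or product. It assumes you can list the login names and authentication methods from Axiom security and the login names from the OpenID provider; the function names, host name and accounts are hypothetical and constructed.

```python
# Added example: pre-flight check for steps 2 and 3. All data below is constructed.
from urllib.parse import urlsplit

def check_redirect_uri(registered, axiom_url):
    """Compare the URI registered at the provider with <URLtoAxiom>/openid/login."""
    expected = axiom_url.rstrip("/") + "/openid/login"
    problems = []
    if urlsplit(registered).scheme != "https":
        # Added check, not a requirement stated on the page.
        problems.append("redirect URI is not https")
    if registered != expected:
        # Providers generally compare redirect URIs as exact strings.
        problems.append(f"registered {registered!r} != expected {expected!r}")
    return problems

def check_users(axiom_users, idp_logins):
    """axiom_users: list of (login_name, auth_method); idp_logins: provider login names."""
    exact = set(idp_logins)
    folded = {name.casefold(): name for name in idp_logins}
    findings = []
    for login, method in axiom_users:
        if method != "OpenID":
            continue  # other authentication methods are outside this check
        if "@" not in login:
            findings.append((login, "missing @suffix"))
        elif login in exact:
            continue
        elif login.casefold() in folded:
            # The page does not say whether matching ignores case; flag for review.
            findings.append((login, f"differs only by case from {folded[login.casefold()]}"))
        else:
            findings.append((login, "no such login at the provider"))
    return findings

# Constructed sample data (hypothetical host and accounts).
AXIOM_URL = "https://axiom.example.com/Axiom"
REGISTERED = "https://axiom.example.com/Axiom/openid/login/"  # note trailing slash
AXIOM_USERS = [("jdoe@example.com", "OpenID"), ("asmith", "OpenID"),
               ("BLee@example.com", "OpenID"), ("mkhan@example.org", "OpenID"),
               ("support", "Axiom Prompt")]
IDP_LOGINS = ["jdoe@example.com", "asmith@example.com",
              "blee@example.com", "mkhan@example.com"]

if __name__ == "__main__":
    for problem in check_redirect_uri(REGISTERED, AXIOM_URL):
        print("redirect:", problem)
    for login, issue in check_users(AXIOM_USERS, IDP_LOGINS):
        print("user:", login, "-", issue)
```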

Logging in as an Axiom Prompt user when OpenID Authentication is enabled

You can also set up Axiom Prompt users when OpenID Authentication is enabled, for example to allow Axiom Support to access the system without giving them credentials for the OpenID identity provider. These users must go to a special area of the web site in order to log in:

https://ServerName/Axiom/Home/Login

Where ServerName is the name of your Axiom Application Server and Axiom is the name of the virtual directory.