Last updated: 2025-05-28
To integrate your corporate identity provider with Security Center SaaS for single
sign-on, you must first prepare some information about your organization's OpenID Connect (OIDC)
setup. Then contact the Genetec™ Technical Assistance Center (GTAC) to set up a call with you
and your identity provider administrator to complete the integration.
Before you begin
You must have administrator access to your corporate identity provider instance.
Refer to your identity provider documentation for the details about how to apply the
generic instructions detailed here.
What you should know
This procedure can only be performed during a collaborative setup call scheduled by
Genetec that typically lasts around 15 minutes. Testing is performed during the setup call to
check the configuration.
Corporate SSO can be set up with an OIDC-compliant identity provider such as Okta, OneLogin,
PingFederate, and so on.
Note: Only authentication is supported with this OIDC option.
Automatic user provisioning isn’t supported.
Procedure
1. To prepare for the call with Genetec, send the following information at least one day
   in advance:
   - Email contact for the identity provider administrator with sufficient privileges and
     expertise to set up an application integration for their identity provider.
   - Identity provider URL. For example, https://yourtenant.okta.com.
   - Domains used by the users during login. For example, for users who log in with
     myuser@company.com, the domain is company.com.
     Note: This list of domains must include the domains for your users' emails and
     usernames. Corporate SSO will not work properly if the email and username domains
     are not configured for your integration.
2. In GTAC, open a support ticket for SSO, and include the information prepared
   earlier.
   - The integrator typically initiates this ticket.
   - Genetec verifies the information included in the ticket.
   - Genetec schedules a call with the IT administrator to configure the OIDC SSO setup
     together.
3. Attend the setup call with Genetec to configure your new OIDC application.
   During the setup call, Genetec provides the following parameters to configure a new
   OIDC application integration for your identity provider:
   - Redirect URL: The redirect URL is in the following format:
     https://login.genetec.com/signin-oidc-xxxxxxxxxxxx. Your identity provider
     redirects the user back to this URL after they have authenticated.
   - Required scopes: During the authentication request, these parameters specify what
     kind of information login.genetec.com is allowed to request for your users.
     Genetec provides the expected values during the setup call so they can be
     authorized on your identity provider.
   - Grant type: Specifies how an application requests an access token.
   - Response type: Determines the outcome of an authorization request.
4. Configure user access for your new OIDC application integration.
   Note: When configuring user access, consider that this OIDC integration will be effective
   for the following:
   - Security Center SaaS
   - Genetec ClearID™
   - Genetec Clearance™
   - Genetec Cloudrunner™
   - Genetec Operations Center
   - Genetec Portal (genetec.com)
   - Genetec Technical Assistance Portal (GTAP)
Genetec collects the following parameters from your recently configured OIDC
application to configure the OIDC integration in our services:
5. Test your SSO integration.
   Genetec activates the OIDC integration in a testing sandbox and provides a test link
   during the setup call. If you successfully log in using the test link, your identity
   provider is returning the expected responses.
6. Move your SSO authentication integration out of the test environment.
   After the login test is complete, Genetec transfers server configurations from the
   test sandbox to enable third-party authentication for all users. Moving the integration
   out of the test environment activates it for all products and portals. This means that
   customers' users can sign in using the new OIDC integration for most Genetec online
   services and cloud products mentioned earlier in step 4.
   Note: Users must still be manually invited to your Security Center SaaS system.
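
A check for the domain list prepared in the first step of the procedure, as an added example that is not part of the Genetec documentation: it reads a user export from your identity provider and reports every email or username domain that is not yet on the list you plan to send. The export format (CSV with `username` and `email` columns), the sample rows, and exact domain matching are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an identity provider user export (not real accounts).
# The column names "username" and "email" are assumptions about the export.
SAMPLE_EXPORT = """username,email
myuser@company.com,myuser@company.com
jdoe@corp.company.com,john.doe@company.com
asmith@Company.COM ,a.smith@subsidiary.example
svc-backup,backup@company.com
"""


def domain_of(identifier):
    """Return the lower-cased domain of user@domain, or None if there is none."""
    local, sep, domain = identifier.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return domain.lower().rstrip(".")


def missing_from_list(export_text, submitted):
    """Compare login domains in the export with the list prepared for the ticket.

    Returns (missing, bare): missing maps each domain not on the list to the
    accounts that use it; bare lists identifiers that carry no domain at all.
    Matching is exact, so a subdomain is treated as a separate domain (assumption).
    """
    listed = {d.strip().lower().rstrip(".") for d in submitted}
    missing, bare = defaultdict(set), set()
    for row in csv.DictReader(io.StringIO(export_text)):
        account = (row.get("username") or "").strip()
        for field in ("username", "email"):
            value = (row.get(field) or "").strip()
            if not value:
                continue
            domain = domain_of(value)
            if domain is None:
                bare.add(value)
            elif domain not in listed:
                missing[domain].add(account)
    return {d: sorted(u) for d, u in missing.items()}, sorted(bare)


if __name__ == "__main__":
    missing, bare = missing_from_list(SAMPLE_EXPORT, ["company.com"])
    for domain, accounts in sorted(missing.items()):
        print(f"not on list: {domain} (used by {', '.join(accounts)})")
    for name in bare:
        print(f"no domain in identifier: {name}")
```

Any domain reported as missing belongs on the list sent with the support ticket.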