UnifiedViews Single Sign-On (SSO)

12/08/2025

UnifiedViews Single Sign-On (SSO) introduces comprehensive OpenID Connect (OIDC) authentication capabilities, enabling organizations to integrate their existing identity providers with the UnifiedViews platform. This enhancement delivers multiple strategic benefits, including heightened security through established OIDC protocols, streamlined user access management, and extensive compatibility with diverse identity providers while maintaining support for traditional RDF-based authentication methods.

The implementation process has been engineered for straightforward deployment across UnifiedViews instances version 10.1.0 and above. Organizations can transition to OIDC authentication by configuring essential parameters such as issuer URL, client identification, authentication secrets, and defined scopes. This architectural approach ensures a seamless integration between UnifiedViews and organizational identity management infrastructure, establishing a robust and efficient authentication framework.

The new fields in the properties file:

oidc.enabled=
oidc.client-id=
oidc.client-secret=
oidc.scope=openid,profile,email
oidc.authorization-uri=
oidc.token-uri=
oidc.user-info-uri=
oidc.jwk-set-uri=
oidc.user-name-attribute=
oidc.client-name=
oidc.redirect-uri=
oidc.logout-uri=
oidc.admin.roles=

oidc.enabled: enables or disables OIDC authentication; example: true to activate OIDC mode

oidc.client-id: unique identified assigned to your application by the OIDC provider, for instance Azure AD

oidc.client-secretcode: a secret key used together with the client ID to authenticate the application with the OIDC provider

oidc.scope: a comma-separated list of scopes requested during authentication; common scopes include

openid (mandatory for OIDC)
profile (basic user information)
email (user's email address)

oidc.authorization-uri: the endpoint where users are redirected to authenticate.

oidc.token-uri: the endpoint the application uses to exchange the authorization code for an access token.

oidc.user-info-uri: the endpoint used to retrieve user information (such as name, email) after authentication.

oidc.jwk-set-uri: URI to the JSON Web Key Set used to verify the token's signature.

oidc.user-name-attribute: the attribute from the user info response that should be used as the username in the application (for example preferred_username).

oidc.client-name: a name used to identify this OIDC client

oidc.redirect-uri: the callback URL to which the OIDC provider will send the authorization response. Must match the one registered in your OIDC provider.

oidc.logout-uri: URI to redirect the user to when logging out, typically provided by the identity provider to end the session.

oidc.admin.roles: comma-separated list of roles that should be treated as administrators within the UV instance. Example: unifiedviews-admin.

The initial setup of UnifiedViews Single Sign On in Keycloak provides administrators with flexibility in realm configuration. Organizations may either establish a dedicated realm specifically for UnifiedViews SSO or modify an existing realm to accommodate the integration.
The subsequent configuration requires the designation of administrative roles and proper token management. Administrators must assign appropriate roles to users who require administrative privileges within UnifiedViews, such as the PoolParty SuperAdmin role. Essential to this process is the configuration of access tokens through the client scopes pathway, ensuring proper role mapping to both ID and access tokens.
Client scopes > roles > client scope details > mappers > realm_roles > add to ID token / add to access token
The next step involves retrieving the client secret from the credentials section
your_uv_realm > Clients > your_uv_client > Credentials > Client Secret
Now you need to edit the properties file. You only need to replace the realm names with your realm, change the client secret, client ID, choose your admin role and match the redirect URI with the redirect URI in your KC instance.

Example properties file

oidc.enabled=true
oidc.client-id=ppt-oidc
oidc.client-secret=<client_secret>
oidc.scope=openid,profile,email
oidc.authorization-uri=http://localhost:port/auth/realms/your-realm/protocol/openid-connect/auth
oidc.token-uri=http://localhost:port/auth/realms/your-realm/protocol/openid-connect/token
oidc.user-info-uri=http://localhost:port/auth/realms/your-realm/protocol/openid-connect/userinfo
oidc.jwk-set-uri=http://localhost:port/auth/realms/your-realm/protocol/openid-connect/certs
oidc.user-name-attribute=preferred_username
oidc.client-name=Keycloak
oidc.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
oidc.logout-uri=http://localhost:port/auth/realms/your-realm/protocol/openid-connect/logout
oidc.admin.roles=PoolPartySuperAdmin

The Well-Known Configuration File

The well-known configuration file contains essential information required for configuring UnifiedViews with EntraID.

This file can be retrieved from https://login.microsoftonline.com/[tenant]/v2.0/.well-known/openid-configuration.

Required Credentials and Configuration

Client ID
The client ID must be obtained separately as it is not included in the well-known file.
Location: Microsoft EntraID > Enterprise applications > Overview > Application ID
Client Secret
Generate the secret at: Microsoft EntraID > Enterprise applications > Manage > Certificates & Secrets > New Client Secret
Redirect URI Configuration
Configure in Azure at: Microsoft EntraID > Enterprise applications > Manage > Authentication > Web > Redirect URIs.
The URI must precisely correspond to the redirect URI specified in your properties file. The URI has to incorporate your selected client name and typically direct to the login page.

Important

The client secret cannot be accessed after initial creation. Ensure proper storage of this credential.

Role Configuration for Administrative Access

To establish proper role management:

Create administrative role
Navigate to: Microsoft EntraID > Enterprise applications > Manage > App Roles > Create App Role. Establish the UnifiedViews admin role (the name is customizable). Include this role designation in the oidc.admin.roles field within the properties file .
Role assignment
Assign the newly created role to designated administrative users. The system automatically includes this custom admin role in the token under the "roles" key.

Final Configuration

Configure the UnifiedViews properties file by incorporating:

Information from the well-known file
The obtained client ID
The generated client secret
The specified redirect URI
The designated administrative role

Example properties file

oidc.enabled=true
oidc.client-id=<YOUR_CLIENT_ID>
oidc.client-secret=<YOUR_CLIENT_SECRET>
oidc.scope=openid,profile,email
oidc.authorization-uri=https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize
oidc.token-uri=https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
oidc.user-info-uri=https://graph.microsoft.com/oidc/userinfo
oidc.jwk-set-uri=https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
oidc.user-name-attribute=preferred_usernameoidc.client-name=AD
oidc.redirect-uri=http://localhost:port/unifiedviews/login/oauth2/code/AD
oidc.logout-uri=https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout
oidc.admin.roles=unifiedviews-admin

Caution

With the setting oidc.enabled=true DPUs will not be automatically imported during fresh installation. Users can import these in UnifiedViews at any time.

This mostly relates to the output of GET /migrate/schedules/getAll. The only required change affect the owner field where you only need to replace "owner":"localUser" with "owner": "OIDCUser".

In this section:

UnifiedViews Single Sign-On (SSO)

Supported OIDC Providers

Important

Caution