
How to get Started

Once the TCG Authorization Server is installed the TCG Authorization Server Web client is available.

For a normal user, the Web client provides the Home tab and the Session tab. A signed-in user can then use other applications, such as Primus Process Modeler and Process Monitor, or external clients, such as Document Review and Batch Review, with single sign-on (SSO). SSO means that you no longer have to sign in to those other applications. The Session tab shows all open sessions of the current user and allows you to delete any issued tokens.

For an administrator user, the Web client provides several other tabs:

  • Management tab to manage the client applications.
  • Roles tab to list and optionally hide all roles and users that are available for role searches.
  • Identity Provider to configure Active Directory and external identity provider integrations.

For more information on how to use the user interface, refer to the user interface topic.

Creating a new Client

To allow single sign-on, for example for an external Primus client, you need to create a new client ID and set its configuration.

Important: Only an administrator user can add and maintain client IDs on the Management tab.

Perform the following steps to create a new client ID.

  1. From the Management tab click New Client Id. The Add New Client Id window is displayed.
  2. Enter the client ID that uniquely identifies your application.
  3. Optionally, enter the client secret. A client that has a client secret is called a confidential client. A client secret is required when a service uses these credentials to log on with the client credentials grant type. A non-confidential client, such as an SPA or a WPF client, does not get a client secret, because such a client cannot keep it secret; those clients are called public clients.
  4. Set the Authorization modes by selecting one or more items for: Client credentials, Password, and Authorization code.
  5. Optionally, enable introspection by selecting Yes. By default, the option is set to No. Only resource services that verify whether a client is authorized to access their resources require introspection.
  6. Optionally, you can give special permissions to daemons that sign in using client credentials. Choose one of the additional permissions. By default, None is selected.
    • Authentication service admin: useful for daemons (services) that must have the permission to automatically configure the service. For example, the platform installer uses this permission.
    • Resource service: gives a system claim to daemons that are resource services. Platform services have this privilege.
    • Activity host: gives a system claim to a daemon that is not a resource service, but that still requires system permissions. For example, Activity Server processes get this permission.
  7. Add Windows SIDs that the client always receives on login. This option is only recommended for confidential clients, with the explicit use case of an Activity Server/Host that is intended to run with the permissions of a technical user. In that case, the Activity Server should not get the Activity host additional permission.
  8. Add Redirect Uris for clients that use the authorization code flow. Without correct redirect URIs, a web client cannot use the authorization code flow, because the Authorization Server refuses to redirect to unknown redirect URIs. Redirect URIs are case sensitive.
    • For rich client applications it is sufficient to specify http://localhost/ to be able to use any port on localhost for redirect URIs.
  9. Add Post Logout Redirect Uris. You can add several URIs if needed. These URIs are case sensitive.
  10. Click Create Client Id to create the new client Id with the configured settings. To close the window without saving any changes, click Back to Management.
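The redirect URI rules in steps 8 and 9 (exact, case-sensitive matching, plus the http://localhost/ entry that covers any local port) are the part of this procedure that most often trips up integrators, so here is a small matcher that applies them to constructed sample requests. It is an added illustration, not the TCG Authorization Server's own implementation: the registered URIs, the requested URIs and the exact interpretation of the localhost rule (only the port may vary; scheme, path and query must still match) are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample registration for a hypothetical client: a production web
# callback plus the http://localhost/ entry the page recommends for rich clients.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/signin-oidc",
    "http://localhost/",
]


def _strip_localhost_port(uri):
    """Remove the port from a URI whose host is exactly 'localhost'.

    Any other URI (different host, non-numeric port, userinfo before an '@')
    is returned unchanged, so the relaxation never widens beyond localhost.
    """
    parts = urlsplit(uri)
    host, sep, port = parts.netloc.partition(":")
    if host == "localhost" and sep and port.isdigit():
        return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return uri


def redirect_uri_allowed(registered_uris, requested_uri):
    """Decide whether an authorization request may be redirected to requested_uri.

    The match is exact and case sensitive: scheme, host, path, query and
    fragment must be identical to a registered entry. The single relaxation
    (assumption modelled on the page's localhost advice) is that a registered
    localhost entry without a port also accepts the same URI with any port.
    """
    if requested_uri in registered_uris:
        return True
    return _strip_localhost_port(requested_uri) in registered_uris


def check_requests(registered_uris, requested_uris):
    """Evaluate several requested redirect URIs and return {uri: allowed}."""
    return {uri: redirect_uri_allowed(registered_uris, uri) for uri in requested_uris}


if __name__ == "__main__":
    # Constructed requests: the first two are accepted, the rest are refused.
    samples = [
        "https://app.example.com/signin-oidc",
        "http://localhost:53421/",
        "https://app.example.com/Signin-OIDC",      # case differs
        "https://app.example.com/signin-oidc?x=1",  # extra query component
        "http://localhost:53421/callback",          # path differs from the localhost entry
        "http://localhost.example.net:8080/",       # host is not exactly 'localhost'
        "http://localhost:8080@other.example/",     # userinfo before '@': port is not numeric
    ]
    for uri, ok in check_requests(REGISTERED_REDIRECT_URIS, samples).items():
        print(f"{'allow ' if ok else 'refuse'} {uri}")
```

Note that registering a localhost entry with a fixed port (for example http://localhost:3000/) does not loosen the match to other ports; only the port-less http://localhost/ form does, which is why the page suggests exactly that form for rich clients.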