Dualog Identity - Setting Up Ship Integrations

INTRODUCTION

This article explains how to configure Single Sign-On (SSO) for applications running on vessels. Ship-side integrations enable crew to authenticate to onboard applications using their Dualog credentials, even when the vessel is offline.

Dualog Identity supports two types of ship integrations:

  • OIDC Single Sign-On: For applications that support OpenID Connect
  • Active Directory Provisioning: For syncing users to Windows Active Directory domains on ships

This article covers OIDC integrations. For Active Directory, see Active Directory Integration.

HOW SHIP-SIDE AUTHENTICATION WORKS

Each vessel runs a local identity server that:

  • Authenticates users for onboard applications
  • Works fully offline
  • Syncs configuration from the cloud within minutes when connected

When you create a ship integration in the Dualog Portal, the configuration syncs to the vessel's identity server automatically.

PREREQUISITES

Before setting up a ship integration, you need:

  • Administrator access to the Dualog Portal
  • An application that supports OpenID Connect (OIDC)
  • Network connectivity from the application to the vessel's Dualog server

Important: Ship-side integrations require the ship-side identity server, which is part of Dualog Connection Suite. The vessel must have Connection Suite installed and configured. See Ship-Side Identity Server for setup instructions.

Note: The ship-side identity server address varies by vessel configuration. It may be accessed via hostname (if the vessel has a domain) or IP address. Contact your IT administrator for the specific address on each vessel.

CREATING A SHIP OIDC INTEGRATION

  1. Log in to https://apps.dualog.com
  2. Navigate to https://apps.dualog.com/integrations
  3. Click New Integration
  4. When asked "Where is the application running?", select:
    "Installed On-Premise"
  5. Select Single Sign-On / provisioning:
    "Configure a connection between a Dualog service and an external application for Single Sign-On or provisioning using OpenID Connect (OIDC)."

CONFIGURING THE INTEGRATION

Basic Information

  • Service Provider Name: A friendly name for this integration (e.g., "Vessel PMS", "E-Logbook")
  • Logo: (Optional) Upload a logo for the application

Grant Type

Choose the OAuth grant type:

  • Authorization Code: Recommended for web applications with a backend server
  • Password: For applications that require direct username/password authentication (legacy applications)

Redirect URIs

  • Sign-in Redirect URI: The URL where users are sent after successful authentication. This will be a local URL on the vessel (e.g., http://localhost:8080/callback or similar).
  • Sign-out Redirect URI: (Optional) The URL where users are sent after signing out.

User Activity Logging

  • Log user activity: Enable this to log all authentication events for this application

When enabled, authentication events are logged and can be viewed in the User Activity dashboard. See User Activity and Audit Logs for more information.

Saving the Integration

Click Save to create the integration. You will receive:

  • Client ID: The unique identifier for this integration
  • Client Secret: The secret key for authentication

Important: Copy the Client Secret immediately and store it securely.

ACCESS CONTROL FOR SHIP INTEGRATIONS

Ship-side integrations automatically enforce that users must be signed onto that specific vessel to authenticate. This means:

  • A user assigned to Vessel A cannot authenticate to applications on Vessel B
  • When a user's contract ends, they immediately lose access to ship-side applications
  • Access follows the user's current ship assignment

Note: The user's rank is included in authentication tokens, so third-party applications can implement their own rank-based access control if needed.

CONFIGURING YOUR APPLICATION

After creating the integration, configure your application to use the ship-side identity server.

Ship-Side OIDC Endpoints

The ship-side identity server uses the same OIDC endpoint structure as the cloud, but with the local server address. Your application will need:

OIDC Endpoints

  Endpoint            URL
  Issuer              https://<Dualog-Server-Address>/auth
  Authorization       https://<Dualog-Server-Address>/auth/connect/authorize
  Token               https://<Dualog-Server-Address>/auth/connect/token
  User Info           https://<Dualog-Server-Address>/auth/connect/userinfo
  JWKS                https://<Dualog-Server-Address>/auth/.well-known/openid-configuration/jwks
  End Session         https://<Dualog-Server-Address>/auth/connect/endsession
  Discovery Document  https://<Dualog-Server-Address>/auth/.well-known/openid-configuration
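
Because the server address differs per vessel (hostname on some, IP address on others), it helps to check that the discovery document a vessel returns agrees with the address the application is configured with. The following is an added example, not Dualog code: it builds the endpoint set from the table above and compares it with a discovery document. The host name and sample document are constructed; the metadata field names are the standard OIDC discovery ones.

```python
from urllib.parse import urlsplit

# Discovery metadata field -> path under the issuer, from the endpoint table above.
EXPECTED_PATHS = {
    "authorization_endpoint": "/connect/authorize",
    "token_endpoint": "/connect/token",
    "userinfo_endpoint": "/connect/userinfo",
    "jwks_uri": "/.well-known/openid-configuration/jwks",
    "end_session_endpoint": "/connect/endsession",
}

# Constructed sample of what a vessel reachable by hostname might return.
SAMPLE_DISCOVERY = {
    "issuer": "https://dualog.vessel.example/auth",
    "authorization_endpoint": "https://dualog.vessel.example/auth/connect/authorize",
    "token_endpoint": "https://dualog.vessel.example/auth/connect/token",
    "userinfo_endpoint": "https://dualog.vessel.example/auth/connect/userinfo",
    "jwks_uri": "https://dualog.vessel.example/auth/.well-known/openid-configuration/jwks",
    "end_session_endpoint": "https://dualog.vessel.example/auth/connect/endsession",
}


def expected_endpoints(server_address):
    """Build the endpoint set for one vessel from its Dualog server address."""
    issuer = f"https://{server_address}/auth"
    endpoints = {"issuer": issuer}
    endpoints.update({field: issuer + path for field, path in EXPECTED_PATHS.items()})
    return endpoints


def check_discovery(server_address, discovery):
    """Return a list of mismatches between the configured address and the document."""
    problems = []
    for field, want in expected_endpoints(server_address).items():
        got = discovery.get(field)
        if got is None:
            problems.append(f"{field}: missing")
        elif got != want:
            # Exact comparison: OIDC clients reject tokens whose issuer differs at all.
            hint = ""
            if urlsplit(got).netloc != server_address:
                hint = " (host differs from configured address)"
            problems.append(f"{field}: expected {want}, got {got}{hint}")
    return problems
```

An application configured with the vessel's IP address while the server advertises its hostname fails this check on every field, which is the same mismatch that makes issuer validation fail at sign-in.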

CLAIMS SENT TO APPLICATIONS

The ship-side identity server sends the following information about users:

  • User identifier (subject)
  • Name (given name, family name, display name)
  • Email address
  • Rank: included in authentication tokens

Applications can use the rank claim to implement additional access control logic.
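
A sketch of rank-based access control inside an application, as an added example that is not Dualog code. It assumes the claim is named `rank`, that the rank values and policy table shown are the application's own (all constructed here), and that the token signature has already been verified against the JWKS endpoint by the application's OIDC library.

```python
import time

# Assumed for illustration: rank values and which actions each rank may perform.
RANK_POLICY = {
    "approve_work_order": {"MASTER", "CHIEF ENGINEER"},
    "view_logbook": {"MASTER", "CHIEF OFFICER", "CHIEF ENGINEER", "SECOND OFFICER"},
}

# Constructed claims, as they would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://dualog.vessel.example/auth",
    "aud": "constructed-client-id",
    "sub": "constructed-user-id",
    "exp": 2_000_000_000,
    "rank": "Second Officer",  # claim name "rank" is an assumption
}


def authorize(claims, action, issuer, client_id, now=None, policy=RANK_POLICY):
    """Decide whether verified token claims allow `action`. Denies by default."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "token not issued for this client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    rank = claims.get("rank")
    if not isinstance(rank, str) or not rank.strip():
        return False, "no rank claim"
    allowed = policy.get(action)
    if allowed is None:
        return False, "unknown action"
    if rank.strip().upper() not in allowed:
        return False, "rank not permitted"
    return True, "ok"
```

A token with no rank claim, or an action missing from the policy, is refused rather than allowed, so a gap in the policy table cannot silently grant access.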

SYNC BEHAVIOR

When you create or modify a ship integration in the Dualog Portal:

  • Changes sync to vessels within minutes when they have connectivity
  • The integration becomes available on all vessels (but access is controlled by user ship assignments)
  • Vessels that are offline will receive the configuration when they next connect

MANAGING SHIP INTEGRATIONS

Viewing and Editing

  1. Go to https://apps.dualog.com/integrations
  2. Click on the integration to view or edit

Regenerating Client Credentials

If you need to rotate your Client Secret for security reasons:

  1. Open the integration
  2. Use the regenerate option to create new credentials
  3. Update your application with the new Client Secret

Deleting an Integration

  1. Go to https://apps.dualog.com/integrations
  2. Click on the integration to open it
  3. Click Delete
  4. Confirm the deletion

Warning: Deleting an integration will prevent users from authenticating to that application on all vessels once the change syncs.

TROUBLESHOOTING

Users cannot access the application

  • Verify the user is signed onto the correct vessel
  • Check the user's contract dates are current

Authentication fails

  • Verify the application can reach the ship's Dualog server
  • Check the Client ID and Client Secret are correct
  • Ensure the Redirect URI matches exactly

Changes not appearing on the vessel

  • Changes sync within minutes when connected
  • Verify the integration was saved successfully in the portal
  • Ensure the Dualog server is online and able to talk to the Dualog Cloud
