Managing OpenID Connect configuration
You can use OpenID Connect to authenticate users to the Service Center. The OpenID Connect provider must be able to authenticate the user and provide claims to the relying party about the authentication event and the user.
Before you begin
- The provider is fully OIDC-compliant.
- The user registry is managed by IBM Security Identity Governance and Intelligence.
- The relying party, IBM Security Identity Governance and Intelligence, is reachable from the provider.
Parameter | Description |
---|---|
Provider name | A label for the service that provides your OpenID Connect authentication. Optional. |
Configuration | Select one of two options: Discovery configuration, in which the endpoints and the issuer identifier are read from the provider's discovery document at the Discovery URL, or manual configuration, in which you enter each value yourself. |
Discovery URL | The URL from which the provider's OpenID Connect discovery document is read. Required if you selected Discovery configuration. |
Authorization URL | The initial endpoint that the relying party contacts to begin an authentication flow. Entered automatically if you selected Discovery configuration. |
Token URL | The endpoint that is used to exchange an authorization code for a token. Entered automatically if you selected Discovery configuration. |
JWK URL | The JSON Web Key endpoint from which the provider's public keys are fetched for signature verification. Optional. Entered automatically if you selected Discovery configuration. |
Certificate Alias | The label of the provider's signing certificate that was uploaded to the trust store. Required when the signature algorithm is RS256 and no JWK URL is provided; otherwise optional. |
Scope | The scopes requested with the access token; they determine which resources are available when the token is used at OpenID Connect protected endpoints. The openid scope is always required. A non-normative example is scope=openid profile email phone. Entered automatically if you selected Discovery configuration. |
Issuer identifier | The verifiable identifier for the issuer. It is a case-sensitive URL that uses the https scheme and contains scheme, host, and optionally port number and path components; it cannot contain query or fragment components. The value must match the iss claim of the ID tokens that the provider issues. Entered automatically if you selected Discovery configuration. |
RedirectToRPHostandPort | The host and port of the relying party that the provider redirects back to. If a reverse proxy is in front of the relying party, this value overrides the relying party's own host name and port. The format is https://reverseproxyhost:reverseproxyport/. Must be entered manually and is required only if the relying party is behind a reverse proxy that cannot rewrite the redirect URL itself. |
Signature algorithm | The algorithm that the provider uses to sign the ID token. The default is HS256, which verifies the token with the client secret as the HMAC key; RS256 verifies it with the provider's public key from the JWK URL or from the certificate identified by Certificate Alias. |
User ID to create subject | The claim in the provider's ID token that holds the user's unique identifier. Its value becomes the subject of the authenticated user. |
Client ID | A public string that the provider uses to identify this application. It is also sent in the authorization request. |
Client secret | The secret that authenticates the application to the provider when it requests a token for a user account. It must be kept private between the application and the provider. |
Domains | The domain that uses OpenID Connect as its authentication mechanism. Select Service Center. |
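The following is an added example, not code from IBM Security Identity Governance and Intelligence, showing how a relying party uses the parameters in the table: it fills the "entered automatically" rows from a discovery document (checking that the document's issuer matches the Discovery URL), builds the first redirect to the Authorization URL with the RedirectToRPHostandPort override applied to the callback, and validates an ID token signed with the default HS256 algorithm, where the HMAC key is the client secret. The discovery document, client secret, client ID, token claims and the /oidc/callback path are all constructed for the example; RS256 verification against a JWK or trust-store certificate is described but not implemented.

```python
# Added example (not IBM code). Relying-party side of the table above:
# discovery, authorization request, and HS256 ID token validation.
import base64, hashlib, hmac, json, secrets, time, urllib.parse

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed discovery document, as a provider would serve at <issuer> + WELL_KNOWN.
DISCOVERY_URL = "https://op.example.com" + WELL_KNOWN
DISCOVERY_DOC = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/oauth2/authorize",
    "token_endpoint": "https://op.example.com/oauth2/token",
    "jwks_uri": "https://op.example.com/oauth2/jwks",
    "scopes_supported": ["openid", "profile", "email"],
}

def discovery_issuer_ok(discovery_url, doc):
    """OIDC Discovery 4.3: the issuer in the document must equal the URL the document
    was fetched from (minus the well-known path), or a rogue host can impersonate the OP."""
    expected = discovery_url[: -len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else ""
    return expected != "" and doc.get("issuer", "").rstrip("/") == expected.rstrip("/")

def config_from_discovery(discovery_url, doc, signature_algorithm="HS256"):
    """Fill the rows marked 'entered automatically' from the discovery document."""
    if not discovery_issuer_ok(discovery_url, doc):
        raise ValueError("discovery document issuer does not match the discovery URL")
    scopes = [s for s in doc.get("scopes_supported", []) if s != "openid"]
    return {
        "issuer": doc["issuer"],
        "authorization_url": doc["authorization_endpoint"],
        "token_url": doc["token_endpoint"],
        "jwk_url": doc.get("jwks_uri"),
        "scope": " ".join(["openid"] + scopes),  # openid is mandatory in OIDC
        "signature_algorithm": signature_algorithm,
    }

def authorization_request(cfg, client_id, rp_base, redirect_override=None, state=None, nonce=None):
    """Build the initial redirect to the Authorization URL. /oidc/callback is an assumed
    callback path. When the relying party sits behind a reverse proxy that does not
    rewrite the redirect, RedirectToRPHostandPort (redirect_override) replaces scheme/host/port."""
    base = (redirect_override or rp_base).rstrip("/")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": base + "/oidc/callback",
        "scope": cfg["scope"],
        "state": state or secrets.token_urlsafe(16),  # CSRF binding for the callback
        "nonce": nonce or secrets.token_urlsafe(16),  # replay binding for the ID token
    }
    return cfg["authorization_url"] + "?" + urllib.parse.urlencode(params)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, client_secret):
    """Used only to construct a test token; normally the provider signs."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_id_token(token, cfg, client_id, client_secret, subject_claim="sub", nonce=None, now=None):
    """Validate the ID token (OIDC Core 3.1.3.7) for the HS256 default, where the HMAC key
    is the client secret. RS256 would use the provider's public key from the JWK URL or the
    trust-store certificate instead. Returns the claim chosen as 'User ID to create subject'."""
    if cfg["signature_algorithm"] != "HS256":
        raise NotImplementedError("only HS256 is shown here")
    head, body, sig = token.split(".")  # ValueError if not three parts
    header = json.loads(b64url_decode(head))
    # Compare against the configured algorithm; never let the token's own header
    # choose how it is verified (alg=none and key-confusion attacks).
    if header.get("alg") != cfg["signature_algorithm"]:
        raise ValueError(f"algorithm {header.get('alg')!r} is not the configured one")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if subject_claim not in claims:
        raise ValueError(f"ID token has no {subject_claim!r} claim")
    return claims[subject_claim]

def validation_error(*args, **kwargs):
    # Rejection reason, or None when the token is accepted.
    try:
        verify_id_token(*args, **kwargs)
        return None
    except ValueError as err:
        return str(err)
```

The two checks that matter most for the table's settings are the issuer comparison in discovery_issuer_ok, which is what makes Discovery configuration safe to trust, and the comparison of the token header's alg against the configured Signature algorithm rather than the other way round: if the configured value were RS256 and the token said HS256, verifying with the client secret (or with the public key as an HMAC secret) would accept a forged token.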
About this task
You can configure one or more OpenID Connect providers, but only one provider can be used to access the Service Center at any one time.
The OpenID Connect Provider feature, the internal provider, is enabled by default on new installations of the current version. If you would rather use an external provider as described here, you must first disable OpenID Connect Provider.
If you upgraded from a previous version in which this feature was enabled, OpenID Connect Provider was disabled automatically. You can later decide whether to use the internal or an external provider.
Remember that this feature authenticates users to the Service Center only, whereas OpenID Connect Provider can also authenticate users to the virtual appliance local management interface and to the Administration Console.