Server Administration Application – OpenID Connect Configuration


Contents

Introduction
OpenID Connect Configuration Properties
    OpenID Connect Configuration
    Digital Signature Verification
    Information Returned from Connection Provider

See also: Server Administration Application Home Page, OAuth Configuration, OpenID Connect, User Authentication, ADFS step by step configuration


Introduction

OpenID Connect configurations are created and maintained on the server using the Server Administration web application. They are saved in the openIdConnectConfigurations folder within the ebaseConf folder of the web application, e.g. userdata/apps/<webappname>/ebaseConf/openIdConnectConfigurations. These files can be copied between servers if required.

An OpenID Connect configuration represents a connection to a third party OpenID Connect system that provides external authentication, e.g. Google Identity Platform, Salesforce, ADFS. The OpenID Connect protocol is an extension of the OAuth 2.0 protocol; similarly, an OpenID Connect configuration is based on an OAuth Configuration and extends it with the additional properties that OpenID Connect requires.

OpenID Connect Configuration Properties


OpenID Connect Configuration

Name

OpenID Connect configuration name.

OAuth Name

Select the appropriate OAuth Configuration from the dropdown.

Description

An optional description.

OAuth Scope Override

A list of scope strings specific to the authorization server. This overrides the scope specified in the corresponding OAuth Configuration. The effective scope (this field, or the OAuth Configuration scope if this field is blank) must include the string “openid”.

e.g. “openid email profile”


Digital Signature Verification

Public Keys URL

The JSON Web Key Set (JWKS) published at this URL supplies the provider's public keys, which are used to verify the signature of the signed JWT received from the provider. The URL can be obtained from the jwks_uri field of the provider's Discovery Document.

Information Returned from Connection Provider

The OpenID Connect provider will return a token containing a number of claims. This section describes how those claims are treated.


Claim name containing the userid

The name of the returned claim to be used as the userid. This is commonly “email”.

Claim name containing user roles

The name of the returned claim containing a list of roles to be associated with the user.

Automatically populate user credentials from claims

When checked, any returned claims (other than the userid and roles claims) will be treated as credentials.

Store Refresh Token Cookie

When checked, any refresh token returned will be saved as a cookie. If the original session has expired when OpenID Connect authorization is next called, this cookie is used to reconnect the user.