Server Administration Application – OpenID Connect Configuration
OpenID Connect Configuration Properties
Digital Signature Verification
Information Returned from Connection Provider
See also: Server Administration Application Home Page, OAuth Configuration, OpenID Connect, User Authentication, ADFS step by step configuration
OpenID Connect configurations are created and maintained on the server using the Server Administration web application. They are saved in folder openIdConnectConfigurations in the ebaseConf folder of the web application e.g. userdata/apps/<webappname>/ebaseConf/openIdConnectConfigurations. These files can be copied between servers if required.
An OpenID Connect configuration represents a connection to a third party OpenID Connect system that provides external authentication e.g. Google Identity Platform, Salesforce, ADFS. The OpenID Connect protocol is an extension of the OAuth 2.0 protocol; similarly, an OpenID Connect configuration is based on an OAuth Configuration and extends it with the additional properties that OpenID Connect requires.
OpenID Connect Configuration Properties

Name | OpenID Connect configuration name.
OAuth Name | Select the appropriate OAuth Configuration from the dropdown.
Description | An optional description.
OAuth Scope Override | A space-separated list of scope strings specific to the authorization server. This overrides the scope specified in the corresponding OAuth Configuration. This (or the OAuth Configuration scope if this field is blank) must include the string “openid”, e.g. “openid email profile”.
Digital Signature Verification

Public Keys URL | This URL is used to validate the signed JWT (the ID token) received from the provider: it points to the provider's JWK Set, the public keys matching the keys the provider signs tokens with. It can be obtained from the jwks_uri field of the provider's Discovery Document. Providers rotate their signing keys, so the set may contain several keys; the kid header of the token identifies the one to verify against.
Information Returned from Connection Provider

The OpenID Connect provider returns an ID token containing a number of claims. This section describes how those claims are treated.

 | The name of the returned claim to be used as the userid. This is commonly “email”.
Claim name containing user roles | The name of the returned claim containing a list of roles to be associated with the user.
Automatically populate user credentials from claims | When checked, every returned claim other than the userid and roles claims is stored as a user credential.
Store Refresh Token Cookie | When checked, any refresh token returned is saved in a cookie and used to reconnect the user when OpenID Connect authorization is invoked after the original session has expired. Note that the cookie then holds a long-lived credential, so the application should only be served over HTTPS.
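As an added example (not part of this documentation or of the product's own code), the following Go program shows the two steps the properties above configure: verifying an RS256 ID token against the JWK Set a provider publishes at its jwks_uri (the Public Keys URL), then mapping the verified claims using a userid claim, a roles claim and the automatic-credentials option. The provider, its key pair, the kid value, the claim names and the user details are all constructed inside the program, and the function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is one RSA entry of the JWK Set that the provider serves at its jwks_uri.
type jwk struct{ Kid, Kty, N, E string }
var b64 = base64.RawURLEncoding

// digest hashes the JWT signing input (header.payload) as RS256 requires.
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// newProvider stands in for the provider: a fresh key pair plus the JWK Set a real deployment fetches from the Public Keys URL.
func newProvider(kid string) (*rsa.PrivateKey, []jwk) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // a failing system RNG is fatal for this fixture
	}
	e := b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, []jwk{{kid, "RSA", b64.EncodeToString(priv.N.Bytes()), e}}
}

// signIDToken mints an RS256 ID token the way the provider would (constructed test input).
func signIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	input := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig)
}

// verifyIDToken pins alg to RS256, selects the JWK named by the token's kid header, checks the signature and returns the claims.
func verifyIDToken(token string, keys []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	hdrBytes, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("no usable RSA key for kid %q or signature invalid", hdr.Kid)
	}
	var claims map[string]any
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("unreadable payload")
	}
	return claims, nil
}

// applyConfig maps verified claims as the properties above describe: useridClaim gives the userid, rolesClaim the role list, and with autoCreds every other claim becomes a credential.
func applyConfig(claims map[string]any, useridClaim, rolesClaim string, autoCreds bool) (string, []string, map[string]any, error) {
	uid, ok := claims[useridClaim].(string)
	if !ok || uid == "" {
		return "", nil, nil, fmt.Errorf("userid claim %q missing from ID token", useridClaim)
	}
	var roles []string
	list, _ := claims[rolesClaim].([]any)
	for _, r := range list {
		roles = append(roles, fmt.Sprint(r))
	}
	creds := map[string]any{}
	for k, v := range claims {
		if autoCreds && k != useridClaim && k != rolesClaim {
			creds[k] = v
		}
	}
	return uid, roles, creds, nil
}

// demo runs the full flow against the constructed provider and a constructed ID token.
func demo() (string, []string, map[string]any, error) {
	priv, keys := newProvider("key-1")
	claims := map[string]any{"email": "alice@example.test", "roles": []any{"user", "admin"}, "name": "Alice"}
	got, err := verifyIDToken(signIDToken(priv, "key-1", claims), keys)
	if err != nil {
		return "", nil, nil, err
	}
	return applyConfig(got, "email", "roles", true)
}

func main() { fmt.Println(demo()) }
```

Running it prints the userid, roles and credentials derived from the token: "email" becomes the userid, "roles" the role list, and "name" the only credential. Two points are worth noting. The verifier selects the key by the token's kid header instead of assuming a single key, which is what makes provider key rotation work, and it rejects any alg other than RS256 before looking at a key. A valid signature alone is not enough in production: the iss, aud and exp claims (and the nonce, if one was sent) must be checked as well, which this example leaves out.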