
OpenID Connect

Connect to any provider that conforms to the OpenID Connect specification. The OpenID Connect Provider (i.e. whatever holds the user data) will need to supply a client ID and secret, as well as the URL of its discovery endpoint.

The provider will also need to know the re-entry target (the redirect URI) of the Authentication worker, which in a standard installation will be https://server-host-name/apiserver/auth/http/reentry. Register it with the provider exactly as the worker presents it, since providers match redirect URIs exactly, and all subsites using this provider should enforce HTTPS in their Subsite Properties, because the provider's response (code and tokens) is delivered to this URL.

Intermittent login problem with Azure
In March 2023 Microsoft increased the size of their authorization codes and refresh tokens. Their recommendation is to set the response_mode to form_post, which can be done using the requestPostResponse parameter below. With form_post the provider returns the response in the body of an HTTPS POST to the re-entry URL instead of in the URL itself, so the longer values no longer run into URL-length limits on the way back.

Parameters

As well as the parameters described in Base Provider Parameters, the following are set in the params object. Those listed under Required must be present; the rest have the defaults shown.

Name (Type): Comments

Required

clientId (String): The Client ID from the identity provider
discoveryEndpointUrl (String): The location of the provider's discovery document, found at a "well-known" location (the examples below use <issuer>/.well-known/openid-configuration)
secret (String): The Client secret from the identity provider
userProfileAttributeMapping (Object): Maps profile properties (left) to the Authentication Worker's UserProfile class fields (right)

Only the UNIQUEID field is required. See Site User Profile Mapping for further information

"userProfileAttributeMapping": {
    "mapping": {
        "SUB": {
            "mappings": ["UNIQUEID"]
        },
        "NAME": {
            "mappings": ["PREFERREDNAME"]
        },
        "GIVEN_NAME": {
            "mappings": ["FORENAMES"]
        },
        "FAMILY_NAME": {
            "mappings": ["SURNAME"]
        },
        "EMAIL": {
            "mappings": ["EMAIL"]
        }
    }
}
Optional

clockSkew (Integer): Number of seconds of tolerance allowed when checking the token's time claims (exp, nbf, iat) against the local clock, to cover discrepancies between the clocks on the local and remote servers. Default: 0, meaning any drift that puts a token's issue time in the local future, or its expiry a second in the past, rejects it; a small allowance (tens of seconds) is the usual setting where the clocks are not tightly synchronised.
debugLogging (Boolean): Default: false

If enabled the JWT token and the attribute mapping values will be logged, simplifying the process of creating a mapping. The logged token contains the user's claims (personal data), so enable this only while building a mapping and turn it off again afterwards.
requestPostResponse (Boolean): Default: true

If true, Form Post Response Mode is enabled. This adds response_mode=form_post to the authorization URL, so the provider returns the code and tokens in the body of a POST to the re-entry URL rather than in the URL itself. This is recommended for Azure (see the note above).
requestUserInfo (Boolean): If true the worker makes an additional call to the provider's userinfo_endpoint to retrieve information. In most circumstances this is not needed, as the data is already in the id_token
responsetype (String): Space delimited list of responses requested. Any of:

code
token
id_token
none

Default: "id_token token"

Note that including token requests the access token directly from the authorization endpoint (the implicit flow). With the default value, keep requestPostResponse enabled so that the tokens arrive in a POST body rather than in the URL.
scopes (String): Space delimited scopes to request from the provider

Default: "openid"

The openid scope alone entitles you to the sub claim; if the name and email claims listed under User Profile Data are to be mapped, ask for them as well (e.g. "openid profile email"), otherwise the provider may leave them out of the id_token.
shouldUseSingleSignOut (Boolean): Default: true

Whether or not logging out should terminate the sessions of all applications involved. If false, logging out of the iCM powered site will not log the user out of, e.g., their Azure account
tokenSigningCertFilePath (String, file path): Default: null

Optional path to a PEM encoded .cer file containing the certificate used to verify token signatures. Certificates should be stored in the ${APISERVER}/data/auth directory, e.g. ${APISERVER}/data/auth/adfs-providername/adfs-token-signing.cer
tokenSigningKey (String): A key to use instead of a certificate

User Profile Data

We request the following information about a user. The properties are automatically mapped to the Authentication Worker's UserProfile class. These properties are then mapped to actual fields in a site user's profile, following the mappings set up in the userProfileToObjectFieldMapping property of the Worker Configuration Properties.

Property -> Mapped To: Comments

sub -> UNIQUEID: The unique subject identifier for the user at the issuer
name -> PREFERREDNAME: Full name
given_name -> FORENAMES: First name
family_name -> SURNAME: Last name
email -> EMAIL: The user's preferred email address

See the Linking Providers, Account and Profile Management article for information about how profiles and email addresses are updated.

Example

This example shows three different providers, all using the OpenID type. The first connects to the API Server's own OAuth worker (a premium service).

{
    "providerName": "icmOIDC",
    "providerDisplayName": "icm OpenID Connect",
    "type": "openid",
    "userPrefix": "ICMOIDC_",
    "params": {
        "checkConsentToStoreData": false,
        "failIfConsentNotGiven": true,
        "clientId": "...",
        "secret": "...",
        "discoveryEndpointUrl": "https://demosite.gossinteractive.com/apiserver/oauth/http/.well-known/openid-configuration"
    }
}, {
    "providerName": "googleOID",
    "providerDisplayName": "google OpenID Connect",
    "type": "openid",
    "userPrefix": "GOID_",
    "params": {
        "checkConsentToStoreData": false,
        "failIfConsentNotGiven": true,
        "clientId": "123...456-idj...i0.apps.googleusercontent.com",
        "secret": "wmX.....-.....KiQ",
        "discoveryEndpointUrl": "https://accounts.google.com/.well-known/openid-configuration"
    }
}, {
    "providerName": "azureOID",
    "providerDisplayName": "azure OpenID Connect",
    "type": "openid",
    "userPrefix": "AOID_",
    "params": {
        "checkConsentToStoreData": false,
        "failIfConsentNotGiven": true,
        "clientId": "7f0...-...-...-...7de",
        "secret": "Zjgq...IKME=",
        "discoveryEndpointUrl": "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration"
    }
}

Last modified on 11 April 2024
