OpenID Connect

Connect to any provider that conforms to the OpenID Connect specification. The OpenID Connect Provider (ie whatever it is that holds all of the user data) will need to supply a client ID and secret, as well as a discovery endpoint URL.

The provider will also need to know the re-entry target of the Authentication worker, which in a standard installation will be https://server-host-name/apiserver/auth/http/reentry - all subsites using this provider should enforce HTTPS in their Subsite Properties.

Parameters

As well as the parameters described in Base Provider Parameters, the following must be set in the params object.

Name	Type	Comments
Required
clientId	String	The Client ID from the identity provider
discoveryEndpointUrl	String	The location of the provider's discovery document found at a "well-known" location
secret	String	The Client secret from the identity provider
userProfileAttributeMapping	Object	Maps profile properties (left) to the Authentication Worker's UserProfile class fields (right) Only the UNIQUEID field is required. See Site User Profile Mapping for further information "userProfileAttributeMapping": { "mapping": { "SUB": { "mappings": ["UNIQUEID"] }, "NAME": { "mappings": ["PREFERREDNAME"] }, "GIVEN_NAME": { "mappings": ["FORENAMES"] }, "FAMILY_NAME": { "mappings": ["SURNAME"] }, "EMAIL": { "mappings": ["EMAIL"] } } }
Optional
authUiLocales	String	Sets ui_locales in the authentication request, for example "cy"
clockSkew	Integer	A number of seconds to allow for discrepancies between clocks on local and remote servers. Default 0
debugLogging	Boolean	Default: false If enabled the JWT Token and Attribute Mapping Values will be logged, simplifying the process of creating a mapping
requestPostResponse	Boolean	Default: true If true, Form Post Response Mode is enabled. This adds response_mode=form_post to the authorizationURL. This is recommended for Azure. Set as false if the provider expects a multipart response body
requestUserInfo	Boolean	If true the provider will make an additional call to the userinfo_endpoint to retrieve information. In most circumstances this is not needed as the data is in the id_token
responsetype	String	Space delimited list of responses requested. Any of: code token id_token none Default: "id_token token"
scopes	String	Space delimited scopes to request from the provider Default: "openid"
shouldUseSingleSignOut	Boolean	Default: true Whether or not logging out should terminate the sessions of all applications involved. If false logging out of the iCM powered site will not log the user out of, eg their Azure account
tokenSigningCertFilePath	String (File path)	Default: null Optional path to a PEM encoded .cer file containing the certificate to use. Certificates should be stored in the ${APISERVER}/data/auth directory, eg ${APISERVER}/data/auth/adfs-providername/adfs-token-signing.cer
tokenSigningKey	String	A key to use instead of a certificate

User Profile Data

We request the following information about a user. The properties are automatically mapped to the Authentication Worker's UserProfile class. These properties are then mapped to actual fields in a site user's profile, following the mappings set up in the userProfileToObjectFieldMapping property of the Worker Configuration Properties.

Property	Mapped To	Comments
sub	UNIQUEID	The unique subject identifier for the user at the issuer
name	PREFERREDNAME	Full name
given_name	FORENAMES	First name
family_name	SURNAME	Last name
email	EMAIL	The user's preferred email address

See the Linking Providers, Account and Profile Management article for information about how profiles and email addresses are updated.

Example

This example shows three different providers, all using the OpenID type. The first connects to the API Server's own OAuth worker (a premium service).

{ "providerName": "icmOIDC", "providerDisplayName": "icm OpenID Connect", "type": "openid", "userPrefix": "ICMOIDC_", "params": { "checkConsentToStoreData": false, "failIfConsentNotGiven": true, "clientId": "...", "secret": "...", "discoveryEndpointUrl": "https://demosite.gossinteractive.com/apiserver/oauth/http/.well-known/openid-configuration" } }, { "providerName": "googleOID", "providerDisplayName": "google OpenID Connect", "type": "openid", "userPrefix": "GOID_", "params": { "checkConsentToStoreData": false, "failIfConsentNotGiven": true, "clientId": "123...456-idj...i0.apps.googleusercontent.com", "secret": "wmX.....-.....KiQ", "discoveryEndpointUrl": "https://accounts.google.com/.well-known/openid-configuration" } }, { "providerName": "azureOID", "providerDisplayName": "azure OpenID Connect", "type": "openid", "userPrefix": "AOID_", "params": { "checkConsentToStoreData": false, "failIfConsentNotGiven": true, "clientId": "7f0...-...-...-...7de", "secret": "Zjgq...IKME=", "discoveryEndpointUrl": "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration" } }

Last modified on October 30, 2024

This website uses cookies

Parameters

User Profile Data

Example

Was this page useful?