General settings for an OpenID Connect identity provider
Access Management uses the following settings to define identity providers that use the OpenID Connect authentication protocol:
- Key
-
A unique identifier for the IdP. The key is case sensitive and not editable once you save the new identity provider.
Optionally, you can include the key together with the user name from the identity provider to form a name that is specific to this provider. This may be useful when supporting multiple providers where user names could be duplicated. For more information, refer to the description of Separator.
- Name
-
A name for the IdP. This name appears on the user sign-in screen to represent the IdP as an authentication option. The name must be unique within Access Management.
- Description
-
Text that describes the IdP and its use. This description is visible only in Access Management.
- Icon URL
-
The URL of an icon that represents the IdP.
This icon will appear along with the IdP's name on the user sign-in screen as well as in the Access Management user interface. If you do not provide an icon, Access Management will use a generic IdP icon.
- Provider type
-
The type of IdP, which in this case must be OpenID Connect.
- Redirect URL
-
The URL that the external IdP will use as the destination for all users following successful user authentication.
Access Management automatically generates the Redirect URL after you create and save a new IdP. In the external IdP, you must add this URL to the list of redirect URLs for the application you have registered for Access Management.
- Post-logout redirect URL
-
The URL that the external IdP will use as the destination for all users following user logout from the application.
Access Management automatically generates the Post-logout redirect URL after you create and save a new IdP. In the external IdP, you must add this URL to the logout redirect URLs for the application you have registered for Access Management.
- Client ID
-
A unique ID assigned to Access Management by the external IdP.
The client ID gets created and assigned when you register the Access Management application in the external IdP.
- Authority
-
The URL representing the authority and the directory location from which Access Management can request tokens.
- Client secret
-
A secret string that Access Management uses to authenticate itself when requesting a token.
If the Response Type is set to code, a client secret is required.
You can get or generate a client secret for Access Management when you register the application in the external IdP.
- End session endpoint
-
The URL of the external IdP's end-session (logout) endpoint.
This setting is optional. You need to set an end-session endpoint only if it is not exposed in the OpenID Connect configuration (located at .well-known/openid-configuration).
In addition, some identity providers may have an end-session endpoint that is not compliant with the OpenID Connect (OIDC) protocol. If this is the case for your IdP, you can add one of the following placeholders to the end of the URL:
- {signout-oidc} — This placeholder gets replaced with a bare URL to the signout-oidc endpoint. The following example illustrates use of this placeholder: https://your_domain/v2/logout?client_id=your_client_id&returnTo={signout-oidc}
- {signout-oidc-with-state} — This placeholder gets replaced with a URL to the signout-oidc endpoint that includes a state parameter. The following example illustrates use of this placeholder: https://your_domain/v2/logout?client_id=your_client_id&returnTo={signout-oidc-with-state}
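The following is an added example, not code from Access Management or its documentation, showing how a non-compliant end-session URL template with the two placeholders above can be rendered and checked. It assumes a signout-oidc endpoint address for the Access Management deployment (a constructed value, SIGNOUT_OIDC_BASE) and assumes the substituted URL must be percent-encoded because it is embedded in a query parameter such as returnTo; the page does not state whether Access Management performs that encoding itself.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholders documented for non-compliant end-session endpoints.
PLACEHOLDERS = {"{signout-oidc}", "{signout-oidc-with-state}"}

# Constructed sample value: the signout-oidc endpoint of an Access Management
# deployment. The real address depends on your installation.
SIGNOUT_OIDC_BASE = "https://am.example.test/signout-oidc"


def signout_oidc_url(base: str, state: Optional[str] = None) -> str:
    """Bare signout-oidc URL, or the same URL carrying a state parameter."""
    if state is None:
        return base
    return f"{base}?{urlencode({'state': state})}"


def render_end_session_url(template: str, base: str, state: str) -> str:
    """Replace the documented placeholders in an end-session URL template.

    Any other {...} token is rejected, so a typo in the template fails at
    configuration time rather than producing a broken logout redirect. The
    substituted URL is percent-encoded (assumption) because it sits inside a
    query parameter of the IdP's logout URL.
    """
    for token in re.findall(r"\{[^{}]*\}", template):
        if token not in PLACEHOLDERS:
            raise ValueError(f"unsupported placeholder in end-session URL: {token}")
    rendered = template.replace(
        "{signout-oidc-with-state}", quote(signout_oidc_url(base, state), safe="")
    )
    return rendered.replace("{signout-oidc}", quote(signout_oidc_url(base), safe=""))


def return_to_of(url: str) -> str:
    """Decode the returnTo parameter the IdP would receive (for checking)."""
    return parse_qs(urlsplit(url).query)["returnTo"][0]


if __name__ == "__main__":
    template = (
        "https://your_domain/v2/logout?client_id=your_client_id"
        "&returnTo={signout-oidc-with-state}"
    )
    # "c0ffee" is a constructed state value; the real one is per logout request.
    url = render_end_session_url(template, SIGNOUT_OIDC_BASE, state="c0ffee")
    print(url)
    print(return_to_of(url))
```

Rendering the template once with a known state and decoding returnTo back, as the last lines do, is a quick way to confirm that the IdP will really be handed the signout-oidc address you expect before the setting goes live.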
- Response type
-
Indicates the type of response that Access Management will request from the external IdP, which determines the type of flow the IdP will use for authentication. The following are the accepted values:
- code — The recommended response type. When set to code, you must also define a Client secret.
- id_token — An alternative response type that you can use if the IdP does not support code.
- Send ID token hint on logout
-
Indicates whether Access Management will send an id_token_hint to the external IdP when a user is logging out. The default value is No (false). Change to Yes if you want Access Management to send the hint.
- Separator
-
A character that Access Management includes as part of the user name.
User names in Access Management are in the following format:
KEY<SEPARATOR>USERNAME
Where:
- KEY is the unique identifier assigned to the external IdP (when it is created).
- <SEPARATOR> is the character defined in this property, which is typically a colon (:) or other special character.
- USERNAME is the name of the user as it comes directly from the external IdP.
Example:
azure:testuser
- Username Claim
-
The claim in the external IdP that Access Management will use as the User Subject when creating a user instead of the user name.
- Full name claim
-
The claim in the external IdP that Access Management will use as the Name when creating a user.
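The Separator entry above describes user names of the form KEY<SEPARATOR>USERNAME. The following added example (not Access Management code) shows why that format keeps users from different providers apart and what the key must satisfy for the name to be split back unambiguously; the provider keys and user names in it are constructed sample values.

```python
from typing import List, Set, Tuple


def qualified_user_name(key: str, separator: str, username: str) -> str:
    """Build KEY<SEPARATOR>USERNAME as the Separator setting describes."""
    if not key or not separator:
        raise ValueError("key and separator must be non-empty")
    if separator in key:
        # If the IdP key contained the separator, the qualified name could
        # not be split back into key and username reliably.
        raise ValueError("IdP key must not contain the separator")
    return f"{key}{separator}{username}"


def split_qualified_user_name(name: str, separator: str) -> Tuple[str, str]:
    """Recover (key, username) from a qualified name.

    Splits at the first separator only, so a username that itself contains
    the separator character survives the round trip intact.
    """
    key, sep, username = name.partition(separator)
    if not sep or not key:
        raise ValueError(f"{name!r} is not a qualified user name")
    return key, username


def distinct_users(separator: str, logins: List[Tuple[str, str]]) -> Set[str]:
    """Qualified names produced by a list of (idp_key, username) logins."""
    return {qualified_user_name(key, separator, user) for key, user in logins}


if __name__ == "__main__":
    # Constructed sample: the same bare username arriving from two providers.
    logins = [("azure", "testuser"), ("okta", "testuser")]
    for name in sorted(distinct_users(":", logins)):
        print(name, split_qualified_user_name(name, ":"))
```

With a separator configured, the two "testuser" logins become two distinct Access Management users (azure:testuser and okta:testuser) instead of colliding on one account.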