OpenID Connect Account Provider
The Identity Hub supports identity providers that use OpenID Connect. To allow users to sign in with your OpenID Connect-enabled identity provider:
- Set up and configure the app on the identity provider side (note down the client ID and client secret)
- Activate an OpenID Connect Account Provider (see Activate an Account Provider)
- Set the configuration parameters on the OpenID Connect Account Provider
The account provider uses PKCE (Proof Key for Code Exchange) by default.
Configure an OpenID Connect Account Provider
To configure an OpenID Connect Account Provider you have two options:
- Supply the well-known configuration (and JWKS) of the identity provider, either via its online URL or as a file.
- Configure the parameters manually.
Supply the configuration of the identity provider
- When creating the account provider: Set a Name.
- Set the client ID and client secret.
- In OpenID Connect Discovery URL, enter the URL where the well-known configuration of the identity provider is available, or select a file in OpenID Connect Discovery File.
- Optionally set the Service Provider Certificates.
- Click Save.
Identity Provider configuration
| Parameter | Description |
|---|---|
| OpenID Connect Discovery URL | The URL of the metadata of the OpenID Connect Identity Provider. If provided, this URL is queried for configuration during Account Provider activation and again each time the Account Provider is edited. |
| OpenID Connect Discovery File | The file with the well-known configuration of the Identity Provider. If provided, it is used to configure the Account Provider. |
| OpenID Connect Jwks File | The file with the JSON Web Key Set (JWKS) of the Identity Provider. |
Minimum configuration parameters for the OpenID Connect Identity Provider
The following parameters are required as a minimum, either via the online well-known configuration or via manual configuration:
- The issuer (issuer) of the Identity Provider
- The authorization endpoint (authorization_endpoint) of the Identity Provider
- The token endpoint (token_endpoint) of the Identity Provider
- The JWK set url (jwks_uri) of the Identity Provider
- The response types supported (response_types_supported) of the Identity Provider
- The subject types supported (subject_types_supported) by the Identity Provider
- The JWS signing algorithms supported for the ID token (id_token_signing_alg_values_supported)
For more information on these parameters, see the OpenID Connect specification.
Service Provider configuration
Claim Mappings
By default, no incoming claims are mapped except the sub claim, which identifies the account.
To map other information about the account, it is necessary to create pass-through mappings that map the incoming information to the claims/claim types used by The Identity Hub. Note that the incoming claim names correspond to the property names defined in the OpenID Connect protocol.
A minimal pass-through mapping could be:
To pass through every incoming group as a role, use:
| Source claim (optional) | Source claim value (optional) | Destination claim | Destination claim value (optional) |
|---|---|---|---|
| groups | | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | |
To only consider specific roles use:
See the Claim Mappings page for a more detailed explanation.
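The following added example (constructed for this page, not code from The Identity Hub) shows the two checks a practitioner would want from the sections above: verifying that a discovery document contains the minimum parameters listed under "Minimum configuration parameters", and applying pass-through claim mappings of the four-column form used in the claim mapping table, including the source-value filter used to consider only specific roles. The discovery document and incoming claims are constructed sample data.

```python
# Minimum parameters the page requires from the well-known configuration.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample discovery document (all values are placeholders).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed sample claims as received from the identity provider.
CLAIMS = {"sub": "u123", "groups": ["admins", "users"], "email": "a@example.com"}


def check_discovery(doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = ["missing " + p for p in REQUIRED if p not in doc]
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and set(algs) <= {"none"}:  # an IdP that only issues unsigned ID tokens
        problems.append("only unsigned ID tokens are supported")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if ep in doc and not doc[ep].startswith("https://"):
            problems.append(ep + " is not https")
    return problems


def apply_mappings(claims, mappings):
    """mappings: tuples (source claim, source value or None, destination claim,
    destination value or None), one per row of the claim mapping table."""
    out = {"sub": claims["sub"]}  # the sub claim is always mapped
    for src, src_val, dst, dst_val in mappings:
        values = claims.get(src)
        if values is None:
            continue
        for v in values if isinstance(values, list) else [values]:
            if src_val is not None and v != src_val:
                continue  # only consider the specific source value
            out.setdefault(dst, []).append(dst_val if dst_val is not None else v)
    return out
```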