Identity provider configuration parameters

If you want to manage users with an OIDC/OAuth identity provider, the operator can set up the necessary configuration elements. You specify the details of your identity provider in the custom resource YAML.

Table 1. Shared configuration parameters for identity providers: open_id_connect_providers

Each entry lists the parameter name, its description, example values, and whether it is required.

open_id_connect_providers.provider_name
  Description: Set a name for referring to the identity provider. This name is used in the redirect URL. The value you specify becomes the realm name for your environment.
  Note: If you plan to use this realm as part of an integration with an application that is hosted on a traditional WebSphere Application Server instance, you must provide a value for this parameter that matches the realm name for the application in that WebSphere Application Server instance. To determine the realm name for your existing application, in the WebSphere Application Server admin console, go to Security > Global Security, and under User account repository, check the value for Realm name.
  Example values: (string)
  Required: No

open_id_connect_providers.display_name
  Description: Set a display name for the login button in Navigator.
  Example values: Single Sign On
  Required: No

open_id_connect_providers.client_oidc_secret.es
  Description: Enter the secret name that you created for your External Share credentials.
  Example values: (string)
  Required: No

open_id_connect_providers.client_oidc_secret.nav
  Description: Enter the secret name that you created for your Navigator credentials.
  Example values: (string)
  Required: No

open_id_connect_providers.client_oidc_secret.cpe
  Description: Enter the secret name that you created for your Content Platform Engine credentials.
  Example values: (string)
  Required: No

open_id_connect_providers.client_oidc_secret.graphql
  Description: Enter the secret name that you created for your GraphQL credentials.
  Example values: (string)
  Required: No

open_id_connect_providers.issuer_identifier
  Example values: (string)
  Required: No

open_id_connect_providers.response_type
  Description: Specifies the response requested from the provider, either an authorization code or implicit flow tokens:
    • code: authorization code
    • id_token: ID token
    • id_token token: ID token and access token
    • token: access token
  Example values: code, id_token, id_token token, token
  Required: No

open_id_connect_providers.scope
  Description: OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider.
  Example values: openid email profile
  Required: No

open_id_connect_providers.map_identity_to_registry_user
  Description: Specifies whether to map the identity to a registry user. If this is set to false, the user registry is not used to create the user subject.
  Example values: true or false
  Required: No

open_id_connect_providers.authn_session_disabled
  Description: An authentication session cookie is not created for inbound propagation. The client is expected to send a valid OAuth token with every request.
  Example values: true or false
  Required: No

open_id_connect_providers.inbound_propagation
  Description: Controls the operation of the token inbound propagation of the OpenID relying party:
    • none: do not support inbound token propagation
    • required: require inbound token propagation
    • supported: support inbound token propagation
  Example values: none, required, supported
  Required: No

open_id_connect_providers.https_required
  Description: Require SSL communication between the OpenID relying party and the provider service.
  Example values: true or false
  Required: No

open_id_connect_providers.validation_method
  Description: The method of validation for the token inbound propagation:
    • introspect: validate inbound tokens by using token introspection
    • userinfo: validate inbound tokens by using the userinfo endpoint
  Example values: introspect, userinfo
  Required: No

open_id_connect_providers.disable_ltpa_cookie
  Description: Do not create an LTPA token during processing of the OAuth token. Create a cookie of the specific service provider instead.
  Example values: true or false
  Required: No

open_id_connect_providers.signature_algorithm
  Description: Specifies the signature algorithm that is used to verify the signature of the ID token:
    • HS256: use the HS256 signature algorithm to sign and verify tokens
    • RS256: use the RS256 signature algorithm to sign and verify tokens
    • none: tokens are not required to be signed
  Example values: HS256, RS256, none
  Required: No

open_id_connect_providers.user_identifier
  Description: Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used.
  Example values: (string)
  Required: No

open_id_connect_providers.unique_user_identifier
  Description: Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject.
  Example values: (string)
  Required: No

open_id_connect_providers.user_identity_to_create_subject
  Description: Specifies a user identity in the ID token that is used to create the user subject.
  Example values: (string)
  Required: No

open_id_connect_providers.discovery_endpoint_url
  Description: (For Google IdP) Specifies a discovery endpoint URL for an OpenID Connect provider.
  Example values: (string)
  Required: No

open_id_connect_providers.authorization_endpoint_url
  Description: Specifies an authorization endpoint URL.
  Example values: (string)
  Required: No

open_id_connect_providers.token_endpoint_url
  Description: Specifies a token endpoint URL.
  Example values: (string)
  Required: No

open_id_connect_providers.validation_endpoint_url
  Description: The endpoint URL for validating the token inbound propagation. The type of endpoint is determined by the validation_method setting.
  Example values: (string)
  Required: No

open_id_connect_providers.trust_alias_name
  Description: Key alias name used to locate the public key for signature validation with an asymmetric algorithm.
  Example values: (string)
  Required: No

open_id_connect_providers.disables_iss_checking
  Description: Require the issuer claim to be absent when validating the JSON response for inbound token propagation.
  Example values: true or false
  Required: No

open_id_connect_providers.jwk_client_oidc_secret.es
  Description: Specifies the client ID and password for External Share to include in the basic authentication scheme of the JWK request.
  Example values: (string)
  Required: No

open_id_connect_providers.jwk_client_oidc_secret.nav
  Description: Specifies the client ID and password for Navigator to include in the basic authentication scheme of the JWK request.
  Example values: (string)
  Required: No

open_id_connect_providers.jwk_client_oidc_secret.cpe
  Description: Specifies the client ID and password for Content Platform Engine to include in the basic authentication scheme of the JWK request.
  Example values: (string)
  Required: No

open_id_connect_providers.jwk_client_oidc_secret.graphql
  Description: Specifies the client ID and password for GraphQL to include in the basic authentication scheme of the JWK request.
  Example values: (string)
  Required: No

open_id_connect_providers.token_reuse
  Description: Specifies whether JSON web tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token.
  Example values: true or false
  Required: No

open_id_connect_providers.oidc_ud_param
  Description: Use this parameter to include additional user-defined parameters for your identity provider. You can use this section to define key-value pairs separated by the delimiter `:`.
  If you want to change the default delimiter, add `DELIM=<NEW_DELIMITER>` in front of your key-value pair, for example, `DELIM=;myKey;myValue`. In this example, the new delimiter is `;` and the key-value pair is set to `myKey;myValue` instead of `myKey:myValue`.
  For IBMVerify, add the following user-defined parameters:
    • introspectEndpointUrl: The URL of the introspect endpoint of the OAuth provider. It is mandatory when the OIDC flow is used.
    • revokeEndpointUrl: The URL of the revoke endpoint of the OAuth provider. It is mandatory when the OIDC flow is used.
  Example values: (string)
  Required: No
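As an added example (not code from this page or from the operator), the following Python checks one open_id_connect_providers entry against the value lists in the table, flags settings that weaken ID token validation (signature_algorithm none, https_required false, disables_iss_checking true, token_reuse true), and parses oidc_ud_param strings in both the default `:` form and the `DELIM=` form. The dict layout, the constructed sample entry, the `ibm_verify` flag and the rule that only the first delimiter separates a key from its value are assumptions.

```python
"""Lint one open_id_connect_providers entry and parse its oidc_ud_param strings. Added
example, not the operator's code; assumes a plain dict and first-delimiter splitting."""

ENUMS = {  # allowed values, as listed in the parameter reference
    "response_type": {"code", "id_token", "id_token token", "token"},
    "inbound_propagation": {"none", "required", "supported"},
    "validation_method": {"introspect", "userinfo"},
    "signature_algorithm": {"HS256", "RS256", "none"},
}
IBM_VERIFY_PARAMS = ("introspectEndpointUrl", "revokeEndpointUrl")

def parse_ud_param(entry: str) -> tuple[str, str]:
    """'key:value' uses the default ':'; 'DELIM=<d><d>key<d>value' overrides it,
    so 'DELIM=;myKey;myValue' yields ('myKey', 'myValue')."""
    delim = ":"
    if entry.startswith("DELIM="):
        if len(entry) < 8:
            raise ValueError(f"DELIM= prefix without a delimiter: {entry!r}")
        delim, entry = entry[6], entry[7:]  # char after 'DELIM=', then the rest
    key, sep, value = entry.partition(delim)  # first delimiter only: URLs keep ':'
    if not sep or not key:
        raise ValueError(f"malformed oidc_ud_param entry: {entry!r}")
    return key, value

def lint_provider(p: dict, ibm_verify: bool = False) -> list[str]:
    """Findings: values outside the documented lists, settings that weaken token
    validation, and (for IBMVerify) missing mandatory oidc_ud_param keys."""
    findings = []
    for key, allowed in ENUMS.items():
        if key in p and p[key] not in allowed:
            findings.append(f"{key}: {p[key]!r} is not one of {sorted(allowed)}")
    if p.get("signature_algorithm") == "none":
        findings.append("signature_algorithm none: ID token signature is not verified")
    if p.get("https_required") is False:
        findings.append("https_required false: RP to provider traffic may be plain HTTP")
    if p.get("disables_iss_checking") is True:
        findings.append("disables_iss_checking true: issuer claim is not validated")
    if p.get("token_reuse") is True:
        findings.append("token_reuse true: a JWT with an already seen jti/iss is accepted")
    params = dict(parse_ud_param(e) for e in p.get("oidc_ud_param", []))
    for name in IBM_VERIFY_PARAMS if ibm_verify else ():
        if name not in params:
            findings.append(f"oidc_ud_param: {name} is mandatory for IBMVerify")
    return findings

SAMPLE = {  # constructed sample entry, not a real deployment; deliberately weak
    "provider_name": "myrealm", "response_type": "code", "scope": "openid email profile",
    "signature_algorithm": "none", "https_required": False, "oidc_ud_param": [
        "introspectEndpointUrl:https://idp.example.test/introspect",
        "DELIM=;revokeEndpointUrl;https://idp.example.test/revoke"]}
```

Running `lint_provider(SAMPLE, ibm_verify=True)` reports the two weak settings; switching the sample to RS256 with https_required true yields no findings.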