Configuring an OIDC Enterprise identity provider

Edit online

You can use any identity provider that supports the OIDC protocol as an OIDC Enterprise identity provider. The identity provider authenticates the user identity against data in this identity provider before it grants access to IBM® Verify.

Procedure

Select Authentication > Identity providers.
Select OIDC Enterprise.
On the General page, provide the following information.
Name

Provide a recognizable name for your identity provider.

Realm and issuer
Provide the URL to the identity provider. Example,
```
https://accounts.OIDC-IDP.com
```
It is the realm that is used for cloud directory and if a well-known endpoint is not provided, it also serves as the issuer for the OIDC flow.
ID

The ID is created after you save the configuration.

Enabled

Select this checkbox to use this identity provider for signing in.
Select Next.
On the To identity provider page, copy the redirect url.
You provide this url to the identity provider when you register your application for single sign-on.
Select Next.
On the From identity provider page, provide the following information.
1. Optional: Provide a friendly name that is used in place of the identity provider ID that is displayed in the Verify login URL.
2. Provide the Client ID and Client secret that you received when you registered your application with the identity provider.
3. Optional: Add or Remove scopes to control how the application is used.
  
  Note: Select Enter for Windows™ or Return for Mac-OS after each added scope to your Administration console.
4. Provide information about the endpoints that you received when you registered your application.
  Well-known endpoint
  
  Use this attribute to configure your OIDC client with the discovery document. As an example, https://myco.com.
  
  If you do not use the well-know endpoint, you must supply the following information.
  - Authorization endpoint
  - Token endpoint
  - User information endpoint
5. Optional: If your identity provider supports it, you can enable PKCE support and provide the JWKS URI.
  Add a JWKS URI if one is not provided with the identity providers well-known configuration.
6. Select the authentication method.
  - Client secret basic
  - Client secret Post
  - Client secret JWT - You also need to select the signing algorithm for encryption.
  - Private key JWT - You also need to select the signing algorithm for encryption and select the signing certificate.
7. Optional: If they are available, you can forward the parameters for login hint, prompt, and max age to the identity provider during a single sign-on flow.
Select Next.
Optional: Select Just-in-time provisioning.
This option creates and updates the user account in the primary Identity provider realm that is associated with the SAML identity.
Optional: Specify an attribute that identifies users from the Identity provider user registry from the Unique user identifier menu.
If you select Enable identity linking for this identity provider, you must provide the UUID.
Optional: Select a transformation value to transform the Unique user identifier value or leave the default value as None.
Optional: Select Enable identity linking for this identity provider.
1. Select the unique identifier that you want to use for the accounts from the Unique User Identifier link.
  
  Note: The UUID can be anything in the OIDC claims object that uniquely identifies the user.
2. Set the UUID by typing the value in the External ID attribute field.
  The default value is sub.
3. Select a transformation value to transform the External ID attribute value or leave the default value as None.
Select Next.
Optional: On the Attribute-mapping page, map more attributes from the OIDC provider to Verify attributes.
1. Select Add attribute mapping.
2. Select an OIDC attribute from the menu.
  If the OIDC provider has other, nonstandard OIDC supported attributes, you can type the value in the Select an attribute field.
3. Select a Verify attribute from the menu.
4. Select how the attribute is used.
5. Repeat the process for each attribute that you want to map.
Optional: Select one of the following Group membership source to specify the source for the user access permissions groups.
- Cloud Directory - User access permissions are derived from the user groups in the Cloud Directory.
- Cloud Directory and Identity Source - User access permissions are derived from the user groups in the Cloud Directory and the Identity provider token, which includes groupIds claim.
- Identity Source - User access permissions are derived from the Identity provider token, which includes the groupIds claim.
  Note: If the Identity provider token does not contain the groupIds claim, then you do not get any group membership permissions.
- Custom rule. If you select Custom rule, enter a custom rule in the rule editor, then click OK to save. User access permissions are derived based on the custom rule.
Select Next.
Optional: If you enabled public preview CI-108233, select whether to enable user invitations.
Invitations are created and sent by using POST /v1.0/usc/user/invitation APIs. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile for the user to enter more data as part of accepting the invitation. See Managing user profiles.
Click Done.
Optional: Edit the OIDC identity provider.
1. Select Authentication > Identity providers.
2. Select the identity provider from the list of Sources.
3. Make your changes.
  You cannot change the ID or the Redirect URL.
4. Select Save changes.
Optional: Delete the OIDC identity provider.
1. Select Authentication > Identity providers.
2. Select the identity provider from the list of Sources.
3. Select the Delete icon.
4. Select Delete to confirm that you want to delete the identity provider.