Configuring an OIDC user registry in Cloud Manager
Configure a shared OIDC user registry for user onboarding and authentication when multi-factor authentication (MFA) is required.
You can create an OIDC user registry that is specific to a provider organization, or that is shared and available to all the provider organizations in your API Connect environment. An organization-specific OIDC user registry is used for onboarding and authenticating Developer Portal users, while a shared OIDC user registry can be used for onboarding and authenticating Cloud Manager, API Manager, and Developer Portal users.
This topic describes how to create a shared registry. For information on how to create an organization-specific registry, see Creating an OIDC user registry in API Manager.
API Connect provides two methods for creating an OIDC user registry in Cloud Manager, as described in the following sections:
Using the UI to configure an OIDC user registry
Use the Cloud Manager application's user interface to configure a shared OIDC user registry when multi-factor authentication (MFA) is required.
- In the Cloud Manager navigation pane, click Resources.
- Click User Registries.
- Click Create and select
OIDC User Registry. Important: Do not share user registries between the API Manager and the Developer Portal, or between Developer Portal sites when self-service onboarding is enabled or account deletions in any of the sites are expected. You should create separate user registries for them, even if the separate registries point to the same backend authentication provider (for example, an LDAP server). This separation enables the Developer Portal to maintain unique email addresses across the catalog, without API Manager needing the same requirement. It also avoids problems with users deleting their accounts from the Developer Portal that then affects their API Manager access.
- On the Create OIDC User Registry page,
use the fields in each of the following sections to configure the registry settings, and then click
Create.
Many of the registry settings are preconfigured to simplify the configuration steps.
- Provider Type
- Use the settings in Table 1 to define the provider type.
Table 1. Provider Type settings Field Description Provider Type OIDC provider. Select one of the following supported OIDC providers: - GitHub
- Slack
- X (formerly known as Twitter)
- Windows Live
- Standard OIDC (default value allows you to specify another provider)
Title Provide a descriptive name for display purposes. Name Automatically generated. This name is used in CLI commands to reference the registry. For details of the CLI commands for managing user registries, see the toolkit CLI reference documentation. Summary Provide a brief description of the new registry. Email required Select this option if an email address is required as part of the user onboarding process. If selected, the source identity provider must supply the email address as part of the authentication process during onboarding. Note: An email address is not required by default for onboarding to the Cloud Manager or the API Manager, but it is required for onboarding to the Developer Portal.Unique email address Select this option if email addresses must be unique within the user registry. Note: Every account in the Developer Portal, including across different user registries for the same site, must have a unique email address, including the site Admin account. - Provider Endpoint
- Automatically generated for most supported providers. In the Authorization Endpoint field, type the URL of the provider's authorization endpoint.
- Token Endpoint
- Fill in the settings as described in Table 2.
Table 2. Token Endpoint settings Field Description URL Preconfigured for most of the supported OIDC providers. Type the URL of the provider's token endpoint. TLS Select the TLS Client Profile for the token endpoint (OIDC must be configured to use TLS). Default is Default TLS Client Profile. - UserInfo Endpoint
- Fill in the settings as described in Table 3.
Table 3. UserInfo Endpoint settings Field Description URL Preconfigured for most of the supported OIDC providers. Type the URL of the provider's userinfo endpoint. For LinkedIn, the endpoint changed and now uses the following value:
If you previously configure the OIDC registry using the legacy LinkedIn OIDC protocol, you do not need to specify this endpoint.https://api.linkedin.com/v2/me
TLS Select the TLS Client Profile for the userinfo endpoint (OIDC must be configured to use TLS). Default is Default TLS Client Profile. - Email Endpoint
- Required for the legacy LinkedIn OIDC protocol.
Due to changes in LinkedIn, the configuration settings for the OIDC registry in API Connect also changed. If you are configuring a new OIDC registry for LinkedIn, you can leave the Email Endpoint field blank.
If you previously configured an OIDC registry for use with the legacy LinkedIn OIDC protocol, update your configuration by providing the Email endpoint settings as described in Table 4. The new setting is required for the legacy LinkedIn OIDC protocol.
Table 4. Email Endpoint settings Field Description URL For the legacy LinkedIn OIDC protocol, this field defaults to the following value:
You can override the setting by typing in a new value.https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
TLS Select the TLS Client Profile for the userinfo endpoint (OIDC must be configured to use TLS). Default is Default TLS Client Profile. - JWKS Endpoint
- Fill in the settings as described in Table 5.
Table 5. JWKS Endpoint settings Field Description URL Type the URL of the read-only endpoint that contains the public keys' information in JWKS format. TLS Select the TLS Client Profile for the userinfo endpoint (OIDC must be configured to use TLS). Default is Default TLS Client Profile. - Logout
- You can configure either of the following types of logout support, but not both:
- Logout redirect:
Allows you to specify what the user sees after logging out of API Connect; for example, you might want to "redirect" the user to the OIDC provider's logout endpoint, or to another address. When the user logs out of API Connect, the browser is redirected to the specified URL for further processing by the specified URL.
- RP-initiated logout:
Provides a more secure form according to the OpenID Connect RP-Initiated Logout 1.0 Profile. When the user logs out of API Connect, API Connect issues a POST request to the specified endpoint URL to clear the user's session. With this option, you can optionally provide an RP logout redirect endpoint URL as well.
Fill in the settings as described in Table 6.
Table 6. Logout options Field Description Logout redirect URL Optional. Provide a URL to redirect the browser when the user logs out of API Connect. If you use this option, do not enable the OIDC RP logout.
Enable OIDC RP logout Select this option to use the RP-initiated logout instead of the conventional logout redirect. If you use this option, do not provide a Logout redirect URL. With the RP-initiated logout, you can optionally specify an RP-logout redirect URL.
URL endpoint that the RP will issue a POST request Provide the URL to the endpoint where the POST request will be executed; for example, the authorization endpoint of the OpenID provider. TLS Select the TLS profile to use when sending the POST request to the OpenID provider endpoint. RP logout redirect endpoint URL Optional. Provide a URL where the OIDC provider can redirect after the logout operation. The URL functions as the post_logout_redirect_uri
, as described in the OpenID Connect RP-Initiated Logout 1.0 Profile.Include refresh_token in logout Optional. Allow the refresh_token to be included, in addition to the id_token_hint, per the OpenID Connect RP-Initiated Logout 1.0 Profile. - Logout redirect:
- Client Information
- Fill in the settings as described in Table 7.
Table 7. Client Information settings Field Description Client ID Provide the client ID of the application that is registered with the selected OIDC provider. Client Secret Provide the client secret of the application that is registered with the selected OIDC provider. This field is optional when you create an OIDC directory of type Standard and set the Client Authentication Method to Data encoded form body. If you are not using the Client Secret, ensure that mutual TLS is configured with the OIDC provider. To enable mutual TLS, create a TLS profile and include it in the OIDC user registry setup.
Response Type Preconfigured for most of the supported OIDC providers. Specify the data type of the response that will be received from the OIDC provider. Scopes Preconfigured for most of the supported OIDC providers. Specify the access scope for the OIDC provider. Client Authentication Method Preconfigured for most of the supported OIDC providers. Select the authentication method to be used with the OIDC provider. Options are: - HTTP Basic authentication schema
- Data encoded form body
- Additional Support
- Optional. Select the additional security parameters described in Table 8.
Table 8. Additional security options Security parameter Setting name for CLI Description NONCE nonce
Enable the NONCE extension to prevent compromised requests from being used again (replayed). Proof Key for Code Exchange (PKCE) pkce
Enable the PKCE extension to allow public clients to mitigate the threat of having the authorization code intercepted. - Advanced Features
- Optional. Select the advanced features described in Table 9.
Table 9. Advanced features Feature / UI Label Setting name for CLI Description Auto onboard auto_onboard
Allow users to executes calls to APIs without logging in first, provided they present a valid token issued by the OIDC provider. Note: Does not apply to consumer organizations.Always use the userinfo endpoint userinfo
Configures the OIDC user registry to always fetch user data from the userinfo endpoint, if populated. Use Portal as Endpoint for external OIDC provider traffic proxy_redirect
When authenticating users, redirect the external OIDC provider to communicate with the Developer Portal instead of API Manager. Return third-party access token proxy_access_token
Include the third-party OIDC access token in the response. Note: Enable this setting for debugging purposes only.This setting is not recommended for use in a production environment. When this setting is enabled, the token size will increase when a request is made to API Connect using the token. The larger token size might exceed the HTTP protocol limit, resulting in an ERR_HTTP2_PROTOCOL_ERROR or ERR_CONNECTION_CLOSED error.
You can avoid the size issue by additionally enabling Return third-party access_token and id_token as separate claims so that the third-party tokens are not added to the access_token that is issued API Connect.
Return third-party id_token proxy_id_token
Include the third-party OIDC id_token in the response. Note: Enable this setting for debugging purposes only.This setting is not recommended for use in a production environment. When this setting is enabled, the token size will increase when a request is made to API Connect using the token. The larger token size might exceed the HTTP protocol limit, resulting in an ERR_HTTP2_PROTOCOL_ERROR or ERR_CONNECTION_CLOSED error.
You can avoid the size issue by additionally enabling Return third-party access_token and id_token as separate claims so that the third-party tokens are not added to the access_token that is issued API Connect.
Return third-party access_token and id_token as separate claims proxied_token_as_separate_claim
Include the third-party OIDC tokens (the proxy_access_token
andproxy_id_token
) in the response as separate claims instead of adding them to the access_token issued by API Connect. To use this feature, you must enable at least one of the Return third-party access token and Return third-party id_token options.Separating the third-party tokens prevents them from affecting the size of the access_token issued by API Connect.
Token Relay token_relay
Allow access_token/refresh_token
to send in 302 redirect for logoutUserinfo POST post_userinfo
If supported by your OIDC provider, by using HTTP POST method when contacting userinfo endpoint. Note: Not all OIDC providers support POST. Ensure that your OIDC provider supports this before you enable the feature.Use IBM APIC token expiration setting from cloud override_provider_ttl
Override the OIDC provider's token expiration setting with the access token and refresh token expiration settings that are configured in API Connect. For information on configuring the access token and refresh token expiration settings in API Connect, see Configuring timeouts for access tokens and refresh tokens. Disable hash verification (CLI only) disable_hash_verification
Disable at_hash
,c_hash
- User Mapping
- Fill in the settings as described in Table 10.Note: The User Mapping fields are preconfigured for most of the supported OIDC providers to minimize potential errors; use care when changing the settings. For the Standard OIDC option, contact your OIDC provider to obtain the details of the fields.
Table 10. User mapping settings Field Description Username The name of the field in the response token that contains the user's user name. Note: The Username field must be unique for this OIDC registry, because it identifies the user in the system and cannot be changed.Email The name of the field in the response token that contains the user's email address. First name The name of the field in the response token that contains the user's given name. Last name The name of the field in the response token that contains the user's surname.
- Redirect URI
- The Redirect URI section lists the endpoints to which the OIDC authorization server will redirect the authorization code. There is one endpoint for each API Connect organization type: Cloud administration, Provider organization, and Consumer organization. The redirect endpoint is required when a user registers their application with the OIDC provider. For example, if this OIDC user registry is used by a provider organization, the user must register the provider organization's redirect endpoint with the OIDC provider. These read-only fields are provided for you to copy the endpoint values as required.
Enabling the OIDC user registry
Complete the following steps to enable the new user registry for Cloud Manager, API Designer, or both.
- On the navigation pane, click Settings.
- Click .
- Click Edit in the section that corresponds to the application for which you are enabling the new user registry.
- Select the new OIDC user registry.
- When you have finished enabling the registry, click Save.
Using the CLI to configure an OIDC user registry
Use the developer toolkit CLI to configure a shared OIDC user registry when multi-factor authentication (MFA) is required.
- An OIDC registry cannot be used to secure APIs on the gateway.
- If you are using an OIDC user registry for login, The Management server handles the interaction with the third-party OIDC provider. The management server is considered the application from the perspective of the third-party OIDC provider. Therefore, your OIDC redirect endpoint on the management server, which the third-party authorization server uses to send the token, must be accessible to the OIDC provider. To ensure login functions, you must allow access if your API Connect environment is secured behind a firewall. This is true for user login on both API Manager and Cloud Manager.
- If OIDC user registry is used for consumer login at the Developer Portal and Developer Portal is
in the DMZ, you can use the
proxy_redirect
property. This allows the Developer Portal to act as the endpoint for proxying communication between the OIDC provider and API Connect. - When you register your application with the third-party OIDC provider, you are required to supply the associated OIDC redirect URI, https://consumer.mycompany.com/consumer-api/oauth2/redirect for example. However, you cannot access this information until you create your OIDC user registry in API Connect. First, register your application without this information and then update it later, as detailed in the instructions on this page.
Logging in to the Management server
apic login --server mgmt_endpoint_url --username user_id --password password --realm admin/identity_provider
--realm
parameter by entering the following command to see a list of all available
identity providers (you do not need to be logged in to use this
command):apic identity-providers:list --scope admin --server mgmt_endpoint_url --fields title,realm
For example:apic identity-providers:list --scope admin --server myserver.com --fields title,realm
total_results: 2
results:
- title: Cloud Manager User Registry
realm: admin/default-idp-1
- title: Corporate LDAP user registry
realm: admin/corporate-ldap
The title
value should enable you to determine which
identity provider to use; you can then copy the corresponding --realm
parameter
directly from the displayed realm
value. For any identity providers that were
created by your administrator after API Connect was installed,
the names will have been determined at creation time. The default Cloud Manager Local User Registry
for login as a member of the cloud administration organization is
default-idp-1
.For full details of the apic login
command, see Logging in to a management
server.
Defining your OIDC registry configuration
title: registry_title
integration_url: oidc_integration_url
case_sensitive: case_sensitivity_setting
email_required: true_or_false
email_unique_if_exist: true_or_false
configuration:
client_id: 'app_client_id'
client_secret: 'my-client-secret'
provider_type: oidc_provider_type
where:- registry_title is your chosen descriptive title for the user registry.
- oidc_integration_url is the OIDC integration URL in your API Connect configuration.
You can determine the OIDC integration URL by using the following CLI
command:
apic integrations:list --server mgmt_endpoint_url --subcollection user-registry
- case_sensitivity_setting determines whether your user registry is
case-sensitive. Valid values are:
true
false
- Only set
case_sensitive
totrue
if the backend OIDC provider supports case-sensitivity. - Set
case_sensitive
tofalse
if the backend OIDC provider does not support case-sensitivity.
Note: After at least one user has been added to the registry, you cannot change this setting. - email_required determines whether an email address is required as part of the
user onboarding process. Valid values are:
true
false
true
, the source identity provider must supply the email address as part of the authentication process during onboarding.Note: An email address is not required by default for onboarding to the Cloud Manager or the API Manager, but it is required for onboarding to the Developer Portal. - email_unique_if_exist determines whether email addresses must be unique
within the user registry. Valid values are:
true
false
Note: Every account in the Developer Portal, including across different user registries for the same site, must have a unique email address, including the site Admin account. - app_client_id is the client ID of the application that is registered with the OIDC server, and must be in string format.
- my-client-secret is the client secret of the application that is registered with the OIDC server, and must be in string format.
- oidc_provider_type is the type of OIDC provider; specify one of the following
values:
facebook
github
google
linkedin
slack
twitter
windows_live
standard
Note:- Use the
twitter
provider type if your OIDC provider is X (formerly known as Twitter). - Use the
standard
provider type for any OIDC provider that is compliant with the OIDC standard.If the provider type isstandard
, you must include the following additional properties in theconfiguration
section of your YAML file:
where:authorization_endpoint: 'oidc_auth_endpoint' token_endpoint: endpoint: 'oidc_token_endpoint'
- oidc_auth_endpoint is the authorization endpoint on the OIDC server, and must be in string format.
- oidc_token_endpoint is the token endpoint on the OIDC server, and must be in string format.
- Use the
Default OIDC configurations
For each OIDC provider type, API Connect assumes a default configuration, but you can override the default configuration properties in your YAML file.
API Connect makes the best effort to update endpoints for the known OIDC user registry types. However the OIDC provider can change the endpoint at any time. It is the customer's responsibility to confirm that the endpoints provided by API Connect are supported by the OIDC provider and to update the OIDC configuration as needed.
The default configurations are as follows:
Creating your OIDC user registry
apic user-registries:create --server mgmt_endpoint_url --org admin oidc_config_file
where:- mgmt_endpoint_url is the platform API endpoint URL.
- organization_name is the value of the
name
property of your provider organization. - oidc_config_file is the name of the YAML file that defines the configuration of your OIDC user registry.
registry_name registry_url
By
default, the registry_name is derived from the title
property in
the configuration YAML file but you can override this by including a name
property
in the file. The registry_url is an internal URL that API Connect assigns to the
registry.apic user-registries:get --server mgmt_endpoint_url --org organization_name registry_name --output -
The
required oidc_redirect_uri
value is in the consumer:
section; for
example:consumer:
oidc_redirect_uri: https://consumer.mycompany.com/consumer-api/oauth2/redirect
Enabling your OIDC registry in a Catalog
For details of all the apic user-registries
and apic
configured-catalog-user-registries
commands, see the toolkit CLI reference documentation.
You can also complete the operations described in this topic by using the API Connect REST APIs; see the API Connect REST API documentation.