Identity provider configuration parameters
If you want to manage users with an OIDC/OAuth identity provider, the operator can set up the necessary configuration elements. You specify the details of your identity provider in the custom resource YAML.
| Parameter name | Description | Example values | Required |
|---|---|---|---|
| authn_session_disabled | An authentication session cookie will not be created for inbound propagation. The client is expected to send a valid OAuth token for every request. | (true or false) | No |
| authorization_endpoint_url | Specifies an Authorization endpoint URL. | (string) | No |
| client_oidc_secret.cpe | Enter the secret name that you created for your Content Platform Engine credentials. | (string) | No |
| client_oidc_secret.nav | Enter the secret name that you created for your Navigator credentials. | (string) | No |
| disable_ltpa_cookie | Do not create an LTPA Token during processing of the OAuth token. Create a cookie of the specific Service Provider instead. | (true or false) | No |
| disables_iss_checking | Require the issuer claim to be absent when validating the json response for inbound token propagation. | (true or false) | No |
| discovery_endpoint_url | (For Google IdP) Specifies a discovery endpoint URL for an OpenID Connect provider. | (string) | No |
| display_name | Set a display name for the log in button in Navigator. | Single Sign On | No |
| https_required | Require SSL communication between the OpenID relying party and provider service. | (true or false) | No |
| inbound_propagation | Controls the operation of the token inbound propagation of the OpenID relying party.
|
|
No |
| issuer_identifier | (string) | No | |
| jwk_client_oidc_secret.cpe | Specifies the client id and password for Content Platform Engine to include in the basic authentication scheme of the JWK request. | (string) | No |
| jwk_client_oidc_secret.nav | Specifies the client id and password for Navigator to include in the basic authentication scheme of the JWK request. | (string) | No |
| map_identity_to_registry_user | Specifies whether to map the identity to a registry user. If this is set to false, then the user registry is not used to create the user subject. | true or false | No |
| oidc_ud_param | Use this parameter to include additional user defined parameters for your identity provider.
You can use this section to define key value pairs separated by the delimeter `:`. If you want to change the default delimeter, add `DELIM=<NEW_DELIMETER>` in front of your key value pair, for example, ‘DELIM=;myKey;myValue'. In this example, the new delimeter is `;` and the key value pair is set to `myKey;myValue` instead of `myKey:myValue`. For IBMVerify, add the following user
defined parameters:
|
(string) | No |
| provider_name | Set a name for referring to the identity provider. This name is used in the redirect
URL. The value you specify becomes the realm name for your environment. Note: If you plan to
use this realm as part of an integration with an application that is hosted on a traditional
WebSphere Application Server instance, you must provide a value for this parameter that matches the
realm name for the application in that WebSphere Application Server instance.
To determine the realm name for your existing application, in the WebSphere Application Server admin console, go to , and under User account repository, check the value for Realm name. |
(string) | No |
| response_type | Specifies the response requested from the provider, either an authorization code or implicit
flow tokens.
|
|
No |
| scope | OpenID Connect scope (as detailed in the OpenID Connect specification) that is allowed for the provider. | openid email profile | No |
| signature_algorithm | Specifies the signature algorithm that will be used to verify the signature of the ID token.
|
|
No |
| token_endpoint_url | Specifies a token endpoint URL. | (string) | No |
| token_reuse | Specifies whether JSON web tokens can be reused. Tokens must contain a jti claim for this attribute to be effective. The jti claim is a token identifier that is used along with the iss claim to uniquely identify a token and associate it with a specific issuer. A request is rejected when this attribute is set to false and the request contains a JWT with a jti and iss value combination that has already been used within the lifetime of the token. | (true or false) | No |
| trust_alias_name | Key alias name to locate public key for signature validation with asymmetric algorithm. | (string) | No |
| unique_user_identifier | Specifies a JSON attribute in the ID token that is used as the unique user name as it applies to the WSCredential in the subject. | (string) | No |
| user_identifier | Specifies a JSON attribute in the ID token that is used as the user principal name in the subject. If no value is specified, the JSON attribute "sub" is used. | (string) | No |
| user_identity_to_create_subject | Specifies a user identity in the ID token used to create the user subject. | (string) | No |
| validation_endpoint_url | The endpoint URL for validating the token inbound propagation. The type of endpoint is decided by the validationMethod. | (string) | No |
| validation_method | The method of validation on the token inbound propagation.
|
|
No |