Next-generation platform

OpenID Connect (OIDC) configuration

You can configure environments with your choice of an alternative authentication provider from a list of approved providers that are compliant with OpenID Connect (OIDC). You are encouraged to configure your authentication credentials for every environment. Applying the configuration redeploys the environment with your latest customization. The latest saved OIDC configuration is used when changes are applied.

Users with Organization Administrator and Developer Production and Non-Production roles can modify the OIDC configuration.

Before you begin

If you are a new user, ensure that you complete the following prerequisites.

  • Add a new firewall policy in Self Service to enable communication with the OIDC server.
  • Import the OIDC server certificate as an outbound certificate by using the steps explained in Adding outbound certificates.
    Note:
    • If you are already using IBMid and want to migrate to a new OIDC provider (Microsoft Active Directory Federation Services (ADFS) or Okta), contact IBM support.
    • If you are using AzureAD, setting up firewall policies is not required, because on the Next-generation platform it is handled with certificates.

Procedure

  1. Access Self Service with your IBMid.
  2. From the Self Service menu, click Environments.
  3. From the list of environments, select an environment.
  4. Go to the OIDC configuration tab.
  5. Use the toggle to enable or disable configuring an alternative provider.
  6. Based on your roles, view or modify the configuration.
  7. To modify, click the edit icon and select OIDC provider.
  8. Enter the values for the Client ID, Client secondary ID, Client secret, Provider discovery endpoint URL, and the Provider logout URL. You must retrieve the values for these fields from your OIDC provider. The fields you must set values for are displayed on the screen based on the OIDC provider you choose.
  9. Save the changes and click Apply changes.

    Applying the OIDC configuration redeploys the environment with your latest customization. View the status in the OIDC deployment processes table.
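
Because applying the configuration redeploys the environment, it helps to check the Provider discovery endpoint URL and Provider logout URL from step 8 against the provider's discovery document before you save them. The following Python sketch is an added example, not IBM code or part of Self Service. It assumes you have already downloaded the discovery document as JSON; the function names, the idp.example.com host, and the sample document are constructed for illustration, and the findings it returns are items to review, not a statement of what the platform itself validates.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Constructed sample discovery document; idp.example.com is a placeholder host.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/default/v1/logout",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

def is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def check_oidc_values(discovery_url, logout_url, doc):
    """Return findings to review; an empty list means the values are consistent."""
    findings = []
    if not is_https(discovery_url):
        findings.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        findings.append("discovery URL does not end with " + WELL_KNOWN)
    findings += ["discovery document lacks " + k for k in REQUIRED if k not in doc]
    # Discovery 1.0: issuer + well-known suffix must equal the URL that was fetched.
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        findings.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and not is_https(doc[key]):
            findings.append(key + " is not https")
    # If the provider advertises a logout endpoint, the entered URL should be it.
    advertised = doc.get("end_session_endpoint")
    if not is_https(logout_url):
        findings.append("logout URL is not https")
    elif advertised and logout_url.split("?")[0] != advertised:
        findings.append("logout URL differs from end_session_endpoint")
    return findings

if __name__ == "__main__":
    base = "https://idp.example.com/oauth2/default"
    print(check_oidc_values(base + WELL_KNOWN, base + "/v1/logout", SAMPLE_DOC))
```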