Creating and managing OpenID Connect (OIDC) identity providers

Learn how to create and manage external OpenID Connect (OIDC) identity providers.

IBM RPA on premises supports external identity providers that follow the OpenID Connect (OIDC) standard. Some steps may vary depending on the chosen identity provider.

Before you begin

  • IBM RPA on premises environment.
  • User with Platform administrator role. See the Checking user permissions topic to learn how to check your user permissions.
  • Some identity providers do not accept public IP addresses in their API services. For some providers, your server might require a valid Fully Qualified Domain Name (FQDN).

Procedure

Important: Step 1 of the following procedure is generic. Refer to your identity provider's documentation for complete details on how to configure it.
  1. Configure the external identity provider
  2. Create the identity provider on IBM RPA Control Center
  3. Result
  4. What to do next

Configure the identity provider

  1. Choose an OpenID Connect (OIDC) provider. Select a provider that aligns with your requirements and sign up for an account.
  2. Set up the provider by creating a new OIDC application or client. This process varies depending on the provider, but typically involves providing basic information about your server API, such as https://192.158.1.38:7790, where 192.158.1.38 is the server IP and 7790 is the port used by the IBM RPA API. Most OIDC providers also require a redirect URL as part of the authentication flow, such as https://<ip_or_host>:<api_port>/oidc-callback. Make sure that the redirect URL you provide matches the one configured in your application and is allowed by the OIDC provider.
  3. Once you have configured the OIDC application or client in your chosen provider, you receive the Client ID and Client Secret of your application as well as important information about the endpoints that are required for integration. The specific endpoints include Authorization Endpoint, Token Endpoint, User Info Endpoint, and the OIDC provider configuration (Discovery) Endpoint.
Remember: Replace the example URLs with the URLs of your own server and identity provider.

Create the identity provider

  1. Log in to IBM RPA Control Center.
  2. On the left side menu, click Platform settings.
  3. Click the Identity Provider tab, then Create Identity Provider.
  4. In the Client ID field, enter your Client ID.
  5. In the Client Secret field, enter your Client secret.
  6. Do one of the following:
    1. If you know your identity provider's Discovery endpoint, select Discovery endpoint, enter it in the Discovery endpoint field, and click Next. The Discovery endpoint retrieves the necessary endpoints and automatically fills in the required Manual Configuration fields. Continue with step 13.
    2. If you don't know your identity provider Discovery endpoint, click Manual configuration.
  7. In the Authorization endpoint field, enter your Authorization endpoint, such as https://oidc.com/auth.
  8. In the Token endpoint field, enter your Token endpoint, such as https://oidc.com/token.
  9. In the Revoke endpoint field, enter your Revoke endpoint, such as https://oidc.com/revoke.
  10. In the UserInfo endpoint field, enter your UserInfo endpoint, such as https://oidc.com/info.
  11. Optional: in the Logout endpoint field, enter your Logout endpoint, such as https://oidc.com/logout.
  12. Click Next.
  13. In the User identifier claim field, enter your User identifier claim, such as uniqueSecurityName.
  14. In the User email claim field, enter your User email claim, such as email.
  15. In the User name claim field, enter your User name claim, such as name.
  16. Click Next.
  17. Review the summary of the data that you entered, and click Create.
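As an added example (not IBM's own code and not part of this documentation), the following Python script shows what the Discovery endpoint step does behind the scenes: it maps the entries of an OIDC discovery document onto the wizard's Manual Configuration fields, rejects endpoints that are not served over HTTPS, derives the redirect URL to register at the provider, and checks that the claims configured in steps 13 to 15 are actually present in a UserInfo response. The discovery document and UserInfo response are constructed samples, and the function and field names are the example's own.

```python
import json
from urllib.parse import urlparse

# Discovery-document keys -> Manual Configuration field names in the wizard.
FIELD_MAP = {
    "authorization_endpoint": "Authorization endpoint",
    "token_endpoint": "Token endpoint",
    "revocation_endpoint": "Revoke endpoint",
    "userinfo_endpoint": "UserInfo endpoint",
    "end_session_endpoint": "Logout endpoint",  # optional (step 11)
}
REQUIRED = {"Authorization endpoint", "Token endpoint", "Revoke endpoint", "UserInfo endpoint"}

def map_discovery(doc: dict) -> dict:
    """Return {wizard field: URL} for each endpoint in the discovery document.
    Raises ValueError if a required endpoint is missing or is not served over https."""
    fields = {}
    for key, field in FIELD_MAP.items():
        url = doc.get(key)
        if url is None:
            continue
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must use https, got {url!r}")
        fields[field] = url
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"discovery document lacks: {sorted(missing)}")
    return fields

def expected_redirect_uri(api_base: str) -> str:
    """Redirect URL to register at the provider for an API base such as https://host:7790."""
    return api_base.rstrip("/") + "/oidc-callback"

def missing_claims(userinfo: dict, id_claim="uniqueSecurityName",
                   email_claim="email", name_claim="name") -> list:
    """Claims configured in steps 13-15 that the UserInfo response does not carry."""
    return [c for c in (id_claim, email_claim, name_claim) if c not in userinfo]

# Constructed sample discovery document (a real one is usually served at
# <issuer>/.well-known/openid-configuration); not taken from any real provider.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://oidc.example.com",
  "authorization_endpoint": "https://oidc.example.com/auth",
  "token_endpoint": "https://oidc.example.com/token",
  "revocation_endpoint": "https://oidc.example.com/revoke",
  "userinfo_endpoint": "https://oidc.example.com/info",
  "end_session_endpoint": "https://oidc.example.com/logout"
}""")
# Constructed sample UserInfo response.
SAMPLE_USERINFO = {"sub": "u1", "uniqueSecurityName": "u1", "email": "u1@example.com", "name": "U One"}
```

A provider whose discovery document lacks a revocation or UserInfo endpoint cannot be completed through the Discovery path and must be entered manually.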

Result

As a result, a notification pops up stating that the identity provider was successfully created. You can also find the identity provider listed in the collection of identity providers in the Identity provider tab. To make further changes, click the vertical ellipsis button ⋮ of the identity provider, then Edit or Delete.

If the creation process fails, a notification pops up stating that the process failed. In this case, review the entered data and try creating the identity provider again.

What to do next

After you create the identity provider, create a new tenant and assign the custom identity provider to it. For more information, see the Managing Tenants topic.