Creating and managing OpenID Connect (OIDC) identity providers
Learn how to create and manage external OpenID Connect (OIDC) identity providers.
IBM RPA on premises supports external identity providers that follow the OpenID Connect (OIDC) standard. Some steps may vary depending on the chosen identity provider.
Before you begin
- IBM RPA on premises environment.
- User with Platform administrator role. See the Checking user permissions topic to learn how to check your user permissions.
- Some identity providers do not accept public IP addresses in their API services. For some providers, your server might require a valid Fully Qualified Domain Name (FQDN).
Procedure
- Configure the external identity provider
- Create the identity provider on IBM RPA Control Center
- Result
- What to do next
Configure the identity provider
- Choose an OpenID Connect (OIDC) provider. Select a provider that aligns with your requirements and sign up for an account.
- Set up the provider by creating a new OIDC application or client. This process varies depending on the provider, but typically involves providing basic information about your server API, such as `https://192.158.1.38:7790`, where `192.158.1.38` is the server IP and `7790` is the port that is used by the IBM RPA API. Also, most OIDC providers require a redirect URL as part of the authentication flow, such as `https://<ip_or_host>:<api_port>/oidc-callback`. Make sure that the provided redirect URL matches the one configured in your application and is allowed by the OIDC provider.
- Once you have configured the OIDC application or client in your chosen provider, you receive the `Client ID` and `Client Secret` of your application as well as important information about the endpoints that are required for integration. The specific endpoints include the `Authorization Endpoint`, `Token Endpoint`, `User Info Endpoint`, and the OIDC provider configuration (Discovery) Endpoint.
Create the identity provider
- Log in to IBM RPA Control Center.
- On the left side menu, click Platform settings.
- Click the Identity Provider tab, then Create Identity Provider.
- In the Client ID field, enter your Client ID.
- In the Client Secret field, enter your Client secret.
- Do one of the following:
- If you know your identity provider's Discovery endpoint, select Discovery endpoint, enter your Discovery endpoint in the Discovery endpoint field, and click Next. The Discovery endpoint retrieves the necessary endpoints and automatically fills in the required Manual configuration fields. Continue with step 13.
- If you don't know your identity provider's Discovery endpoint, click Manual configuration.
- In the Authorization endpoint field, enter your Authorization endpoint, such as `https://oidc.com/auth`.
- In the Token endpoint field, enter your Token endpoint, such as `https://oidc.com/token`.
- In the Revoke endpoint field, enter your Revoke endpoint, such as `https://oidc.com/revoke`.
- In the UserInfo endpoint field, enter your UserInfo endpoint, such as `https://oidc.com/info`.
- Optional: in the Logout endpoint field, enter your Logout endpoint, such as `https://oidc.com/logout`.
- Click Next.
- In the User identifier claim field, enter your User identifier claim, such as `uniqueSecurityName`.
- In the User email claim field, enter your User email claim, such as `email`.
- In the User name claim field, enter your User name claim, such as `name`.
- Click Next.
- Review the summary of the data that you entered, and click Create.
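The Discovery endpoint option above works because an OIDC provider publishes its endpoints in a JSON document at `<issuer>/.well-known/openid-configuration`, and the Manual configuration fields are simply those document keys typed in by hand. The following script, added here as an illustration and not part of IBM RPA or this documentation, shows that mapping and the checks worth doing before you fill in the form: it builds the redirect URL from your host and API port, maps a discovery document onto the five endpoint fields (flagging a missing required endpoint or a non-HTTPS URL), and confirms that the claims you intend to enter in the claim fields are advertised by the provider. The discovery document, the `oidc.example.test` hostname and the claim names are constructed sample values; no network request is made.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what a provider serves at
# <issuer>/.well-known/openid-configuration. Hostname is a placeholder.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://oidc.example.test",
  "authorization_endpoint": "https://oidc.example.test/auth",
  "token_endpoint": "https://oidc.example.test/token",
  "revocation_endpoint": "https://oidc.example.test/revoke",
  "userinfo_endpoint": "https://oidc.example.test/info",
  "end_session_endpoint": "https://oidc.example.test/logout",
  "claims_supported": ["sub", "uniqueSecurityName", "email", "name"]
}"""

# Control Center form field -> (standard discovery key, required on the form).
# The Logout endpoint field is optional in the procedure, so its key may be absent.
FIELD_TO_DISCOVERY_KEY = {
    "Authorization endpoint": ("authorization_endpoint", True),
    "Token endpoint": ("token_endpoint", True),
    "Revoke endpoint": ("revocation_endpoint", True),
    "UserInfo endpoint": ("userinfo_endpoint", True),
    "Logout endpoint": ("end_session_endpoint", False),
}


def redirect_url(host, api_port):
    """Redirect URL to register with the provider: https://<ip_or_host>:<api_port>/oidc-callback."""
    return f"https://{host}:{api_port}/oidc-callback"


def discovery_url(issuer):
    """Well-known discovery URL for an issuer, tolerating a trailing slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def manual_configuration(discovery_json):
    """Map a discovery document onto the Manual configuration fields.

    Returns (fields, problems): fields holds the values to enter, problems lists
    required endpoints that are missing or endpoints that are not https URLs.
    """
    doc = json.loads(discovery_json)
    fields, problems = {}, []
    for field, (key, required) in FIELD_TO_DISCOVERY_KEY.items():
        value = doc.get(key)
        if value is None:
            if required:
                problems.append(f"{field}: discovery document has no '{key}'")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            # Tokens and user data travel over these URLs; refuse plain http.
            problems.append(f"{field}: '{value}' is not an https URL")
            continue
        fields[field] = value
    return fields, problems


def unsupported_claims(discovery_json, claim_fields):
    """Return the claim form fields whose chosen claim the provider does not advertise.

    claim_fields maps a form field name (e.g. "User email claim") to the claim name
    you plan to enter. If the provider publishes no claims_supported list the check
    is skipped and an empty list is returned.
    """
    supported = set(json.loads(discovery_json).get("claims_supported", []))
    if not supported:
        return []
    return [field for field, claim in claim_fields.items() if claim not in supported]


if __name__ == "__main__":
    print("Register this redirect URL:", redirect_url("192.158.1.38", 7790))
    print("Discovery URL:", discovery_url("https://oidc.example.test"))
    fields, problems = manual_configuration(SAMPLE_DISCOVERY_JSON)
    for field, value in fields.items():
        print(f"{field}: {value}")
    print("Problems:", problems or "none")
    claims = {
        "User identifier claim": "uniqueSecurityName",
        "User email claim": "email",
        "User name claim": "name",
    }
    print("Claims not advertised:", unsupported_claims(SAMPLE_DISCOVERY_JSON, claims) or "none")
```

If `problems` is non-empty, fix the provider configuration rather than typing the values in by hand; the form accepts whatever you enter, so a missing or non-HTTPS endpoint only surfaces later as a failed login.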
Result
As a result, a notification pop-up states that the identity provider was successfully created. You can also find the identity provider listed in the collection of identity providers in the Identity provider tab. To make further changes, click the vertical ellipsis button ⋮ of the identity provider, then Edit or Delete.
If the creation process fails, a notification pops up stating that the process failed. In this case, review the entered data and try creating the identity provider again.
What to do next
After you create the identity provider, create a new tenant and assign the custom identity provider to it. For more information, see the Managing Tenants topic.