Modify single sign-on for OpenID pages

You can customize the IBM® Security Verify single sign-on (SSO) for OpenID pages for your business. Verify uses OpenID Connect for SSO to allow applications to authenticate the identity of the users.

For more information, see Configuring OpenID Connect single sign-on in the custom application and OpenID Connect Dynamic Client Registration.

To update the SSO for OpenID pages, download the compressed theme file. Edit the pages as needed and then upload the updated themes file back to your tenant. For more information, see Updating a theme.

You can change the text on the pages by using HTML markup. The HTML files also contain macros. A macro is a name enclosed in @ symbols that is replaced with data at run time. Do not change the macros in the files.

The IBM Security Verify SSO for OpenID pages are located in the templates\authentication\oidc\ directory within the themes compressed file.
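A pre-upload check for the rule that macros must stay unchanged, as an added example that is not part of the IBM documentation: it compares the macros in every OpenID template of the downloaded theme archive with those in the edited archive. The macro pattern, the assumption that archive paths start at templates/, and the sample pages are constructed for illustration.

```python
import io
import re
import zipfile
from collections import Counter

# Macro syntax assumed from the tables on this page: upper-case names wrapped in @.
MACRO_RE = re.compile(r"@([A-Z][A-Z0-9_]*)@")
OIDC_DIR = "templates/authentication/oidc/"

def oidc_pages(theme_zip: bytes) -> dict:
    """Map each OIDC template path in a theme archive to its macro counts."""
    pages = {}
    with zipfile.ZipFile(io.BytesIO(theme_zip)) as zf:
        for name in zf.namelist():
            path = name.replace("\\", "/")  # archives built on Windows may use backslashes
            if path.startswith(OIDC_DIR) and path.endswith(".html"):
                text = zf.read(name).decode("utf-8", errors="replace")
                pages[path] = Counter(MACRO_RE.findall(text))
    return pages

def changed_macros(original_zip: bytes, edited_zip: bytes) -> dict:
    """Report macros removed from or introduced into each OIDC page by an edit."""
    before, after = oidc_pages(original_zip), oidc_pages(edited_zip)
    report = {}
    for path, macros in before.items():
        now = after.get(path, Counter())  # a deleted page loses all its macros
        missing, added = macros - now, now - macros
        if missing or added:
            report[path] = {"missing": sorted(missing), "added": sorted(added)}
    return report

def build_theme(files: dict) -> bytes:
    """Build an in-memory theme archive (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, html in files.items():
            zf.writestr(path, html)
    return buf.getvalue()

PAGE = OIDC_DIR + "device_flow/default/user_authorize_input.html"
ORIGINAL = build_theme({PAGE: '@PAGE_HEADER@<form action="@ACTION@">'
                              '<button>$OIDC_BUTTON_SUBMIT$</button></form>@PAGE_FOOTER@'})
# Constructed edit: new help text added, but the @ACTION@ macro was mistyped.
EDITED = build_theme({PAGE: '@PAGE_HEADER@<p>Enter the code shown on your device.</p>'
                            '<form action="@ACTOIN@"><button>$OIDC_BUTTON_SUBMIT$</button>'
                            '</form>@PAGE_FOOTER@'})

if __name__ == "__main__":
    print(changed_macros(ORIGINAL, EDITED))
```

An empty report means every OpenID page still carries the same macros as the downloaded theme; any entry under "missing" or "added" should be resolved before the theme is uploaded.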

The following SSO for OpenID pages are available for customization:

Modify consent page

The consent page that is displayed to the user during SSO for OpenID authentication to request user consent.

The consent page is located in the templates\authentication\oidc\consent\default\user_consent.html file.

The following labels are available on this page. To update the text on these labels, see Customizing labels.
  • $PRIVACY_CONSENT_TEXT_WELCOME$
  • $PRIVACY_CONSENT_TEXT_HEADER$
  • $PRIVACY_CONSENT_TEXT_LOGIN$
  • $PRIVACY_CONSENT_TEXT_LOGOUT$
  • $PRIVACY_CONSENT_TEXT_SUBHEADER$
  • $OIDC_TITLE_CONSENT$
  • $OIDC_BUTTON_PERMIT$
  • $OIDC_BUTTON_DENY$

The macros for this page are shown in the following table.

Table 1. Macro definitions
Macro Value that replaces the macro
@CHECKBOX_OPTION_REPEAT@ Whether the checkbox needs to be checked or disabled, and the action event.
@CHECKBOX_STYLE_REPEAT@ The style to be applied to the checkbox. This is used to show or hide the checkbox.
@CLAIM@ Requested claim.
@CLAIM_LOCALES@ Requested claim locales.
@CLIENT_ID@ The client ID.
@CLIENT_TYPE@ The client type.
@CONSENT_FORM_VERIFIER@ Consent form verifier.
@DISPLAY@ Requested display.
@FULLNAME@ Authenticated user full name.
@JSON_DATA@ Data of purpose-driven scopes.
@MAX_AGE@ Requested maximum age.
@OAUTH_AUTHORIZE_URI@ The form post target URL.
@OAUTH_CLIENT_COMPANY_NAME@ The client (application) name.
@OAUTH_CLIENT_NAME@ The client (application) name.
@OAUTH_OTHER_PARAM_REPEAT@ Other requested parameter name.
@OAUTH_OTHER_PARAM_VALUE_REPEAT@ Other requested parameter value.
@OAUTH_TOKEN_ENTITLEMENT_DESC_REPEAT@ Description of entitlement to be consented.
@OAUTH_TOKEN_ENTITLEMENT_REPEAT@ Entitlement to be consented.
@OAUTH_TOKEN_ENTITLEMENT_PNAME_REPEAT@ Parameter name of the API access entitlement to be consented.
@OAUTH_TOKEN_ENTITLEMENT_PSTATE_REPEAT@ Parameter name of the state of the API access entitlement to be consented.
@OAUTH_TOKEN_ENTITLEMENT_STATE_REPEAT@ Current state of the consented entitlement.
@OAUTH_TOKEN_SCOPE_PNAME_REPEAT@ Parameter name of the scope to be consented.
@OAUTH_TOKEN_SCOPE_PSTATE_REPEAT@ Parameter name of the state of the scope to be consented.
@OAUTH_TOKEN_SCOPE_REPEAT@ Scope to be consented.
@OAUTH_TOKEN_SCOPE_STATE_REPEAT@ Current state of the consented scope.
@OAUTH_TOKEN_SCOPE_DESC_REPEAT@ Description of scope to be consented.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@PREFERNAME@ Authenticated user preferred name.
@PRIVACY_SCOPE_ACCESSTYPE_REPEAT@ The privacy access type to be consented.
@PRIVACY_SCOPE_ATTR_REPEAT@ The attribute to be consented.
@PRIVACY_SCOPE_ATTRVALUE_REPEAT@ The attribute value to be consented.
@PRIVACY_SCOPE_DESC_REPEAT@ Description of the privacy scope to be consented.
@PRIVACY_SCOPE_DESC_ALT_REPEAT@ Custom description of the privacy scope to be consented.
@PRIVACY_SCOPE_PNAME_REPEAT@ Parameter name of the privacy scope to be consented.
@PRIVACY_SCOPE_PSTATE_REPEAT@ Parameter name of the state of the privacy purpose to be consented.
@PRIVACY_SCOPE_PURPOSE_REPEAT@ The privacy purpose to be consented.
@PRIVACY_SCOPE_REPEAT@ Privacy scope to be consented.
@PRIVACY_SCOPE_REQUIRED_REPEAT@ Whether this privacy scope needs to be consented.
@PRIVACY_SCOPE_RSLV_DESC_REPEAT@ Full description of privacy scope to be consented.
@PRIVACY_SCOPE_STATE_REPEAT@ Value of the state of the privacy scope to be consented.
@PRIVACY_SCOPE_TERMSOFUSE_REPEAT@ The terms of use URI of the EULA.
@REALMNAME@ Authenticated user realm name.
@REDIRECT_URI@ Requested redirect URI.
@RESPONSE_TYPE@ Requested response type.
@STATE@ Requested state.
@THEME_ID@ The ID of the registered template theme.
@UI_LOCALES@ Requested UI locales.
@USERNAME@ The user login ID.

Modify device flow pages

The following pages are displayed to the user when the device flow field is selected as a grant type in the SSO for OpenID provider configuration.

The device flow pages are located in the templates\authentication\oidc\device_flow\default directory.

The device flow pages are:

Modify user authorize denied page

The page that is displayed when SSO for OpenID authentication is denied. Update the user_authorize_denied.html file to modify the page.

The following labels are available on the adaptive access verification page. To update the text on these labels, see Customizing labels.
  • $OIDC_TITLE_USERAUTH_RESULT$
  • $OIDC_TEXT_USERAUTH_COMPLETE$
  • $OIDC_TEXT_USERAUTH_DENIED$
  • $OIDC_BUTTON_ENTER_ANOTHER$

The macros for this page are shown in the following table.

Table 2. Macro definitions
Macro Value that replaces the macro
@ACTION@ The form post target URL to return to the user authorize endpoint.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@THEME_ID@ The ID of the registered template theme.
@OAUTH_CLIENT_NAME@ The client (application) name.
@OAUTH_CODE@ The user code for this OIDC device flow.

Modify user authorize error page

The page that is displayed when an SSO for OpenID authentication error occurs. Update the user_authorize_error.html file to modify the page.

The following labels are available on the adaptive access verification page. To update the text on these labels, see Customizing labels.
  • $OIDC_TITLE_USERAUTH_RESULT$
  • $OIDC_TEXT_USERAUTH_ERROR$
  • $OIDC_BUTTON_ENTER_ANOTHER$

The macros for this page are shown in the following table.

Table 3. Macro definitions
Macro Value that replaces the macro
@ACTION@ The form post target URL to return to the user authorize endpoint.
@ERROR_CODE@ Error code.
@ERROR_DESCRIPTION@ Error description.
@OAUTH_CODE@ The user code for this OIDC device flow.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@THEME_ID@ The ID of the registered template theme.

Modify user authorize input page

The page that is displayed during SSO for OpenID authentication for user input. Update the user_authorize_input.html file to modify the page.

The following labels are available on the adaptive access verification page. To update the text on these labels, see Customizing labels.
  • $OIDC_TITLE_USERAUTH$
  • $OIDC_TEXT_USERAUTH_ENTER$
  • $OIDC_TEXT_USERAUTH_CODE$
  • $OIDC_BUTTON_SUBMIT$

The macros for this page are shown in the following table.

Table 4. Macro definitions
Macro Value that replaces the macro
@ACTION@ The action that is taken.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@THEME_ID@ The ID of the registered template theme.

Modify user authorize permitted page

This page is displayed when SSO for OpenID authentication is successful. Update the user_authorize_permitted.html file to modify the page.

The following labels are available on the adaptive access verification page. To update the text on these labels, see Customizing labels.
  • $OIDC_TITLE_USERAUTH_RESULT$
  • $OIDC_TEXT_USERAUTH_COMPLETE$
  • $OIDC_TEXT_USERAUTH_PERMITTED$
  • $OIDC_BUTTON_ENTER_ANOTHER$

The macros for this page are shown in the following table.

Table 5. Macro definitions
Macro Value that replaces the macro
@ACTION@ The form post target URL to return to the user authorize endpoint.
@OAUTH_CLIENT_NAME@ The client (application) name.
@OAUTH_CODE@ The user code for this OIDC device flow.
@OAUTH_TOKEN_ENTITLEMENT_DESC_REPEAT@ Description of the entitlements if available.
@OAUTH_TOKEN_ENTITLEMENT_REPEAT@ Entitlements that were consented.
@OAUTH_TOKEN_SCOPE_DESC_REPEAT@ Description of the scopes if available.
@OAUTH_TOKEN_SCOPE_REPEAT@ Scopes that were consented.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@THEME_ID@ The ID of the registered template theme.

Modify generic error page

The generic error page that is displayed to the user when an SSO for OpenID authentication error occurs.

The generic error page is located in the templates\authentication\oidc\error\default\oidc_generic_error.html file.

The following labels are available on this page. To update the text on these labels, see Customizing labels.
  • $GENERIC_ERROR_TITLE$
  • $GENERIC_ERROR_HEADER$

The macros for this page are shown in the following table.

Table 6. Macro definitions
Macro Value that replaces the macro
@ERROR_CODE@ The error code.
@ERROR_DESCRIPTION@ The error description.
@PAGE_FOOTER@ The HTML that contains the footer of the page. This code can be modified by customizing the footer.html common template.
@PAGE_HEADER@ The HTML that contains the header of the page. This code can be modified by customizing the header.html common template.
@RESTART_AUTH@ The URL to trigger a new authorization request and force re-authentication.
@RESUME_AUTH@ The URL to resume the authorization request.
@THEME_ID@ The ID of the registered template theme.

To change the page header, footer, and style on the SSO OpenID pages, see Create common branding.