Create an OIDC provider

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator. For more information, see Accessing IBM Security Verify.

About this task

Procedure

  1. Select Integrations > OIDC providers.
  2. Click Create OIDC provider.
    The purpose is preset to identity proofing. For information about identity proofing, see Managing identity proofing.
  3. Click Next.
  4. In the Name and Contact section in the OIDC providers page, enter the following values.
    1. Enter the OIDC provider name for your new OIDC provider.
    2. Optional: Enter the Contact name.
    3. Optional: Enter the Contact email.
  5. Click Next.
  6. In the Connection details section in the OIDC providers page, enter the following values.
    1. Enter the Client ID.
    2. Enter the Client secret.
    3. Enter the Issuer.
    4. Enter the Metadata URL.
    5. Optional: Provide a well-known URL.
    6. Enter the Authorization URL.
    7. Enter the Token URL.
    8. Optional: Enter the JWKS URI.
    9. Optional: Enter the Scopes.
      Note: The openid scope must be selected whenever other scopes are chosen.
    10. Select the code challenge method, either plain or S256.
    11. Optional: Provide a JWS algorithm.
    12. Authorization code is preset as the Grant type.
    13. Click the checkboxes of your preferred Response types.
    14. Select the Token endpoint authentication method.
    15. Select the Authorize HTTP method.
    16. Select the Response mode.
  7. Optional: Click the Use PKCE checkbox to disable PKCE.
  8. Click Create.
    The OIDC provider opens in edit mode.
  9. Make any changes to the OIDC provider fields.
  10. In the Outgoing transform section of the Resources section, compute the attribute value by using a custom rule.
    The following are examples of attributes that outgoing transforms support.
    Authorization
    
        request
            Map<String, Object>
        claims
            Map<String, List<String>>
        login_hint
            String
        custom_parameters
            Map<String, List<String>>
        custom_header_parameters
            Map<String, Object>
        subject
            String
    
    The currently supported parameters are returned as a JSON string from the custom rule:
    
        - context: output := {}
        ....   
        - return: jsonToString(context.output)
    Token
    
        client_assertion
            Map<String, Object>
        custom_parameters
            Map<String, List<String>>
        custom_header_parameters
            Map<String, Object>
        subject
            String
    
    The currently supported parameters are returned as a JSON string from the custom rule:
    
        - context: output := {}
        ....
        - return: jsonToString(context.output)
    
    
  11. In the Incoming transform section of the Resources page, compute the attribute value by using a custom rule.
    Authorization
    • Transforms the data that gets sent in response to the authorization request.
    Token
    • Transforms the response from the token request.
    • Pulls data from the ID token and inserts it into the user context.
    • Currently supported parameters:
    
        decision
            String
    
    The currently supported parameters are returned as a JSON string from the custom rule:
    
        - context: output := {}
        ....
        - return: jsonToString(context.output)
    
    
  12. Click Create.
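The following is an added example, not part of this IBM documentation and not code from IBM Security Verify. It shows what the Use PKCE checkbox (step 7) and the code challenge method setting (step 6, item 10) control on the wire: the client generates a code_verifier, derives the code_challenge with either the plain or the S256 method, sends the challenge in the authorization request, and the provider's token endpoint later checks the presented verifier against the stored challenge. The authorization URL, client ID, redirect URI and login hint are constructed placeholders, and the scope check enforces the note in step 6 that openid must accompany any other scopes.

```python
"""Worked PKCE example (RFC 7636) for the Use PKCE and code challenge method settings."""
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; they do not belong to any real provider.
AUTHORIZATION_URL = "https://idp.example.com/oauth2/authorize"  # assumed
CLIENT_ID = "example-client-id"                                  # assumed
REDIRECT_URI = "https://verify.example.com/oidc/callback"        # assumed

# RFC 7636 section 4.1: unreserved characters only, 43 to 128 characters long.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a high-entropy verifier; 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge for the configured code challenge method."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # 'plain' puts the verifier itself into the front-channel request, so
        # anyone who observes the authorization URL also learns the verifier.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint side: does the presented verifier match the stored challenge?"""
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(scopes, code_challenge, method, login_hint=None):
    """Assemble the authorization request that the OIDC provider receives."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required alongside any other scopes")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": b64url(secrets.token_bytes(16)),
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return AUTHORIZATION_URL + "?" + urlencode(params)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    print(build_authorization_url(["openid", "profile"], challenge, "S256"))
    print("verifier accepted:", verify_code_challenge(verifier, challenge, "S256"))
```

The S256 branch reproduces the RFC 7636 Appendix B test vector, so it can be checked against any other PKCE implementation. Leaving Use PKCE enabled with S256 means the verifier never travels in the browser-visible authorization request, which is the reason S256 is the method to prefer over plain when the provider supports it.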