Managing OpenID Connect configuration

You can use OpenID Connect to access the Administration Console and the IVIG Service Center. The OpenID Connect provider must be able to authenticate the user and provide claims to a relying party about the authentication event and the user.

Before you begin

IBM® Verify Identity Governance supports OpenID Connect providers that meet the following requirements:
  • The provider is fully OIDC-compliant.
  • The user registry is managed by IBM Verify Identity Governance.
  • The relying party, IBM Verify Identity Governance, is reachable from the provider.
Ensure that you configured an OpenID Connect provider such as Active Directory Federation Services (ADFS) or IBM Security Verify. You need the following information to perform OpenID operations.
Table 1. General configuration
Parameter Description
Provider name
  The service that provides your OpenID connection.
Configuration
  Select one of these two options:
  • Manual configuration: you are asked to enter all the required data.
  • Discovery configuration: the endpoints, scope, and signature algorithm are located automatically and you must enter only part of the required data.
Discovery URL
  The URL from which the OpenID discovery configuration can be read. It is required if you selected Discovery configuration.
Authorization URL
  The initial endpoint that the relying party contacts to begin a flow.
  This parameter is entered automatically if you selected Discovery configuration.
Token URL
  The endpoint that is used to exchange an authorization code for a token.
  This parameter is entered automatically if you selected Discovery configuration.
JWK URL
  The JSON Web Key endpoint that is used for signature verification. It is optional.
  This parameter is entered automatically if you selected Discovery configuration.
Certificate Alias
  The label of the certificate that was uploaded to the trust store. Select an appropriate label.
Scope
  The scopes that are associated with access tokens determine which resources are available when those tokens are used to access OpenID Connect protected endpoints. A non-normative example of the scope parameter is scope=openid profile email phone.
  This parameter is entered automatically if you selected Discovery configuration.
Issuer identifier
  The verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTP scheme. It contains scheme, host, and optionally, port number and path components. It cannot contain query or fragment components.
  This parameter is entered automatically if you selected Discovery configuration.
RedirectToRPHostandPort
  Specifies the redirect OpenID relying party host and port number. If there is a proxy in front of the relying party, you can override the host name and port with this URL. The format is:
  https://reverseproxyhost:reverseproxyport/
  This parameter must be entered manually and is required only if the relying party is behind a reverse proxy and the reverse proxy is not capable of filtering the redirect URL.
Signature algorithm
  The algorithm that is used to sign the ID token that is issued by a provider. The default value is HS256. With HS256 the ID token is signed with the client secret that both sides share; with an asymmetric algorithm such as RS256, the provider's public keys from the JWK URL are used to verify the signature.
User Identifier
  The claim name in the provider's ID token that represents the user's unique identifier.
User Realm / Domain
  Specifies the realm name or domain name of the identity provider where the user is created.
Client ID
  A publicly exposed string that the service API uses to identify the application. It is also used to build authorization requests.
Client secret
  A secret that authenticates the identity of the application to the service API when the application requests access to a user account. It must be kept private between the application and the API.
Interfaces
  The interfaces that use OpenID Connect as the authentication mechanism. If you do not select an option, the default is the local registry authentication mechanism.
Logoff URL
  The OpenID Connect provider logout URL. For example, the ADFS logout URL is
  https://<hostname>/adfs/oauth2/logout
  If you provide a logout URL, IBM Verify Identity Governance clears all OpenID Connect provider tokens when you log out from the selected interface. If you do not provide an OpenID Connect provider logout URL, logout clears only the IBM Verify Identity Governance application tokens.
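As an added illustration (not part of this product documentation) of how Discovery configuration fills in Table 1, the following Python maps a constructed discovery document onto the table's fields and applies the issuer-identifier and signature-algorithm checks described above; the host name idp.example.com and the document contents are placeholders, not a real provider.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document, i.e. what a GET of the Discovery URL
# returns. Host and paths are placeholders, not a real provider.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com/adfs",
    "authorization_endpoint": "https://idp.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://idp.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://idp.example.com/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "phone"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def issuer_is_valid(issuer: str) -> bool:
    """Apply the Table 1 issuer rules: a URL with scheme and host, optional
    port and path, and no query or fragment component."""
    parts = urlsplit(issuer)
    return bool(parts.scheme and parts.netloc) and not parts.query and not parts.fragment


def table1_from_discovery(doc_json: str, signature_algorithm: str = "HS256") -> dict:
    """Map a discovery document onto the Table 1 fields that Discovery
    configuration fills in automatically, and flag two things to check
    before saving: an issuer that breaks the format rules, and a chosen
    signature algorithm that the provider does not advertise for ID tokens."""
    doc = json.loads(doc_json)
    issuer = doc["issuer"]
    if not issuer_is_valid(issuer):
        raise ValueError(f"issuer {issuer!r} must not contain query or fragment")
    supported_algs = doc.get("id_token_signing_alg_values_supported", [])
    return {
        "Authorization URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        "JWK URL": doc.get("jwks_uri"),  # optional in Table 1
        "Scope": " ".join(doc.get("scopes_supported", ["openid"])),
        "Issuer identifier": issuer,  # compare case-sensitively to the configured value
        "Signature algorithm": signature_algorithm,
        # HS256 is the Table 1 default; False here means the provider only
        # advertises other algorithms, so the selection should be revisited.
        "Algorithm advertised by provider": signature_algorithm in supported_algs,
    }
```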

Apart from the General Configuration parameters, if you want to update other properties and values, use the Advanced tab.

Note: If a property name contains <id>, replace it with the value 1.
Attention:
  • The OpenID provider certificate must be added to the virtual appliance truststore. You can do this task from the virtual appliance certificate page by adding the certificate to the signers. See Managing the SSL certificate configuration.
  • If OpenID Connect Configuration is configured, and if you change ISC Context root from the Server Configuration panel, then you must reconfigure OpenID Connect Configuration.

Procedure

  1. From the top-level menu of the Appliance Dashboard, click Configure > Manage External Entities > OpenID Connect Configuration.
    The OpenID Connect Configuration page is displayed.
  2. Click the tab for the operation that you want to perform.
    Table 2. OpenID Connect operations
    Operation Steps
    New
      Use New to configure an OpenID provider.
      1. Click New.
      2. Provide the information based on the type of configuration that you want to perform, either Discovery configuration or Manual configuration.
      3. Click the Service Center check box.
      4. Click Save Configuration.
    Edit
      Use Edit to change the provider information.
      1. Select the provider whose information you want to change.
      2. Click Edit.
      3. Change the information in the available fields.
      4. Click Save Configuration.
    Delete
      Use Delete to remove an OpenID provider configuration.
      1. Select the provider configuration that you want to remove.
      2. Click Delete.
      3. Click Yes on the confirmation message.
    Refresh
      Updates the values in the grid.
    Note: You must register a redirect URI at the OpenID provider. After a successful authentication at the OpenID provider, the client is redirected to this URL. It has the following format:
    https://hostname:9082/oidcclient/{Provider-Name}

    For clusters, add the member node redirect URLs as a comma-separated list. Use the same Provider-Name for the primary and member nodes.

    Example:

    https://hostname:9082/oidcclient/{Provider-Name},https://hostname:9082/oidcclient/{Provider-Name}
    Where
    • hostname is the application interface IP address or the application interface host name where IBM Verify Identity Governance is running.
    • Provider-Name is the provider name attribute value that you enter when you register the OpenID Connect configuration in the virtual appliance.
    Note: When OpenID Connect Configuration is enabled, do not modify the following parameters:
    • enrole.ui.disableLoginPage in ui.properties.
    • ui.isc.oidcEnabled in ui.properties.
    • ui.disableLoginPage in UIconfig.properties.