Content Platform Engine RelyingParty Interceptor settings
Use the following sample settings as a guide for the Interceptor class settings for your Content Platform Engine application server instance. The client IDs and client secrets in the table are placeholders from sample registrations: replace them with the values that your identity provider issued for your own client registration, and handle the clientSecret value as a credential, not as an ordinary configuration item. For each provider the audiences value is the same as the clientId value, so that the interceptor accepts only tokens that were issued to this relying party.
- provider_1 - Example UMS Identity Provider
- provider_2 - Example Google Sign-In Identity Provider
- provider_3 - Example IBM Id Identity Provider
| Name | Value |
| --- | --- |
| provider_1.authorizeEndpointUrl | https://server_name:port/oidc/endpoint/ums/authorize |
| provider_1.tokenEndpointUrl | https://server_name:port/oidc/endpoint/ums/token |
| provider_1.jwkEndpointUrl | https://server_name:port/oidc/endpoint/ums/jwk |
| provider_1.signatureAlgorithm | RS256 |
| provider_1.issuerIdentifier | https://server_name/oidc/endpoint/ums |
| provider_1.clientId | exShareUms |
| provider_1.clientSecret | Genius1 |
| provider_1.identifier | ExShareUms |
| provider_1.useRealm | For multiple IDPs: ExShareUms. For a single IDP: ldap_realm (set to the Realm name under .) |
| provider_1.filter | For multiple IDPs: auth-token-realm%=ExShareUms. The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider by using the provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_1.useRealm = ExShareUms. For a single IDP: Authorization%=Bearer. All requests that carry a Bearer token are authenticated by using this OAuth/OIDC configuration. |
| provider_1.userIdentifier | sub |
| provider_1.useJwtFromRequest | OAuth: no. OIDC: ifPresent |
| provider_1.scope | openid email |
| provider_1.uniqueUserIdentifier | sub |
| provider_1.introspectEndpointUrl | https://server_name:port/oidc/endpoint/ums/introspect |
| provider_1.allowImplicitClientFlow | true |
| provider_1.signVerifyAlias | ums |
| provider_1.responseType | id_token token |
| provider_1.verifyIssuerInIat | true |
| provider_1.audiences | exShareUms |
| provider_2.authorizeEndpointUrl | https://accounts.google.com/o/oauth2/v2/auth |
| provider_2.tokenEndpointUrl | https://oauth2.googleapis.com/token |
| provider_2.jwkEndpointUrl | https://www.googleapis.com/oauth2/v3/certs |
| provider_2.signatureAlgorithm | RS256 |
| provider_2.issuerIdentifier | https://accounts.google.com |
| provider_2.clientId | 530122881973-fuotgltih4t5e3335im9aeca2uql7q52.apps.googleusercontent.com |
| provider_2.clientSecret | YPcdr1FifclLuF2Dyu164WWD |
| provider_2.identifier | ExShareGID |
| provider_2.useRealm | For multiple IDPs: ExShareGID. For a single IDP: ldap_realm (set to the Realm name under .) |
| provider_2.filter | For multiple IDPs: auth-token-realm%=ExShareGID. The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider by using the provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_2.useRealm = ExShareGID. For a single IDP: Authorization%=Bearer. All requests that carry a Bearer token are authenticated by using this OAuth/OIDC configuration. |
| provider_2.userIdentifier | |
| provider_2.useJwtFromRequest | OIDC: ifPresent. Note: Google Sign-In must use OIDC; OAuth is not supported. |
| provider_2.scope | openid email |
| provider_2.uniqueUserIdentifier | |
| provider_2.introspectEndpointUrl | https://oauth2.googleapis.com/token |
| provider_2.allowImplicitClientFlow | true |
| provider_2.verifyIssuerInIat | true |
| provider_2.audiences | 530122881973-fuotgltih4t5e3335im9aeca2uql7q52.apps.googleusercontent.com |
| provider_3.authorizeEndpointUrl | https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/authorize |
| provider_3.tokenEndpointUrl | https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/token |
| provider_3.signVerifyAlias | prepiam_toronto_ca_ibm_com |
| provider_3.signatureAlgorithm | RS256 |
| provider_3.issuerIdentifier | https://prepiam.toronto.ca.ibm.com |
| provider_3.clientId | exShareIbmId |
| provider_3.clientSecret | MTQ0YjMwYmItNDVjMS00 |
| provider_3.identifier | ExShareIbmId |
| provider_3.useRealm | For multiple IDPs: ExShareIbmId. For a single IDP: ldap_realm (set to the Realm name under .) |
| provider_3.filter | For multiple IDPs: auth-token-realm%=ExShareIbmId. The value after auth-token-realm%= must match the realm name that is set in IBM Content Navigator for this same provider by using the provider_n.useRealm property; for example, in the Navigator Relying Party Interceptor settings: provider_3.useRealm = ExShareIbmId. For a single IDP: Authorization%=Bearer. All requests that carry a Bearer token are authenticated by using this OAuth/OIDC configuration. |
| provider_3.userIdentifier | sub |
| provider_3.useJwtFromRequest | OAuth: no. OIDC: ifPresent |
| provider_3.scope | openid email |
| provider_3.uniqueUserIdentifier | sub |
| provider_3.introspectEndpointUrl | https://prepiam.toronto.ca.ibm.com/idaas/oidc/endpoint/default/introspect |
| provider_3.allowImplicitClientFlow | true |
| provider_3.verifyIssuerInIat | OAuth: false. OIDC: true |
| provider_3.audiences | exShareIbmId |
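The table above leaves two things to get right by hand: the filter of each provider must name the same realm as its useRealm value, and audiences must equal clientId. The following script is an added example (not IBM code) that parses settings in the same provider_n.name=value form, reports those mismatches offline, and shows which provider a request would be routed to by its filter. It assumes the TAI-style filter syntax in which header%=value means "the request header contains value"; the sample settings, the placeholder Google client ID and port 9443 are constructed for the example.

```python
"""Offline checks for RelyingParty Interceptor provider_n.* settings.
Added example, not IBM code. Assumes the TAI-style filter syntax where
header%=value means "the request header contains value"."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed multiple-IDP sample mirroring the table (secrets omitted,
# Google client ID is a placeholder, port 9443 is assumed).
MULTI_IDP_SETTINGS = """\
provider_1.issuerIdentifier=https://server_name/oidc/endpoint/ums
provider_1.jwkEndpointUrl=https://server_name:9443/oidc/endpoint/ums/jwk
provider_1.signatureAlgorithm=RS256
provider_1.clientId=exShareUms
provider_1.useRealm=ExShareUms
provider_1.filter=auth-token-realm%=ExShareUms
provider_1.audiences=exShareUms
provider_2.issuerIdentifier=https://accounts.google.com
provider_2.jwkEndpointUrl=https://www.googleapis.com/oauth2/v3/certs
provider_2.signatureAlgorithm=RS256
provider_2.clientId=123456789012-example.apps.googleusercontent.com
provider_2.useRealm=ExShareGID
provider_2.filter=auth-token-realm%=ExShareGID
provider_2.audiences=123456789012-example.apps.googleusercontent.com
"""

# Constructed single-IDP sample: every Bearer request goes to provider_1.
SINGLE_IDP_SETTINGS = """\
provider_1.issuerIdentifier=https://server_name/oidc/endpoint/ums
provider_1.jwkEndpointUrl=https://server_name:9443/oidc/endpoint/ums/jwk
provider_1.signatureAlgorithm=RS256
provider_1.clientId=exShareUms
provider_1.useRealm=ldap_realm
provider_1.filter=Authorization%=Bearer
provider_1.audiences=exShareUms
"""

FILTER_RE = re.compile(r"^([^=!%]+?)\s*(==|!=|%=)\s*(.*)$")


def parse_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Group provider_n.key=value lines by provider, in file order."""
    settings: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        provider, _, key = name.strip().partition(".")
        settings.setdefault(provider, {})[key] = value.strip()
    return settings


def parse_filter(expr: str) -> Tuple[str, str, str]:
    """Split 'Header<op>value' into (header lower-cased, op, value)."""
    match = FILTER_RE.match(expr.strip())
    if not match:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    header, op, value = match.groups()
    return header.strip().lower(), op, value


def filter_matches(expr: str, headers: Dict[str, str]) -> bool:
    """Evaluate one filter; header names are case-insensitive and a
    request that lacks the named header never matches."""
    header, op, value = parse_filter(expr)
    actual = {k.lower(): v for k, v in headers.items()}.get(header)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    return value in actual  # "%=" means contains


def select_provider(settings: Dict[str, Dict[str, str]],
                    headers: Dict[str, str]) -> Optional[str]:
    """First provider whose filter accepts the request, or None when no
    filter matches (the request is then not authenticated by any IDP)."""
    for provider, props in settings.items():
        if "filter" in props and filter_matches(props["filter"], headers):
            return provider
    return None


def check_settings(settings: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings that would break or weaken token validation; [] is clean."""
    findings: List[str] = []
    for provider, props in settings.items():
        # audiences is this registration's client ID, so tokens minted for
        # another client at the same issuer are rejected.
        if props.get("audiences") != props.get("clientId"):
            findings.append(f"{provider}: audiences must equal clientId")
        # Multiple-IDP routing: the realm in the filter must be the realm
        # that useRealm names, otherwise requests reach the wrong provider.
        header, _, realm = parse_filter(props.get("filter", "x==x"))
        if header == "auth-token-realm" and realm != props.get("useRealm"):
            findings.append(f"{provider}: filter realm {realm!r} != useRealm {props.get('useRealm')!r}")
        # Keys and issuer must be fetched over TLS; signatures must be asymmetric.
        for key, value in props.items():
            if (key.endswith("Url") or key == "issuerIdentifier") and urlsplit(value).scheme != "https":
                findings.append(f"{provider}: {key} is not https")
        if not props.get("signatureAlgorithm", "").startswith(("RS", "PS", "ES")):
            findings.append(f"{provider}: signatureAlgorithm must be asymmetric, for example RS256")
    return findings
```

Run check_settings on the exported settings before you restart the server; a copied-and-edited provider block whose filter still names the previous provider's realm is the most common mistake, and it is invisible until a user in that realm is routed to the wrong issuer.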