API Protection OpenID Connect Provider properties

When you configure API Protection for OAuth and OpenID Connect, and you enable OpenID Connect, you must specify properties for the OIDC Provider.

The local management interface (LMI) page OpenID Connect and API Protection has a section that prompts for settings for OpenID Connect Provider. Refer to the following list of properties to determine the appropriate value for each property.

For configuration task instructions, see Creating an API protection definition.

Issuer Identifier
This entry identifies the issuing entity. It must be a valid URL with the protocol prefix https://. For example, https://ibm.com or https://accounts.google.com. It must not include fragment or query portions. The Issuer Identifier is defined by the OIDC specification. See http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier
Point of Contact Prefix
The Point of Contact Prefix is used to correctly populate the URLs on the metadata page. It must include the host, port, and path information of the reverse proxy junction to the runtime. For example: https://isam.myidp.ibm.com:443/mga/. Note that this is not a field from the OIDC standard.
Metadata URI
The location where you can view the metadata for this OP. The metadata describes the capabilities of the OP and includes all of its other URIs. This field is read-only.
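The following Go program is an added example, not part of the IBM documentation or the product; it applies the constraints the Issuer Identifier and Point of Contact Prefix properties state (https prefix, a host, no query or fragment for the issuer; host, explicit port and junction path for the prefix) so that a misconfigured value is caught before a relying party ever compares it against an iss claim. The sample URLs it checks are constructed from the examples above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// CheckIssuerIdentifier applies the rules listed for the Issuer Identifier
// property: a valid URL with the https:// prefix, a host, and no query or
// fragment portion.
func CheckIssuerIdentifier(s string) error {
	u, err := url.Parse(s)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("issuer must use the https:// prefix")
	}
	if u.Host == "" {
		return errors.New("issuer must contain a host")
	}
	if u.RawQuery != "" || u.ForceQuery {
		return errors.New("issuer must not contain a query portion")
	}
	if u.Fragment != "" {
		return errors.New("issuer must not contain a fragment portion")
	}
	return nil
}

// CheckPointOfContactPrefix applies the rules listed for the Point of Contact
// Prefix property: host, port and the junction path to the runtime must all be
// present, and the prefix must be served over https like the issuer.
func CheckPointOfContactPrefix(s string) error {
	u, err := url.Parse(s)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("prefix must use the https:// prefix")
	}
	if u.Hostname() == "" {
		return errors.New("prefix must contain a host")
	}
	if u.Port() == "" {
		return errors.New("prefix must include an explicit port")
	}
	if u.Path == "" || u.Path == "/" {
		return errors.New("prefix must include the junction path to the runtime")
	}
	return nil
}

func main() {
	// Constructed sample values: two taken from the property descriptions,
	// the rest deliberately malformed to show which rule rejects them.
	for _, s := range []string{
		"https://accounts.google.com",
		"http://ibm.com",
		"https://ibm.com/?tenant=1",
		"https://ibm.com#section",
	} {
		fmt.Printf("issuer %-28s -> %v\n", s, CheckIssuerIdentifier(s))
	}
	for _, s := range []string{
		"https://isam.myidp.ibm.com:443/mga/",
		"https://isam.myidp.ibm.com/mga/",
	} {
		fmt.Printf("prefix %-38s -> %v\n", s, CheckPointOfContactPrefix(s))
	}
}
```

Run it once against the values you intend to enter in the LMI; an issuer that fails here will also fail the iss comparison on every relying party that follows the OIDC Core rules.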
id_token Lifetime
Time in seconds for which the id_token is valid. The value is the difference between the values in the iat and exp claims of the issued JSON Web Token (JWT). You can use a pre-token mapping rule to overload this value at runtime.

Default: 3600 seconds.

Signing Algorithm
The algorithm that is used to sign the JWT. This setting is the alg claim in the JWT. Use the menu to select the appropriate value. You can use a pre-token mapping rule to overload this value at runtime.

Default: RS256.

Key Database for Signing
The key database that is used to source the private key for signing with the ES/RS signature algorithms. You can use a pre-token mapping rule to overload this value at runtime.

Default: rt_profile_keys

Certificate Label for Signing
The label of the key in the selected keystore that is used as the private key for ES/RS signing. You can use a pre-token mapping rule to overload this value at runtime.

Default: server

Encrypt ID token
Boolean value to indicate whether this JWT must be encrypted. Select the check box to encrypt the token and configure encryption settings. You can use a pre-token mapping rule to overload this value at runtime.
Key Agreement Algorithm
The encryption algorithm that is used for JWT key agreement. This setting is the alg claim in the encrypted JWT. You can use a pre-token mapping rule to overload this value at runtime.

Default: RSA-OAEP-256

Encryption Algorithm
The encryption algorithm that is used for JWT payload encryption. This setting is the enc claim in the encrypted JWT. You can use a pre-token mapping rule to overload this value at runtime.

Default: A128CBC-HS256
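The Go program below is an added example, not code from the IBM documentation or the product, that shows what the id_token Lifetime, Signing Algorithm and Issuer Identifier properties mean on the wire. It mints an RS256 id_token whose exp is iat plus the documented 3600-second default, then verifies it the way a relying party should: the alg header is pinned to the configured algorithm before the signature is examined, the signature is checked, iss must equal the configured issuer, and the applied lifetime is recovered as exp minus iat. The issuer host is a constructed value, the RSA key is generated at run time in place of the keystore entry the Key Database and Certificate Label properties would select, and the encrypted (JWE) form from the properties above is not covered.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Values taken from the property list; the issuer host is a constructed example.
const (
	Issuer          = "https://isam.myidp.ibm.com" // hypothetical Issuer Identifier
	IDTokenLifetime = 3600                         // documented default, in seconds
	SigningAlg      = "RS256"                      // documented default Signing Algorithm
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

type header struct {
	Alg string `json:"alg"`
}

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// GenerateOPKey stands in for the private key that the Key Database and
// Certificate Label properties would select from the keystore.
func GenerateOPKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// MintIDToken is the OP side: exp is iat + lifetime, which is exactly how the
// id_token Lifetime property is defined.
func MintIDToken(key *rsa.PrivateKey, sub, aud string, iat, lifetime int64) (string, error) {
	h, _ := json.Marshal(header{Alg: SigningAlg})
	c, _ := json.Marshal(claims{Iss: Issuer, Sub: sub, Aud: aud, Iat: iat, Exp: iat + lifetime})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side. The alg header is compared with the
// configured algorithm before the signature is touched, so "none" or any other
// algorithm is refused; then the RS256 signature, iss and exp are checked and
// the lifetime the OP actually applied (exp - iat) is returned.
func VerifyIDToken(token string, pub *rsa.PublicKey, now int64) (*claims, int64, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, 0, errors.New("malformed JWT")
	}
	var h header
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &h) != nil {
		return nil, 0, errors.New("unreadable JWT header")
	}
	if h.Alg != SigningAlg {
		return nil, 0, fmt.Errorf("alg %q is not the configured %q", h.Alg, SigningAlg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, 0, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, 0, fmt.Errorf("signature invalid: %w", err)
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, 0, errors.New("unreadable JWT claims")
	}
	if c.Iss != Issuer {
		return nil, 0, fmt.Errorf("iss %q does not match the configured issuer", c.Iss)
	}
	if now >= c.Exp {
		return nil, 0, errors.New("id_token has expired")
	}
	return &c, c.Exp - c.Iat, nil
}

func main() {
	key := GenerateOPKey()
	iat := time.Now().Unix()
	tok, _ := MintIDToken(key, "alice", "client-1", iat, IDTokenLifetime)
	_, lifetime, err := VerifyIDToken(tok, &key.PublicKey, iat+1)
	fmt.Println(lifetime, err) // 3600 <nil>
}
```

Because a pre-token mapping rule can overload the lifetime and the algorithm at run time, the value a relying party recovers from exp minus iat is the authoritative one; comparing it with the configured default is a cheap way to confirm that a mapping rule is doing what you expect.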

Attribute Mapping

You can use the Attribute Mapping section to define attributes that can be used to customize claims from attribute sources. Attribute sources can be: Fixed, Credential, or LDAP.

When you select Enable OpenID Connect, the New and Delete icons are activated for attribute mapping. To create a mapping, select New, enter the Attribute Name, and select the Attribute Source type.

To remove an existing Attribute Name, select the attribute and click Delete.

If you do not select Enable OpenID Connect, you cannot create new attribute mappings.

Enable client registration
Check this check box to allow users to register dynamic clients.
Issue Client Secret
If dynamic clients are enabled, check this check box if you want them to be confidential clients.