Skip to content

Configure OIDC Authentication Source

To facilitate enterprise user authentication login, the IDaaS platform supports configuring the OIDC protocol as an authentication source. Users can authenticate and log in to various application systems through the OIDC protocol, bringing enterprise users a simpler and more convenient login method and better user experience.

This guide explains the related operations for configuring an OIDC authentication source.

Prerequisites

  • Permissions for the third-party identity provider (IDP) application system, and the IDP supports OIDC authentication.
  • Administrator permissions for the IDaaS Enterprise Center.

Procedure

Third-Party OIDC Authentication Platform Configuration

  1. On the third-party platform, create an application with OIDC as the access method, and complete the application's relevant information. For details, refer to the documentation of each platform.
  2. Grant users access to the newly created application.

Configure OIDC Authentication Source in IDaaS

  1. Log in to the IDaaS Enterprise Center, choose Authentication > Authentication Source Management from the top navigation bar, enter the OIDC authentication source page, and click Add Authentication Source.

    Steps

  2. Configure the OIDC authentication source parameters as prompted. Key parameters are described below.

    Steps

    ParameterDescription
    Public KeyObtain from the OIDC jwks_uri or provided by the authentication source administrator, matching the public key format.
    When the public key format is JWK URL, the public key is https://{Okta domain}/oauth2/v1/keys.
    When the public key format is JSON public key, the public key is the value in https://{Okta domain}/oauth2/v1/keys.
    Flow TypeWhen the authentication method is Initiate Authentication Proactively, this configuration is available. Select the corresponding flow type according to the application configuration, such as authorization code mode, selectable from the dropdown.
    Response TypeOptional configuration, only available when the authentication method is Initiate Authentication Proactively. Default is code.
    ScopeAvailable when the authentication method is Initiate Authentication Proactively, corresponding to the scopes configuration on the OIDC authentication source side. Must include openid, such as openid email.
    Authorization URLAvailable when the authentication method is Initiate Authentication Proactively, corresponding to the authorization_endpoint value on the OIDC authentication source side.
    Client IDAvailable when the authentication method is Initiate Authentication Proactively, corresponding to the Client ID value on the OIDC authentication source side.
    AudienceAvailable when the authentication method is Authentication Source Initiates Authentication, this field parameter is included when obtaining configuration on the OIDC application side.
    Logout URLOptional configuration. The application's global logout address, obtained from the application side.
    Call AddressGenerated by the system by default. Corresponds to the application's Login redirect URIs parameter.
    Source Association AttributeThe unique attribute of the user on the OIDC authentication source side. Such as email.
    User Association AttributeThe mapping attribute for the OIDC authentication source to connect with IDaaS. Such as email, selectable from the dropdown.
    When User Not AssociatedWhen the user successfully logs in using the OIDC authentication source but is not associated with a system user, operations can be performed according to this setting, such as auto-create user, selectable from the dropdown.

    TIP

    When User Not Associated: When the source association attribute of the user information returned by the third-party platform does not match the associated user attribute in IDaaS, and no system user is associated, the optional configurations are as follows.

    • Fail: Set to Fail, meaning the user is not allowed to pass authentication.

    • Auto Create User: Set to Auto Create User. You can choose whether to update existing attributes, and click Add Mapping to map user attributes from the third-party platform to IDaaS user attributes based on mapping rules and associated attributes, and create the user so that the user can pass authentication.

      Attribute descriptions are as follows:

      • User Attribute Name: Select an IDaaS user attribute from the dropdown.
      • Mapping Type: Select authentication source attribute.
      • Authentication Source Attribute Name: Third-party platform user attribute.

BambooCloud IDaaS Open Platform