Configure OIDC Authentication Source
To facilitate enterprise user authentication login, the IDaaS platform supports configuring the OIDC protocol as an authentication source. Users can authenticate and log in to various application systems through the OIDC protocol, bringing enterprise users a simpler and more convenient login method and better user experience.
This guide explains the related operations for configuring an OIDC authentication source.
Prerequisites
- Permissions for the third-party identity provider (IDP) application system, and the IDP supports OIDC authentication.
- Administrator permissions for the IDaaS Enterprise Center.
Procedure
Third-Party OIDC Authentication Platform Configuration
- On the third-party platform, create an application with OIDC as the access method, and complete the application's relevant information. For details, refer to the documentation of each platform.
- Grant users access to the newly created application.
Configure OIDC Authentication Source in IDaaS
Log in to the IDaaS Enterprise Center, choose Authentication > Authentication Source Management from the top navigation bar, enter the OIDC authentication source page, and click Add Authentication Source.

Configure the OIDC authentication source parameters as prompted. Key parameters are described below.

Parameter Description Public Key Obtain from the OIDC jwks_urior provided by the authentication source administrator, matching the public key format.
When the public key format is JWK URL, the public key ishttps://{Okta domain}/oauth2/v1/keys.
When the public key format is JSON public key, the public key is thevalueinhttps://{Okta domain}/oauth2/v1/keys.Flow Type When the authentication method is Initiate Authentication Proactively, this configuration is available. Select the corresponding flow type according to the application configuration, such as authorization code mode, selectable from the dropdown. Response Type Optional configuration, only available when the authentication method is Initiate Authentication Proactively. Default is code.Scope Available when the authentication method is Initiate Authentication Proactively, corresponding to the scopes configuration on the OIDC authentication source side. Must include openid, such asopenid email.Authorization URL Available when the authentication method is Initiate Authentication Proactively, corresponding to the authorization_endpointvalue on the OIDC authentication source side.Client ID Available when the authentication method is Initiate Authentication Proactively, corresponding to the Client IDvalue on the OIDC authentication source side.Audience Available when the authentication method is Authentication Source Initiates Authentication, this field parameter is included when obtaining configuration on the OIDC application side. Logout URL Optional configuration. The application's global logout address, obtained from the application side. Call Address Generated by the system by default. Corresponds to the application's Login redirect URIsparameter.Source Association Attribute The unique attribute of the user on the OIDC authentication source side. Such as email.User Association Attribute The mapping attribute for the OIDC authentication source to connect with IDaaS. Such as email, selectable from the dropdown. When User Not Associated When the user successfully logs in using the OIDC authentication source but is not associated with a system user, operations can be performed according to this setting, such as auto-create user, selectable from the dropdown. TIP
When User Not Associated: When the source association attribute of the user information returned by the third-party platform does not match the associated user attribute in IDaaS, and no system user is associated, the optional configurations are as follows.
Fail: Set to Fail, meaning the user is not allowed to pass authentication.
Auto Create User: Set to Auto Create User. You can choose whether to update existing attributes, and click Add Mapping to map user attributes from the third-party platform to IDaaS user attributes based on mapping rules and associated attributes, and create the user so that the user can pass authentication.
Attribute descriptions are as follows:
- User Attribute Name: Select an IDaaS user attribute from the dropdown.
- Mapping Type: Select authentication source attribute.
- Authentication Source Attribute Name: Third-party platform user attribute.