Configuring an OIDC Exchange Provider - Identity and Access Management Services - 4.4 - 4.4 - Ready - Other - external

Identity and Access Management Services

Platform
Other
Product
Identity and Access Management Services
Release
4.4
License

This type of provider uses OIDC-Exchange to authenticate users and log them in.

Note:

Detailed instructions on how to configure an OIDC-Exchange environment to correctly authenticate and return valid tokens for use with the Hyland IdP server are beyond the scope of this documentation. Detailed instructions for configuring your provider are available from the developer of the software being used.

To configure the Hyland IdP server to use OIDC-Exchange:

  1. Launch the Hyland IdP Administration client and log in (see Accessing the Hyland IdP Administration Client).
    Upon successfully logging in, the tenant, provider, client connection, and API resource information is displayed. In a wide display, the tenant information is in the left pane and the providers, client connections, and API resources configured for that tenant are listed in the right pane. In a narrow display, the tenant information is at the top of the page and the provider, client connection, and API resource information is below it.
  2. Click the Provider tab to view the providers currently configured for the tenant. The number of providers configured is displayed in parentheses in the tab heading.
    Provider tab with the number of providers in parentheses
  3. If this is a new provider, click Add New at the upper right of the providers list.

    If you are configuring an existing provider, click its name in the list of providers.

    The Provider configuration page is displayed. It is divided into the Basic Settings and Protocol areas. In a wide display, the Basic Settings area is on the left. In a narrow display, the Basic Settings area is at the top of the page.

  4. Under Protocol, select OIDC-Exchange from the Type drop-down list. The specific settings for OIDC-Exchange providers are displayed.
  5. Under Basic Settings, configure the following options.

    Option

    Description

    Name

    A unique name for the provider. This value is required and cannot contain any slashes (/ or \).

    User Attribute Mapping

    These settings are used to synchronize user attribute information.

    The schema definitions of the provider responses that contain the account declarations of the user logging in. The following attributes can be synchronized.

    • UserId: The unique user identifier received from the external provider. This can be configured to use the username if the username does not change over time. This attribute is required.

    • Username: The URI of the claim type in the provider response that contains the user name of the user logging in. This attribute is required.

    • Email: The URI of the claim type in the provider response that contains the email address of the user logging in.

    • Real Name: The URI of the claim type in the provider response that contains the real name of the user logging in.

    • Group: The URI of the claim type in the provider response that contains the group membership of the user logging in.

    Strip domain from username

    Select this option to remove the domain from the user name before it is passed for authentication.

    This setting controls whether to automatically strip the domain from user names that are passed as either domain\username or username@domain. This is useful when providers use a full domain and user name but authenticating system only uses the user name.

    Enable User Provisioning

    Select this option to synchronize the user attributes defined in the User Attribute Mapping section when the user logs in.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

    User Provisioning Create Enabled

    Select this option to allow creating a new user in the tenant resource if the user logging in is not found.

    If this option is not selected and the user logging in is not found, that user is not logged in and an exception is returned.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

    User Provisioning Update Enabled

    Select this option to allow updating an existing user in the tenant resource if the user logging in is found.

    If this option is not selected, the incoming user information from the tenant is ignored and no updates are made to user information.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

  6. Update the values of the OIDC-Exchange protocol settings to match your environment.

    Option

    Description

    Issuer

    Enter the URL for the issuer of incoming ID tokens. This is the expected value of the iss claim within an incoming token.

    This value will be used to look up the specific provider for this tenant. The client submitting the ID token must also belong to the same tenant.

    Cache Duration in Seconds

    Enter the duration, in seconds, to retain the results of calls to locations in either the Issuer or JWKS URI setting.

    The default setting is 14400 seconds (4 hours).

    To prevent caching results, enter 0 (zero).

    JWKS URI

    Enter the URI for the endpoint to call for JSON Web Key Set (JWKS) signing data.

    JWKS Document

    Enter the allowed keys for the JWKS endpoint in JWKS format.

    Note:

    JWKS format is an internet standard. For more information, see the specifications published by the Internet Engineering Task Force (IETF).

    Note the following on how these settings are used to get signing keys to validate tokens:

    • You have the option to enter values for either JKWS URI or JWKS Document.

    • By default, the public keys used to validate the signature of the subject token are fetched from the JWKS URL in the Discovery Document published by the issuer.

  7. Optional. If you prefer not to use the JWKS URI provided in the Discovery Document, click Configure and then enter the values for either JKWS URI or JWKS Document as displayed in the image below.
    JWKS Setting with JWKS URI and JWKS Document options
  8. Click Save in the lower right corner of the page.
    Note:

    If you are configuring the Hyland IdP for use with an OnBase environment, you must also configure a default User Group in OnBase to assign new users to when accounts are created in OnBase from federated credentials.