Product Selector

Fusion 5.9
    Fusion 5.9

    Configure OpenID Connect Authentication

    Configuration

    Use the Realms API to configure this realm type:

    curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST http://<fusion-url>:6764/api/realm-configs -d @./realm-config.json

    Below is a sample configuration:

      {
        "realmType": "oidc",
        "name": "{your_oidcName}",
        "enabled": true,
        "roleNames": [
            "admin"
         ],
        "config": {
          "autoCreateUsers": true,
          "groups": {
            "roleMapping": [
              [
                "role_user",
                "admin"
              ]
            ]
          },
          "code": {
            "clientSecret": "{your_clientSecret}",
            "redirectUri": "{your_redirectUri}",
            "authorizationUri": "{your_authorizationUri}",
            "tokenUri": "{your_tokenUri}"
          },
          "clientId": "{your_clientId}",
          "jwkSetUri": "{your_jwkSetUri}",
          "userIdAttribute": "email",
          "scope": [
            "openid",
            "email",
            "profile"
          ]
        }
      },

    Required fields

    Field Description Example

    name

    Name of the OIDC realm.

    oidc.

    clientSecret

    A secret value shared between the application and the authentication server.

    N/A

    redirectUri

    The URI to which the user will be redirected to after logging in.

    http://{fusion-url}:6764/admin

    authorizationUri

    The authorization server URI.

    https://${yourOktaDomain}/oauth2/default/v1/authorize

    tokenUri

    The URI to get access token from.

    https://${yourOktaDomain}/oauth2/default/v1/token

    clientId

    A unique value which identifies the client.

    N/A

    jwkSetUri

    The URL of the authorization server’s JSON Web Key Set (JWKS).

    https://${yourOktaDomain}/oauth2/default/v1/keys

    Google authentication

    For authenticating with Google, use Google’s OpenID Configuration to retrieve the required values for authorizationUri, tokenUri, jwkSetUri, and issuer.

    Okta authentication

    OpenID Connect authentication with Okta involves mapping Okta groups to Fusion roles. The Okta group information can be retrieved from Okta’s admin view:

    1. Navigate to API > Authorization Server

    2. Select the server you will configure for mapping

    3. In the Scope menu, add the authentication groups

    4. In the Claims menu, add new claim groups with ID token and set regexp to .*, which will expose all groups