Configure OpenID Connect authentication
OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol: OAuth 2.0 handles authorization (delegated access to resources), and OIDC adds authentication by returning a signed ID token that identifies the signed-in user. The JWKS URI configured below is where the provider publishes the public keys used to verify that token's signature.
Configuration
Use the Realms API to configure this realm type. The request authenticates to Managed Fusion with basic auth (USERNAME:PASSWORD) and posts the realm definition from a realm-config.json file in the current directory:
curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST http://<managed-fusion-url>:6764/api/realm-configs -d @./realm-config.json
Below is a sample configuration. Replace the {your_...} placeholders with your own values; each roleMapping entry pairs a group name from the identity provider with a Managed Fusion role name (here the provider group role_user maps to the admin role). The clientSecret is a credential: keep the file out of version control.
{
  "realmType": "oidc",
  "name": "{your_oidcName}",
  "enabled": true,
  "roleNames": [
    "admin"
  ],
  "config": {
    "autoCreateUsers": true,
    "groups": {
      "roleMapping": [
        [
          "role_user",
          "admin"
        ]
      ]
    },
    "code": {
      "clientSecret": "{your_clientSecret}",
      "redirectUri": "{your_redirectUri}",
      "authorizationUri": "{your_authorizationUri}",
      "tokenUri": "{your_tokenUri}"
    },
    "clientId": "{your_clientId}",
    "jwkSetUri": "{your_jwkSetUri}",
    "userIdAttribute": "email",
    "scope": [
      "openid",
      "email",
      "profile"
    ]
  }
}
Required fields
Field | Description | Example |
---|---|---|
name | Name of the OIDC realm. | |
clientSecret | A secret value shared between the application and the authentication server. Treat it as a credential. | N/A |
redirectUri | The URI the authorization server redirects the browser to after the user signs in. It must exactly match a redirect URI registered with the provider. | |
authorizationUri | The authorization server's authorization endpoint, where the user is sent to sign in. | |
tokenUri | The token endpoint, where the authorization code is exchanged for the ID token and access token. | |
clientId | A unique value which identifies the client. | N/A |
jwkSetUri | The URL of the authorization server's JSON Web Key Set (JWKS), used to verify the signatures of the tokens it issues. | |
Google authentication
For authenticating with Google, use Google's OpenID Configuration document (https://accounts.google.com/.well-known/openid-configuration) to retrieve the required values for authorizationUri (authorization_endpoint), tokenUri (token_endpoint), jwkSetUri (jwks_uri), and issuer. Copy the values from the live document rather than from memory, since the provider may rotate endpoints.
Okta authentication
OpenID Connect authentication with Okta involves mapping Okta groups to Managed Fusion roles (the roleMapping entries in the configuration above). To expose group membership in the ID token, configure the authorization server in Okta's admin view:
- Navigate to API > Authorization Server.
- Select the server to configure for mapping.
- In the Scopes menu, add a scope for the authentication groups.
- In the Claims menu, add a new claim named groups, include it in the ID token, and set the group filter to match the regex .*, which exposes all of the user's groups.
Matching .* places every group the user belongs to into the ID token. Once the mapping works, narrow the filter to just the groups you map to Managed Fusion roles so the token does not disclose unrelated group membership.
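The following script ties the Configuration, Required fields, Google and Okta sections together. It is an added example for this page, not Lucidworks code: it fills the realm JSON from a provider's discovery document (the sample discovery values are a constructed copy modeled on Google's published document), checks the required fields and a few hygiene rules before anything is posted, and shows how a groups claim would resolve against roleMapping. The validation rules, resolve_roles(), the helper names and the fusion.example.com host are this example's own assumptions.

```python
"""Build, validate and optionally post a Managed Fusion OIDC realm config.

Added example for this page, not Lucidworks code. The realm JSON shape and
field names follow the sample configuration above; the checks, resolve_roles()
and the helper names are this example's own assumptions.
"""
import base64
import json
import re
import urllib.request

# Constructed sample modeled on Google's discovery document
# (https://accounts.google.com/.well-known/openid-configuration).
# Fetch the live document rather than copying these values.
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}

# Fields the page lists as required, keyed by where they live in the realm JSON.
REQUIRED_CODE_FIELDS = ("clientSecret", "redirectUri", "authorizationUri", "tokenUri")
REQUIRED_CONFIG_FIELDS = ("clientId", "jwkSetUri")


def fetch_discovery(issuer):
    """Download <issuer>/.well-known/openid-configuration (needs network access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def build_realm_config(name, client_id, client_secret, redirect_uri, discovery,
                       role_mapping, role_names=("admin",),
                       scope=("openid", "email", "profile")):
    """Fill the realm JSON from a discovery document so endpoints are not hand-typed."""
    return {
        "realmType": "oidc",
        "name": name,
        "enabled": True,
        "roleNames": list(role_names),
        "config": {
            "autoCreateUsers": True,
            "groups": {"roleMapping": [list(pair) for pair in role_mapping]},
            "code": {
                "clientSecret": client_secret,
                "redirectUri": redirect_uri,
                "authorizationUri": discovery["authorization_endpoint"],
                "tokenUri": discovery["token_endpoint"],
            },
            "clientId": client_id,
            "jwkSetUri": discovery["jwks_uri"],
            "userIdAttribute": "email",
            "scope": list(scope),
        },
    }


def validate_realm_config(cfg):
    """Return a list of problems; empty when the config passes this example's checks."""
    problems = []
    if cfg.get("realmType") != "oidc":
        problems.append("realmType must be 'oidc'")
    if not cfg.get("name"):
        problems.append("name is required")
    conf = cfg.get("config", {})
    code = conf.get("code", {})
    for f in REQUIRED_CODE_FIELDS:
        if not code.get(f):
            problems.append(f"config.code.{f} is required")
    for f in REQUIRED_CONFIG_FIELDS:
        if not conf.get(f):
            problems.append(f"config.{f} is required")
    # Tokens and the code exchange travel over these URIs: insist on TLS
    # (plain http is tolerated only for localhost testing).
    for label, uri in (("redirectUri", code.get("redirectUri")),
                       ("authorizationUri", code.get("authorizationUri")),
                       ("tokenUri", code.get("tokenUri")),
                       ("jwkSetUri", conf.get("jwkSetUri"))):
        if uri and not re.match(r"^(https://|http://localhost[:/])", uri):
            problems.append(f"{label} should use https: {uri}")
    # Every role a group maps to must be declared in roleNames.
    declared = set(cfg.get("roleNames", []))
    for pair in conf.get("groups", {}).get("roleMapping", []):
        if not (isinstance(pair, list) and len(pair) == 2):
            problems.append(f"roleMapping entry must be [group, role]: {pair!r}")
        elif pair[1] not in declared:
            problems.append(f"roleMapping maps to undeclared role {pair[1]!r}")
    if "openid" not in conf.get("scope", []):
        problems.append("scope must include 'openid'")
    return problems


def resolve_roles(groups_claim, role_mapping):
    """Illustrative only: roles a user's groups claim would map to.

    Only groups named in roleMapping matter; extra groups exposed by the
    Okta .* filter are ignored, which is why the filter can be narrowed.
    """
    wanted = {group: role for group, role in role_mapping}
    return sorted({wanted[g] for g in groups_claim if g in wanted})


def post_realm_config(base_url, username, password, cfg):
    """POST the realm to the Realms API with basic auth; returns the HTTP status."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/realm-configs",
        data=json.dumps(cfg).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    cfg = build_realm_config("google", "CLIENT_ID", "CLIENT_SECRET",
                             "https://fusion.example.com/oauth", SAMPLE_DISCOVERY,
                             [["role_user", "admin"]])
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_realm_config(cfg))
```

Run it to print a realm JSON ready for the curl command above; swap SAMPLE_DISCOVERY for fetch_discovery("https://accounts.google.com") when online, and call post_realm_config() only after validate_realm_config() returns an empty list.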