Configure OpenID Connect authentication
OpenID Connect is an identity authorization layer which supplements the OAuth 2.0 protocol.
Configuration
Use the Realms API to configure this realm type:
curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST http://<managed-fusion-url>:6764/api/realm-configs -d @./realm-config.json
Below is a sample configuration:
{
"realmType": "oidc",
"name": "{your_oidcName}",
"enabled": true,
"roleNames": [
"admin"
],
"config": {
"autoCreateUsers": true,
"groups": {
"roleMapping": [
[
"role_user",
"admin"
]
]
},
"code": {
"clientSecret": "{your_clientSecret}",
"redirectUri": "{your_redirectUri}",
"authorizationUri": "{your_authorizationUri}",
"tokenUri": "{your_tokenUri}"
},
"clientId": "{your_clientId}",
"jwkSetUri": "{your_jwkSetUri}",
"userIdAttribute": "email",
"scope": [
"openid",
"email",
"profile"
]
}
},Required fields
| Field | Description | Example |
|---|---|---|
|
Name of the OIDC realm. |
|
|
A secret value shared between the application and the authentication server. |
N/A |
|
The URI that displays after the user signs in. |
|
|
The authorization server URI. |
|
|
The URI where the access token is obtained. |
|
|
A unique value which identifies the client. |
N/A |
|
The URL of the authorization server’s JSON Web Key Set (JWKS). |
|
Google authentication
For authenticating with Google, use Google’s OpenID Configuration to retrieve the required values for authorizationUri, tokenUri, jwkSetUri, and issuer.
Okta authentication
OpenID Connect authentication with Okta involves mapping Okta groups to Managed Fusion roles. The Okta group information can be retrieved from Okta’s admin view:
-
Navigate to API > Authorization Server.
-
Select the server to configure for mapping.
-
In the Scope menu, add the authentication groups.
-
In the Claims menu, add new claim groups with ID token and set regexp to
.*, which exposes all groups.