    Fusion 5.12

    Configure OpenID Connect authentication

    OpenID Connect is an identity (authentication) layer built on top of the OAuth 2.0 authorization protocol.

    Managed Fusion’s OpenID Connect security realm has been tested with Google and Okta.

    Configuration

    Use the Realms API to configure this realm type:

    curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST http://<managed-fusion-url>:6764/api/realm-configs -d @./realm-config.json

    Below is a sample configuration:

      {
        "realmType": "oidc",
        "name": "{your_oidcName}",
        "enabled": true,
        "roleNames": [
            "admin"
         ],
        "config": {
          "autoCreateUsers": true,
          "groups": {
            "roleMapping": [
              [
                "role_user",
                "admin"
              ]
            ]
          },
          "code": {
            "clientSecret": "{your_clientSecret}",
            "redirectUri": "{your_redirectUri}",
            "authorizationUri": "{your_authorizationUri}",
            "tokenUri": "{your_tokenUri}"
          },
          "clientId": "{your_clientId}",
          "jwkSetUri": "{your_jwkSetUri}",
          "userIdAttribute": "email",
          "scope": [
            "openid",
            "email",
            "profile"
          ]
        }
      }

    Required fields

    name
        Name of the OIDC realm.
        Example: oidc

    clientSecret
        A secret value shared between the application and the authentication server.
        Example: N/A

    redirectUri
        The URI the identity provider redirects the user back to after sign-in.
        Example: https://EXAMPLE_COMPANY.b.lucidworks.cloud:6764/admin

    authorizationUri
        The authorization server's authorization endpoint.
        Example: https://${yourOktaDomain}/oauth2/default/v1/authorize

    tokenUri
        The token endpoint where the access token is obtained.
        Example: https://${yourOktaDomain}/oauth2/default/v1/token

    clientId
        A unique value that identifies the client to the authorization server.
        Example: N/A

    jwkSetUri
        The URL of the authorization server's JSON Web Key Set (JWKS), used to verify token signatures.
        Example: https://${yourOktaDomain}/oauth2/default/v1/keys
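    Before POSTing a realm config it is worth checking that every required field from the table above is present, that no {your_...} placeholder from the sample survived, and that every endpoint uses https. The script below is an added example, not Lucidworks code; the SAMPLE_REALM values are constructed, and the reading of roleMapping as [okta_group, fusion_role] pairs is an assumption drawn from the sample configuration.

```python
"""Sanity-check a Fusion OIDC realm config before POSTing it to /api/realm-configs (added example)."""
from urllib.parse import urlparse

REQUIRED_CONFIG = ("clientId", "jwkSetUri")
REQUIRED_CODE = ("clientSecret", "redirectUri", "authorizationUri", "tokenUri")
URI_FIELDS = ("redirectUri", "authorizationUri", "tokenUri", "jwkSetUri")

# Constructed sample: the page's template with its {your_...} placeholders filled in (hosts are made up).
SAMPLE_REALM = {
    "realmType": "oidc", "name": "okta", "enabled": True, "roleNames": ["admin"],
    "config": {
        "autoCreateUsers": True, "groups": {"roleMapping": [["role_user", "admin"]]},
        "code": {
            "clientSecret": "REPLACE_ME_SECRET",
            "redirectUri": "https://example.b.lucidworks.cloud:6764/admin",
            "authorizationUri": "https://example.okta.com/oauth2/default/v1/authorize",
            "tokenUri": "https://example.okta.com/oauth2/default/v1/token",
        },
        "clientId": "0oa-example-client", "userIdAttribute": "email",
        "jwkSetUri": "https://example.okta.com/oauth2/default/v1/keys",
        "scope": ["openid", "email", "profile"],
    },
}

def validate_realm(realm: dict) -> list:
    """Return a list of problems; an empty list means the config passes these checks."""
    problems = []
    cfg, code = realm.get("config", {}), realm.get("config", {}).get("code", {})
    problems += [f"config.{f} is required" for f in REQUIRED_CONFIG if not cfg.get(f)]
    problems += [f"config.code.{f} is required" for f in REQUIRED_CODE if not code.get(f)]
    # A sample copied verbatim still carries {your_...} template values.
    problems += [f"{f} still holds a template placeholder" for f, v in {**cfg, **code}.items()
                 if isinstance(v, str) and v.startswith("{your_")]
    # The client secret, authorization code and tokens travel over these URLs: require TLS.
    for f in URI_FIELDS:
        v = code.get(f) or cfg.get(f)
        if isinstance(v, str) and v and urlparse(v).scheme != "https":
            problems.append(f"{f} must use https, got {v!r}")
    if "openid" not in cfg.get("scope", []):
        problems.append("scope must include 'openid' for an OIDC flow")
    for pair in cfg.get("groups", {}).get("roleMapping", []):
        if not (isinstance(pair, list) and len(pair) == 2):
            problems.append(f"roleMapping entry {pair!r} is not a [group, role] pair")
    return problems

def roles_for_groups(realm: dict, groups: list) -> set:
    """Resolve an ID token's groups claim to Fusion roles through roleMapping (assumed semantics)."""
    mapping = realm.get("config", {}).get("groups", {}).get("roleMapping", [])
    return {role for group, role in mapping if group in groups}
```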

    Google authentication

    For authenticating with Google, use Google's OpenID Connect discovery document (its OpenID Configuration) to retrieve the required values for authorizationUri, tokenUri, jwkSetUri, and issuer.

    Okta authentication

    OpenID Connect authentication with Okta involves mapping Okta groups to Managed Fusion roles. The Okta group information can be retrieved from Okta’s admin view:

    1. Navigate to API > Authorization Server.

    2. Select the server to configure for mapping.

    3. In the Scope menu, add the authentication groups.

    4. In the Claims menu, add a new claim named groups, include it in the ID token, and set its filter to the regex .*, which exposes all of the user's groups (a narrower pattern limits the claim to just the groups you intend to map).