Skip to content

External Identity Providers

IFS IAM can be configured to use external Identity Providers(IDP). This document describes how an external Identity Provider can be integrated with IFS IAM.

** Please note: IFS IAM supports only OpenID Connect(OIDC) providers.

Add External Identity Provider in IFS IAM

Go to Solution Manager > Users and Permissions > Identity and Access Manager > IAM Identity Providers and press Create

Configure External Identity Provider in IFS IAM

After pressing Create, the following page will be displayed. When an IDP Id is given, a Redirect Uri will be created. Use that URI when performing the setup in the external identity provider. And then obtain the authorization endpoint and token endpoint from the external IDP.

Field Description
IDP Id Unique identifier for the Identity Provider
Name Display name for the login
Redirect Uri Redirect Uri to use when configuring the external identity provider
Enabled Turn the provider on/off
Store Token Whether or not to store the token received from the identity provider
Trust Email If the identity provider supplies an email address this email address will be trusted. If IFS IAM required email validation, users that log in from this IDP will not have to go through the email verification process
Link Only When this switch is on, this provider cannot be used to login users and will not be shown as an option on the login page. Existing accounts can still be linked with this provider though
Hidden When this switch is on, this provider will not be shown as a login option on the login page. Clients can still request to use this provider by using the 'kc_idp_hint' parameter in the URL they use to request a login
Gui Order The order number that sorts how the available IDPs are listed on the login page
Sync Mode Determines the method to sync user details. If Import is chosen the user details will not be updated, and if Force is chosen, the user details will be updated when possible.
Authorization Endpoint Authorization URL endpoint required by the OIDC protocol
Token Endpoint Token URL endpoint required by the OIDC protocol
Logout Endpoint Logout URL endpoint defined in the OIDC protocol. This value is optional
User Info Endpoint User Info URL endpoint defined by the OIDC protocol. This is an endpoint from which user profile information can be downloaded
Disable User Info Disable usage of user info service to obtain additional user information
Pass Login Hint Pass Login_hint to identity provider
Pass UI Locale Pass the current locale to the identity provider as a ui_locales parameter
Backchannel Logout Backchannel logout is a background, out-of-band, REST invocation to the IDP to logout the user. Some IDPs can only perform logout through browser redirects as they may only be able to identity sessions via a browser cookie
Client Auth Method Switch to define the Client Authentication method to be used with the Authorization Code Flow. In the case of JWT signed with private key, the realm private key is used. In the other cases, a client secret has to be defined
Client Id This realm will act as an OIDC client to the external IDP. Your realm will need an OIDC client ID when using the Authorization Code Flow to interact with the external IDP
Client Secret This realm will need a client secret to use when using the Authorization Code Flow. The value of this field can refer a value from an external vault
Issuer Responses from the IDP may contain an issuer claim. This config value is optional. If specified, this claim will be validated against the value you provide
Scopes Space-separated list of OIDC scopes to send with the authentication request. The default is openid
Validate Signatures Another optional switch. This is to specify if IFS IAM will verify the signatures on the external ID Token signed by this identity provider. If this is on, the IFS IAM will need to know the public key of the external OIDC identity provider. See below for how to set it up. WARNING: For the performance purposes, IFS IAM caches the public key of the external OIDC identity provider. If you think that private key of your identity provider was compromised, it is obviously good to update your keys, but it’s also good to clear the keys cache
Acceptable Clock Skew Clock skew in seconds that is tolerated when validating IDP tokens. Default value is zero

Attribute Mapping

By default, Identity brokering uses email as your Directory ID. If the external identity provider configured to use something else other than email, use an attribute mapper to change the default settings.

Please remove the User Infor endpoint from the IDP Configurations in order to work with Arritue Mappers.

Add Attribute Mapper

  • Login to the Solution Manager with Admin user.
  • Navigate to IDP Attribute Mapper.
  • Create a new mapper.
  • Use any value to the name.
  • Use the correct active directory attribute that you use for Directory ID (Username) for Claim.