External Identity Providers
IFS IAM can be configured to use external Identity Providers (IDP). This document describes how an external Identity Provider can be integrated with IFS IAM.
Please note: IFS IAM supports only OpenID Connect (OIDC) providers.
Add External Identity Provider in IFS IAM
Go to Solution Manager > Users and Permissions > Identity and Access Manager > IAM Identity Providers and press Create.
Configure External Identity Provider in IFS IAM
After pressing Create, the following page will be displayed. When an IDP Id is given, a Redirect Uri will be created. Use that URI when performing the setup in the external identity provider, and then obtain the authorization endpoint and token endpoint from the external IDP.
| Field | Description |
|---|---|
| IDP Id | Unique identifier for the Identity Provider |
| Name | Display name for the login |
| Redirect Uri | Redirect URI to use when configuring the external identity provider |
| Enabled | Turn the provider on/off |
| Trust Email | If the identity provider supplies an email address, that email address will be trusted. If IFS IAM requires email validation, users that log in from this IDP will not have to go through the email verification process |
| Link Only | When this switch is on, this provider cannot be used to log in users and will not be shown as an option on the login page. Existing accounts can still be linked with this provider |
| Hidden | When this switch is on, this provider will not be shown as a login option on the login page. Clients can still request this provider by passing the 'kc_idp_hint' parameter in the URL they use to request a login |
| Gui Order | The order number that sorts how the available IDPs are listed on the login page |
| Sync Mode | Determines how user details are synchronised. If Import is chosen, the user details will not be updated; if Force is chosen, the user details will be updated whenever possible |
| Authorization Endpoint | Authorization URL endpoint required by the OIDC protocol |
| Token Endpoint | Token URL endpoint required by the OIDC protocol |
| Logout Endpoint | Logout URL endpoint defined in the OIDC protocol. This value is optional |
| User Info Endpoint | User Info URL endpoint defined by the OIDC protocol. This is an endpoint from which user profile information can be downloaded |
| Disable User Info | Disable use of the user info service to obtain additional user information |
| Pass Login Hint | Pass login_hint to the identity provider |
| Pass UI Locale | Pass the current locale to the identity provider as a ui_locales parameter |
| Backchannel Logout | Backchannel logout is a background, out-of-band REST invocation to the IDP to log out the user. Some IDPs can only perform logout through browser redirects, as they may only be able to identify sessions via a browser cookie |
| Client Auth Method | Switch to define the client authentication method to be used with the Authorization Code Flow. In the case of JWT signed with private key, the realm private key is used. In the other cases, a client secret has to be defined |
| Client Id | This realm will act as an OIDC client to the external IDP. Your realm will need an OIDC client ID when using the Authorization Code Flow to interact with the external IDP |
| Client Secret | This realm will need a client secret to use when using the Authorization Code Flow. The value of this field can refer to a value from an external vault |
| Issuer | Responses from the IDP may contain an issuer claim. This config value is optional. If specified, this claim will be validated against the value you provide |
| Scopes | Space-separated list of OIDC scopes to send with the authentication request. The default is openid |
| Validate Signatures | Another optional switch. It specifies whether IFS IAM will verify the signatures on the external ID Token signed by this identity provider. If this is on, IFS IAM will need to know the public key of the external OIDC identity provider. See below for how to set it up. WARNING: for performance reasons, IFS IAM caches the public key of the external OIDC identity provider. If you think that the private key of your identity provider was compromised, it is obviously good to update your keys, but it is also good to clear the keys cache |
| Acceptable Clock Skew | Clock skew in seconds that is tolerated when validating IDP tokens. Default value is zero |
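To make the Client Id, Redirect Uri, Scopes, Pass Login Hint, Pass UI Locale, Issuer and Acceptable Clock Skew settings concrete, here is an added Python illustration (not IFS IAM's own code) of how an OIDC broker turns such a configuration into its authorization request and which ID token claims it checks on the way back. The endpoints, configuration keys and function names are constructed assumptions for the example.

```python
# Added illustration, not IFS IAM's own code: the Authorization Code Flow
# request built from the IDP settings, and the claim checks applied to the
# returned ID token. Signature verification (Validate Signatures) is omitted.
from urllib.parse import urlencode

# Constructed sample configuration; all values are placeholders.
SAMPLE_CFG = {
    "authorization_endpoint": "https://idp.example.com/authorize",
    "client_id": "ifs-iam-broker",
    "redirect_uri": "https://ifs.example.com/broker/example-idp/endpoint",
    "scopes": "openid profile email",
    "pass_login_hint": True,
    "pass_ui_locale": True,
    "issuer": "https://idp.example.com",
    "clock_skew": 0,
}

def build_auth_request(cfg, state, login_hint=None, locale=None):
    """Return the Authorization Code Flow request URL for the configured IDP."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],    # the Redirect Uri IFS IAM generated
        "scope": cfg.get("scopes") or "openid",  # default scope is openid
        "state": state,                          # binds the callback to this request
    }
    if cfg.get("pass_login_hint") and login_hint:
        params["login_hint"] = login_hint
    if cfg.get("pass_ui_locale") and locale:
        params["ui_locales"] = locale
    return cfg["authorization_endpoint"] + "?" + urlencode(params)

def check_id_token_claims(claims, cfg, now):
    """Check decoded ID token claims against the IDP settings at time `now`
    (Unix seconds). Returns a list of problems; empty means acceptable."""
    skew = int(cfg.get("clock_skew", 0))        # Acceptable Clock Skew, default zero
    problems = []
    if cfg.get("issuer") and claims.get("iss") != cfg["issuer"]:
        problems.append("issuer mismatch")      # only enforced when Issuer is set
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")    # token was not issued to this client
    if "exp" not in claims or now > int(claims["exp"]) + skew:
        problems.append("token expired")
    if "iat" in claims and int(claims["iat"]) > now + skew:
        problems.append("issued in the future")
    if "sub" not in claims:
        problems.append("missing sub")
    return problems
```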
Attribute Mapping
By default, Identity brokering uses email as your Directory ID. If the external identity provider is configured to use something other than email, use an attribute mapper to change the default settings.
Please remove the User Info endpoint from the IDP configuration in order to work with Attribute Mappers.
Add Attribute Mapper
- Log in to the Solution Manager with an Admin user.
- Navigate to IDP Attribute Mapper.
- Create a new mapper.
- Use any value for the name.
- For Claim, use the Active Directory attribute that you use for the Directory ID (Username).