Step 1

From the Administration navigation pane, select OAuth Single Sign-On. The OAuth Single Sign-On page displays.

Step 2

Enter / select your OAuth Single Sign-On settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the button.

Field Name / Description

Details

This section contains detailed information on the OAuth Single Sign-On.

OAuth Single Sign-On

If enabled, turns on OAuth Single Sign-On.

If disabled, all fields are read-only.

User Provisioning

Turns on or off the provisioning of users from Access or ID Token attributes.

Select the application access method(s) to which User Provisioning should apply.

Issuer URI

Universal Controller uses the Issuer URI for discovery of the OpenID Connect / OAuth 2.0 protocol endpoints for authenticating users.

One of the following must be a supported endpoint on the authorization server, referred to as a Provider Configuration endpoint or an Authorization Server Metadata endpoint.

{Issuer URI}/.well-known/openid-configuration

{Issuer URI Host}/.well-known/openid-configuration/{Issuer URI Path}

{Issuer URI Host}/.well-known/oauth-authorization-server/{Issuer URI Path}

Scopes

List of OAuth scopes. Default is "openid".

Client Id

Client identifier for the Universal Controller Web Application required for OAuth flows.

Client Secret

Client secret used for client authentication with the authorization server.

Proof Key for Code Exchange (PKCE)

Authorization Code grant type requires PKCE as additional verification.

User Id (Username) Claim Name

Specifies the name of the claim / attribute used to identify the Universal Controller User Id (Username).

If left unspecified, defaults to the Subject identifier (sub).

Cluster Node Base Redirect URLs

Cluster Node Base Redirect URLs are used to construct the sign-in redirection endpoint for each Cluster Node and are specified as a URL with protocol, server, port, and context path:

scheme://server:port/contextPath

If not specified, defaults to values from the request using the Host header value, if any, or the resolved server name (or server IP address) and server port the client connection was accepted on.

It is recommended that you specify the Base Redirect URL for each Cluster Node rather than rely on the Host header value for redirection endpoint resolution.

The fully qualified sign-in redirection endpoint for each Cluster Node will be:

{Cluster Node Base Redirect URL}/login/oauth2/code/default

Each Cluster Node's fully qualified sign-in redirection endpoint must be added to your registered application in the authorization server.

OAuth Bearer Token Validation

Choose the type of OAuth2 Bearer Token authentication supported for Universal Controller Web Service API endpoints.

  • None

  • Opaque Token

  • JWT

If None, then only Basic and Personal Access Token authentication are supported.

Introspection URI

If OAuth Bearer Token Validation = Opaque Token;

The introspection endpoint URI.

JWK Set URI

If OAuth Bearer Token Validation = JWT;

Specifies a JSON Web Key (JWK) endpoint that contains the public keys used for Access and ID Token verification.

If left unspecified, Universal Controller will use the Issuer URI to query the Provider Configuration or Authorization Server Metadata endpoint for the JWK Set URI.

Audience Claim Value

If OAuth Bearer Token Validation = JWT;

It is recommended that you specify the expected audience claim value so that Universal Controller can validate that the token's audience (aud) claim matches.
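As an added example (not part of this documentation or of the Universal Controller product code), the following Python derives the three metadata URL forms from an Issuer URI, builds each Cluster Node's sign-in redirection endpoint from its Base Redirect URL, and checks a token's aud claim against the configured Audience Claim Value. All URLs and claim values are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit


def discovery_candidates(issuer_uri: str) -> list[str]:
    """Return the metadata URL forms listed for the Issuer URI field, in the
    page's order. With an Issuer URI that has no path, the first two forms
    coincide and are returned once."""
    parts = urlsplit(issuer_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"Issuer URI must be an absolute http(s) URL: {issuer_uri!r}")
    host = urlunsplit((parts.scheme, parts.netloc, "", "", ""))  # {Issuer URI Host}
    path = parts.path.strip("/")                                  # {Issuer URI Path}
    suffix = f"/{path}" if path else ""
    candidates = [
        f"{host}{suffix}/.well-known/openid-configuration",
        f"{host}/.well-known/openid-configuration{suffix}",
        f"{host}/.well-known/oauth-authorization-server{suffix}",
    ]
    return list(dict.fromkeys(candidates))  # drop duplicates, keep order


def redirect_endpoints(base_urls: list[str]) -> list[str]:
    """Build the sign-in redirection endpoint for each Cluster Node Base
    Redirect URL (scheme://server:port/contextPath). Each result is the value
    that must be registered with the authorization server."""
    endpoints = []
    for base in base_urls:
        parts = urlsplit(base)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"Base Redirect URL needs scheme and host: {base!r}")
        if parts.query or parts.fragment:
            raise ValueError(f"Base Redirect URL must not carry a query or fragment: {base!r}")
        endpoints.append(base.rstrip("/") + "/login/oauth2/code/default")
    return endpoints


def audience_matches(claims: dict, expected: str) -> bool:
    """True when the token's aud claim contains the configured Audience Claim
    Value. RFC 7519 allows aud to be one string or an array of strings; any
    other shape, or an empty expected value, is rejected."""
    if not expected:
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return expected in aud
    return False
```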

Attribute Mappings

If User Provisioning = Web Browser Access and/or Web Service Access;

This section allows you to configure a mapping between user fields and attributes.

First Name

Name of an attribute from the Access or ID Token containing the user's First Name.

Middle Name

Name of an attribute from the Access or ID Token containing the user's Middle Name.

Last Name

Name of an attribute from the Access or ID Token containing the user's Last Name.

Business Phone

Name of an attribute from the Access or ID Token containing the user's Business Phone.

Home Phone

Name of an attribute from the Access or ID Token containing the user's Home Phone.

Mobile Phone

Name of an attribute from the Access or ID Token containing the user's Mobile Phone.

Email

Name of an attribute from the Access or ID Token containing the user's Email.

Title

Name of an attribute from the Access or ID Token containing the user's Title.

Manager

Name of an attribute from the Access or ID Token containing the user's Manager Name.

Department

Name of an attribute from the Access or ID Token containing the user's Department.

Active

Name of an attribute from the Access or ID Token containing the user's Active condition.

Groups

Name of a multi-valued attribute from the Access or ID Token containing the Group Names the user is a member of.

Universal Portal

This section allows you to set up OAuth Single Sign-On for Universal Portal.

Portal Client Id

Client identifier for the Universal Portal Single Page Application required for OAuth flows.
Portal API Scopes

Optionally, specifies the scopes required when requesting an Access Token for the Universal Controller Web Application APIs.

For example, if the Universal Portal SPA needs to specify a custom scope api://{client-id}/resources in addition to openid and profile when requesting an Access Token for the Universal Controller Web Application APIs, you would specify the following.

  • api://{client-id}/resources

  • openid

  • profile

If left unspecified, the Universal Portal SPA will use the value of the Scopes field.

Security

OAuth Single Sign-On can be viewed only by users with the ops_admin or ops_sso_admin role, regardless of Navigation Visibility; therefore, only users with the ops_admin or ops_sso_admin role can update OAuth Single Sign-On.