...
If you have not already done so, register register User Administration with your OpenID Connect identity provider. You can get the values for the attributes used in the oidc.json file from the authorization server (Keycloak, connect2id, etc.and so on).
Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. The
<pstsec>/pstsec/login/oauth2/code/dtpURI should be registered.
...
| Attribute | Value | Description | |
|---|---|---|---|
enabled | boolean | Enables or disables OIDC authentication. Default is false. | |
issuerUri | string | Specifies the value of the issureUri parameter is the URI of the Authorization Server. The URI will be appended with /.well-known/openid-configuration to build the complete discovery endpoint when file is processed. | |
clientId | string | Specifies the public identifier registered for License Server with your OIDC provider. | |
clientSecret | string | Specifies the client secret for License Server. | |
encryptedClientSecret | string | Specifies the client secret for License Server as an encrypted string. You can use this attribute instead of This value can be encoded using the | |
scopes | array of strings | Defines the set of user information that the OIDC server will provide to the client. License Serverprimarily Server primarily uses values specified in the array to gain access to the user claims. The The following array is defined by default:
| |
claimMappings | object | Represents information about users. | |
username | string | Specifies the value mapped to the username claimed in OIDC. Default is preferred_username. | |
firstName | string | Specifies the value mapped to the first name claimed in OIDC. Default is given_name. | |
lastName | string | Specifies the value mapped to the last name claimed in OIDC. Default is family_name. | |
email | string | Specifies the value mapped to the email claimed in OIDC. Default is email. | |
adminUsers | array of strings | Specifies existing users in your organization that should be granted administrator privileges upon logging in. | |
...
- Keycloak should be using RS256 as the default signature algorithm.
- The access token from Keycloak should include user information available that can also be retrieved from the Keycloak
userinfo APIendpoint. - The following redirect URIs should be registered:
- host
<HOST>:port<PORT>/*(default windows port is 80, linux port is 8080) - host
<HOST>:8314/* - host
<HOST>:8082/*(for Data Collector upload form)
- host
In this example, demo is is the name of the realm, and two administrator users (admin1 and admin2) will be created.
| No Format |
|---|
"enabled": true, "issuerUri": "https://host:8095/auth/realms/demo/", "clientId": "pstsec", "clientSecret": "4d35ef23-aec5-44d7-9c59-18092bd619e8", "scopes": ["openedopenid","profile","email"], "claimMappings": { "username": "preferred_name", "firstName": "given_name", "lastName": "family_name", "email": "email" } "adminUsers": ["admin1","admin2"] |
...
| No Format |
|---|
"enabled": true, "issuerUri": "https://accounts.google.com", "clientId": "<clientId-from-google>", "clientSecret": "<clientSecret-from-google>", "scopes": ["openedopenid","profile","email"], "claimMappings": { "username": "given_name", "firstName": "given_name", "lastName": "family_name", "email": "email" } "adminUsers": ["admin1","admin2"] |
...
The following example demonstrates how to configure OpenID Connect for connect2id. Users must access User Administration over over HTTPS when using connect2id as the OpenID Connect provider.In this example, c2id is the name of the realm. Two administrator users (admin1 and admin2) will be created.
| No Format |
|---|
"enabled": true, "issuerUri": "https://host:port/c2id", "clientId": "<clientId-from-c2id>", "clientSecret": "<clientSecret-from-c2id>", "scopes": ["openedopenid","profile","email"], "claimMappings": { "username": "sub", "firstName": "given_name", "lastName": "family_name", "email": "email" } "adminUsers": ["admin1","admin2"] |
...
As a prerequisite, you must configure authentication for the Azure app to allow the following web redirect URIs:
https://<DTPhost and port>_HOST>:<PORT>/grs/login/oauth2/code/dtphttps://<DTPhost and port>_HOST>:<PORT>/licenseserver/login/oauth2/code/dtphttps://<DTPhost and port>_HOST>:<PORT>/pst/login/oauth2/code/dtphttps://<DTPhost and port>_HOST>:<PORT>/pstsec/login/oauth2/code/dtp
The port is not required if the host uses the default HTTPS port 443.
The following example demonstrates how to configure OpenID Connect for Azure. In this example, two administrator users ([email protected] and johnand john[email protected]) will be created.
| Code Block | ||
|---|---|---|
| ||
{
"enabled": true,
"issuerUri": "https://login.microsoftonline.com/<tenantId>/v2.0",
"clientId": "<clientId-from-Azure>",
"clientSecret": "<clientSecret-from-Azure>",
"scopes": ["openid", "profile", "email"],
"claimMappings": {
"username": "email",
"firstName": "given_name",
"lastName": "family_name",
"email": "email"
},
"adminUsers": [
"[email protected]",
"[email protected]"
]
} |
The claimMappings uses fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains a limited set of fields. The following contains an example response for the user with the email address [email protected].
| Code Block | ||
|---|---|---|
| ||
{
"sub": "<unique value for user>",
"name": "Jane Jones",
"given_name": "Jane",
"family_name": "Jones",
"picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
"email": "[email protected]"
} |
...
You must pass the token for every API call, regardless of the method. In the following example, a token with the value "1234567890" is is passed to the DTP build API endpoint.
...