...
OIDC Server Configuration
- If you have not already done so, register DTP with your OpenID Connect identity provider.
- Make a note of the following values from the registration; you will need them when editing oidc.json:
  - issuerUri
  - clientId
  - clientSecret
- Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. The following redirect URIs should be registered:
Required:
  http(s)://<DTP_HOST>:<PORT>/pst/login/oauth2/code/dtp
  http(s)://<DTP_HOST>:<PORT>/pstsec/login/oauth2/code/dtp (User Administration)
  http(s)://<DTP_HOST>:<PORT>/grs/login/oauth2/code/dtp (Required for Report Center/Enterprise Pack)
Optional (the following redirect URIs only need to be registered to enable logging in directly through the individual applications):
  http(s)://<DTP_HOST>:<PORT>/licenseserver/login/oauth2/code/dtp (License Server)
  http(s)://<DATA_COLLECTOR_URL>/login/oauth2/code/dtp (Data Collector)
...
Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure the OIDC provider properties used by DTP.

  {
    "enabled": false,
    "issuerUri": "your issuer uri",
    "clientId": "your client id",
    "clientSecret": "your client secret",
    "scopes": ["openid", "profile", "email"],
    "claimMappings": {
      "username": "preferred_username",
      "firstName": "given_name",
      "lastName": "family_name",
      "email": "email"
    },
    "adminUsers": []
  }

The oidc.json file should be configured before the admin users log in for the first time; otherwise those users will be added to the database without the permissions necessary for performing administrative functions.
...
The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.
Keycloak
The following configurations are prerequisites for configuring OpenID Connect for Keycloak as described in this example:
Keycloak
...
...
  <HOST>:<PORT>/* (default Windows port is 80, Linux port is 8080)
  <HOST>:8314/*
  <HOST>:8082/* (for Data Collector upload form)
...
In this example, demo is the name of the realm, and two administrator users (admin1 and admin2) will be created.
...
Azure (Microsoft Entra ID)
As a prerequisite, you must configure authentication for the Azure app to allow the following web redirect URIs:
https://<DTP_HOST>:<PORT>/grs/login/oauth2/code/dtp
https://<DTP_HOST>:<PORT>/licenseserver/login/oauth2/code/dtp
https://<DTP_HOST>:<PORT>/pst/login/oauth2/code/dtp
https://<DTP_HOST>:<PORT>/pstsec/login/oauth2/code/dtp
...
The following example demonstrates how to configure OpenID Connect for Azure. In this example, two administrator users ([email protected] and [email protected]) will be created.

  {
    "enabled": true,
    "issuerUri": "https://login.microsoftonline.com/<tenantId>/v2.0",
    "clientId": "<clientId-from-Azure>",
    "clientSecret": "<clientSecret-from-Azure>",
    "scopes": ["openid", "profile", "email"],
    "claimMappings": {
      "username": "email",
      "firstName": "given_name",
      "lastName": "family_name",
      "email": "email"
    },
    "adminUsers": [
      "[email protected]",
      "[email protected]"
    ]
  }
The claimMappings entries name fields from the response to https://graph.microsoft.com/oidc/userinfo, which contains only a limited set of fields. The following is an example response for the user with the email address [email protected].

  {
    "sub": "<unique value for user>",
    "name": "Jane Jones",
    "given_name": "Jane",
    "family_name": "Jones",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "[email protected]"
  }
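The following script is an added example, not Parasoft's code, that ties together the redirect URI list, the oidc.json checks, and the claimMappings behaviour described above (the warning about configuring adminUsers before first login, and the Azure mapping of username to the email claim). The DTP host, port, tenant id, client id, secret and e-mail addresses in it are constructed; the checks it performs (https issuer, no leftover placeholders, openid scope, all four mappings present, adminUsers set when enabled) are this example's own, not a list from the product.

```python
"""Pre-flight checks for a DTP oidc.json and a model of how claimMappings
turn an OIDC userinfo response into a DTP user. Added example; file layout
follows the page, all concrete values below are constructed."""
import json
from urllib.parse import urlparse

# oidc.json as shipped, placeholders still in place (content taken from the page).
DEFAULT_TEMPLATE = """{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {"username": "preferred_username", "firstName": "given_name",
                    "lastName": "family_name", "email": "email"},
  "adminUsers": []
}"""

# Entra ID style configuration; tenant id, client id, secret and addresses are fake.
ENTRA_CONFIG = """{
  "enabled": true,
  "issuerUri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "constructed-secret-value",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {"username": "email", "firstName": "given_name",
                    "lastName": "family_name", "email": "email"},
  "adminUsers": ["jane.jones@example.com", "admin2@example.com"]
}"""

# Userinfo response shaped like the one on the page (constructed values).
USERINFO_JANE = {
    "sub": "constructed-sub-value",
    "name": "Jane Jones",
    "given_name": "Jane",
    "family_name": "Jones",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "jane.jones@example.com",
}

REQUIRED_MAPPINGS = ("username", "firstName", "lastName", "email")


def load_config(text):
    return json.loads(text)


def redirect_uris(dtp_host, port, scheme="https", data_collector_url=None):
    """Redirect URIs to register at the IdP, as listed on the page.
    data_collector_url is the full Data Collector base URL including scheme (assumption)."""
    base = f"{scheme}://{dtp_host}:{port}"
    required = [f"{base}/{app}/login/oauth2/code/dtp" for app in ("pst", "pstsec", "grs")]
    optional = [f"{base}/licenseserver/login/oauth2/code/dtp"]
    if data_collector_url:
        optional.append(f"{data_collector_url.rstrip('/')}/login/oauth2/code/dtp")
    return {"required": required, "optional": optional}


def _is_placeholder(value):
    # "your ..." is the shipped template text; angle brackets mark an unfilled example value.
    return not isinstance(value, str) or not value.strip() or value.startswith("your ") or "<" in value


def validate_oidc_config(cfg):
    """Return a list of problems; an empty list means the file is ready for first login."""
    problems = []
    for key in ("issuerUri", "clientId", "clientSecret"):
        if _is_placeholder(cfg.get(key)):
            problems.append(f"{key} still holds a placeholder or is empty")
    if urlparse(cfg.get("issuerUri", "")).scheme != "https":
        problems.append("issuerUri must be an https URL")
    if "openid" not in cfg.get("scopes", []):
        problems.append("scopes must include openid")
    mappings = cfg.get("claimMappings", {})
    for name in REQUIRED_MAPPINGS:
        if not mappings.get(name):
            problems.append(f"claimMappings.{name} is missing")
    # The page warns that admins must be listed before their first login,
    # otherwise they are created without administrative permissions.
    if cfg.get("enabled") and not cfg.get("adminUsers"):
        problems.append("enabled is true but adminUsers is empty")
    return problems


def map_userinfo(cfg, userinfo):
    """Build the DTP user record that claimMappings would produce from a userinfo response.
    A missing or empty mapped claim is an error: silently creating a user with an
    empty username (e.g. when the IdP omits the email claim) is the failure to avoid."""
    user = {}
    for dtp_field, claim in cfg["claimMappings"].items():
        if not userinfo.get(claim):
            raise ValueError(f"userinfo lacks claim '{claim}' mapped to {dtp_field}")
        user[dtp_field] = userinfo[claim]
    user["isAdmin"] = user["username"] in cfg.get("adminUsers", [])
    return user


if __name__ == "__main__":
    cfg = load_config(ENTRA_CONFIG)
    print("template problems:", validate_oidc_config(load_config(DEFAULT_TEMPLATE)))
    print("entra problems:", validate_oidc_config(cfg))
    print("redirects:", redirect_uris("dtp.example.com", 8443, data_collector_url="https://dc.example.com:8082"))
    print("jane:", map_userinfo(cfg, USERINFO_JANE))
```

Run it against the shipped template and every placeholder is reported before DTP ever sees the file; run it against the filled-in file and an empty list means the admin users are in place for that first login. The redirect list is exact paths on purpose: where an identity provider lets you register a wildcard such as the <HOST>:<PORT>/* patterns in the Keycloak example, registering the exact paths instead keeps an authorization code from being delivered to any other page under that host.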
...