Configuring an OIDC Authentication Provider
Introduction
OneAccess allows you to configure an OIDC authentication provider so that users can log in to each connected system through it, which adds login modes and improves the login experience.
OIDC is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. For details, see Welcome to OpenID Connect.
This section describes how to integrate a third-party authentication provider with OneAccess through OIDC. Okta is used as an example.
Prerequisites
- You have administrator permissions for the Okta platform. For details, see the documentation of the Okta platform.
- You have permissions to access the administrator portal.
Creating an Application on Okta
Create an application on the Okta platform and configure its authorization information for OneAccess, so that Okta and OneAccess trust each other.
- Log in to the Okta platform.
- On the Okta platform, choose Applications > Add Application, click Create New App, and set the application parameters. For details, see the documentation of the Okta platform.
When you configure the application, set Login redirect URIs to the invocation address automatically generated for the authentication provider that you have added in OneAccess. For details, see Table 1. For example: https://xxx.huaweioneaccess.com/api/v1/oidc/sso/2***71-8***-D***1.
Figure 1 Configuring parameters
Figure 2 Configuring login redirect URIs
- Configure the application parameters and authorize access to specific users. For details, see the documentation of the Okta platform.
Figure 3 Configuring application parameters
Figure 4 Authorizing users
Adding an OIDC Authentication Provider
Add an OIDC authentication provider and configure the application information in OneAccess.
- Log in to the administrator portal.
- In the navigation pane, choose Authentication > Authentication Providers > Enterprise Authentication Providers > OIDC.
- On the OIDC Authentication Providers page, click Add Authentication Provider in the upper right corner and set the required parameters.
Figure 5 Configuring parameters
Table 1 Configuring parameters
Parameter | Mandatory | Description
Icon | No | Upload a PNG, JPG, or GIF image whose size does not exceed 50 KB. The recommended size is 32 x 32 pixels.
Display Name | Yes | Display name of the authentication provider, for example, OpenID Connect.
Authentication Type | Yes | User authentication type. Select Initiated by user. NOTE: The authentication type cannot be changed once specified. If authentication is initiated from the application side, select Initiated by authentication provider.
Public Key Format | Yes | Select a public key format based on the application.
Public Key | Yes | Obtain the public key from the jwks_uri of the OIDC provider or from the authentication provider administrator. The public key must match the selected public key format. If the public key format is JWKURL, the public key is https://{Okta domain name}/oauth2/v1/keys. If the public key format is JSON, the public key is the JSON content returned by https://{Okta domain name}/oauth2/v1/keys.
Signature Algorithm | Yes | The default value is RS256.
Audience | Yes | If Authentication Type is set to Initiated by authentication provider, set this parameter to the value of Audience generated for the application created in Creating an Application on Okta.
Process Type | Yes | Select a process type based on the application configuration. For example, select Authorization code from the drop-down list.
Response Type | Yes | The default value is code.
Scope | Yes | Corresponds to the scopes of the OIDC authentication provider. The value must contain openid, for example, openid email.
AuthorizationUrl | Yes | Corresponds to the value of EMBED LINK of the OIDC authentication provider.
ClientId | Yes | Corresponds to the value of Client ID of the OIDC authentication provider.
PKCE | Yes | Disabled by default. If Authentication Type is set to Initiated by user, enable this option.
TokenUrl | Yes | Token endpoint address, which you can obtain from token_endpoint of the OIDC provider. The format is https://{Okta domain name}/api/v1/oauth2/token.
LogoutUrl | No | Global logout address of the application, which you can obtain from the application.
Callback URL | Yes | Corresponds to the Login redirect URIs parameter of the application. The value of this parameter is generated automatically.
Source Attribute | Yes | Unique user attribute on the OIDC authentication provider side, for example, Email.
Related User Attribute | Yes | OneAccess user attribute that maps to the user attribute of the OIDC authentication provider, for example, Email.
No User Associated | Yes | Operation to perform if a user logs in successfully through OIDC authentication but cannot be associated with a system user, for example, Automatically create users.
To map other attributes, such as full name, set No User Associated to Automatically create users, and add the desired mappings. For details, see Table 2.
Table 2 Mapping parameters
Parameter | Description
User Attribute | Attribute (such as full name) in OneAccess that maps to the OIDC application.
Mapping Type | Mode of user attribute mapping between OneAccess and the OIDC application. NOTE: If Mapping Type is set to Authentication Provider Attribute, Source Attribute is required. If Mapping Type is set to Fixed Attribute Value, Fixed Attribute Value is required. If Mapping Type is set to Script-based, Script is required.
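The authorization-code flow that Table 1 configures (Process Type Authorization code, Response Type code, a Scope containing openid, PKCE enabled for Initiated by user, and the generated Callback URL), as an added Python example that is not part of the OneAccess or Okta documentation: it builds the redirect to AuthorizationUrl with an S256 PKCE challenge, checks the state on the callback, and assembles the request body sent to TokenUrl. The client ID, Okta authorize endpoint and callback URL below are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the Table 1 settings (not real OneAccess or Okta values).
CLIENT_ID = "0oa-example-client-id"                                           # ClientId
AUTHORIZATION_URL = "https://example.okta.com/oauth2/v1/authorize"            # AuthorizationUrl
CALLBACK_URL = "https://xxx.huaweioneaccess.com/api/v1/oidc/sso/PROVIDER-ID"  # Callback URL

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")  # unpadded base64url

def code_challenge(code_verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def build_authorization_request(scope="openid email", verifier="", state="") -> dict:
    """Build the redirect to AuthorizationUrl and return the secrets OneAccess must keep."""
    if "openid" not in scope.split():
        raise ValueError("Scope must contain openid for an OIDC login")
    verifier = verifier or b64url(secrets.token_bytes(32))  # kept server-side, never sent here
    state = state or b64url(secrets.token_bytes(16))        # ties the callback to this attempt
    params = {
        "response_type": "code",                 # Response Type
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",         # PKCE enabled
    }
    return {"url": f"{AUTHORIZATION_URL}?{urlencode(params)}", "verifier": verifier, "state": state}

def handle_callback(redirect_url: str, expected_state: str, verifier: str) -> dict:
    """Validate the redirect to Callback URL, then build the POST body for TokenUrl."""
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CALLBACK_URL:
        raise ValueError("response did not arrive at the registered Callback URL")
    query = parse_qs(parsed.query)
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["unknown"])[0])
    return {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": CALLBACK_URL, "client_id": CLIENT_ID,
            "code_verifier": verifier}           # lets Okta verify the PKCE challenge
```

The ID token returned by TokenUrl is then checked against the Public Key (JWKS) with the configured Signature Algorithm (RS256) and the Audience; that verification is done by a JOSE library and is not shown here.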