Configure OpenID Connect Authentication

The OpenID Connect protocol is widely supported by SSO identity providers, including Google, PingFederate, AD FS, Okta, Microsoft Entra ID (formerly known as Azure Active Directory), Microsoft, or SalesForce.com.

Semarchy xDM supports authentication with such providers using OpenID Connect identity providers.

Supported Capabilities

With an OpenID Connect IDP, the authenticating user is redirected to the OpenID Connect issuer for SSO and is authenticated using a Client ID and Client Secret provided by the issuer.

After the authentication, the username is returned in the Username Claim, and the list of roles is returned in a Role Claim.

The profile properties are synchronized from Claims mapped by their name. These claims should be included in the list of Additional Scopes to request from the IDP.

Configuration

To configure OpenID Connect authentication, follow the steps to configure an identity provider with the OpenID Connect type, using the properties listed in the following table for reference.

Property Definition

Connectivity
The following properties configure the connection and exchanges for OpenID Connect authentication.

Issuer Identifier

OpenID Connect issuer, typically a URL. This property is mandatory. For example https://accounts.google.com.

Client ID

Client ID used to authenticate to the OpenID Connect service. This property is mandatory.

Client Secret

Client secret used to authenticate to the OpenID Connect service. This property is mandatory.

Redirect URL

URL to which the identity provider should return the user after authentication. This property is read-only. The default generated value is <host-base-url>/login/oauth2/code/<idp-name>, where <host-base-url> is the base URL by which you access Semarchy xDM.

In high-availability architectures, you can access Semarchy xDM via two URLs:

One for the Active Node, using the host and port of the active node.
One for Load Balancer routing the traffic on the passive nodes, using the host and port of the load balancer.

Make sure to configure both these URLs in the third-party IDP for redirection to work for both the active and load-balanced passive nodes.

Logout URL

Identity provider URL to perform SSO logout. If unspecified, only a local logout is performed.

User Authentication
The following properties configure how user information is retrieved.

Additional Scopes

Comma-separated list of additional scopes requested from the identity provider, in addition to the openid, email, and profile scopes requested by default. These scopes return a set of claims as defined in the identity provider. Note that OpenID Connect providers return no value when requesting an unknown scope.

Username Claim

ID Token claim containing the user name. This property is mandatory. The default value is email

Roles
The following properties are used to retrieve the roles of an authenticated user.

Roles Claim

Claim mapped to the list of roles. The default value is groups.

Roles Claim Separator

Character separating roles in the roles claim token if the role claim is a delimited string. The default value is ,.

Advanced
The following properties cover specific configuration situations.

Extra Parameters

Extra parameters added to the query string of the identity provider authorization endpoint URL. The value is a JSON object with keys being the parameter names and value being the parameter values. For example, Google supports a specific HD parameter to limit the accounts to a specific domain.

Provider Document URL

If the identity provider is not using the standard document endpoint /well-known/openid-configuration, use this property to specify the configuration document URL.

Profile Synchronization

With OpenID Connect, each profile attribute may be mapped to a claim by its name. The identity provider must be configured accordingly to have this claim returned in the Additional Scopes.