
Identity Provider Service

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

Identity Provider Service contains the properties that affect the Data Broker OAuth service.

Relations from This Component

The following components have a direct aggregation relation from Identity Provider Services:

Properties

The properties supported by this managed object are as follows:


General
  Basic Properties:
    identity-scim-resource-type
    default-login-success-url
    default-logout-success-url
    default-identity-authenticator
  Advanced Properties:
    None

OAuth2 and OpenID Connect
  Basic Properties:
    authorization-code-validity-duration
    access-token-validity-duration
    refresh-token-validity-duration
    id-token-validity-duration
    id-token-issuer-name
    signing-algorithm
    access-token-signing-key-pair
    access-token-signing-algorithm
  Advanced Properties:
    None

Self-service Account Flows
  Basic Properties:
    register-enabled
    register-resource-attribute
    recover-username-enabled
    recover-username-search-filter
    recover-username-validity-duration
    recover-username-full-text
    recover-username-compact-text
    recover-username-subject
    recover-password-enabled
    recover-password-search-filter
    recover-password-full-text
    recover-password-compact-text
    recover-password-subject
    recaptcha-key
    recaptcha-secret
  Advanced Properties:
    None

Basic Properties

identity-scim-resource-type

Property Group
General
Description
The SCIM Resource Type containing the credentials and attributes of identities that may be authenticated by the Data Broker. The Data Broker will perform authentication against this SCIM Resource Type using the credentials provided through the login UIs and REST APIs. Attributes of the authenticated identity may be retrieved and provided to applications via the SCIM /Me endpoint and/or OpenID Connect claims. If required, the Data Broker may also capture consent from the authenticated identity as part of the authorization flow. Lastly, account management, password management, consent management, external identity provider login/linking, and self-registration will also be performed against identities in this SCIM Resource Type. The SCIM Resource Type must be configured with a primary LDAP store adapter connected to an UnboundID Data Store or an UnboundID Proxy Server.
Default Value
Authentication, authorization, and identity provider services will be unavailable
Allowed Values
The DN of any SCIM Resource Type. The associated SCIM Resource Type must exist and must be enabled.
Multi-Valued
No
Required
No
Admin Action Required
Ensure the mapped SCIM Resource Type attributes in the self-registration form template, OpenID Connect claim mappings, and external identity provider attribute mappings correctly reference attributes from the SCIM Resource Type schema(s).

default-login-success-url

Property Group
General
Description
The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication.
Default Value
/
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
The Data Broker must be restarted for changes to this setting to take effect.

default-logout-success-url

Property Group
General
Description
The URL that will be redirected to after successful logout, if the post_logout_redirect_uri request parameter is not available.
Default Value
/
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
The Data Broker must be restarted for changes to this setting to take effect.

default-identity-authenticator

Property Group
General
Description
Specifies the default authenticator that will be used to initiate the authentication process.
Default Value
None
Allowed Values
The DN of any Identity Authenticator. The associated authenticator must be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

authorization-code-validity-duration

Property Group
OAuth2 and OpenID Connect
Description
Specifies the default validity duration of an authorization code. Applications may also specify a different validity duration that is specific to authorization codes generated for that application and will override this property.
Default Value
1 m
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-validity-duration

Property Group
OAuth2 and OpenID Connect
Description
Specifies the default validity duration of an access token. Applications may also specify a different validity duration that is specific to access tokens granted for that application and will override this property.
Default Value
12 h
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

refresh-token-validity-duration

Property Group
OAuth2 and OpenID Connect
Description
Specifies the default validity duration of a refresh token. Applications may also specify a different validity duration that is specific to refresh tokens generated for that application and will override this property. A value of "0 s" will disable the generation of refresh tokens.
Default Value
30 d
Allowed Values
A duration. Lower limit is 0 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

id-token-validity-duration

Property Group
OAuth2 and OpenID Connect
Description
Specifies the default validity duration of an OpenID Connect ID Token. Applications may also specify a different validity duration that is specific to id tokens granted for that application and will override this property.
Default Value
15 m
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

id-token-issuer-name

Property Group
OAuth2 and OpenID Connect
Description
Specifies a unique identifier for the Issuer (iss) claim of an ID Token. The value of this property is inserted into a URL of the form https://issuer_name when returned as the unique issuer identifier in an OpenID Connect ID Token. As an initial default, the create-initial-broker-config tool will populate this property with the host name of the Data Broker installation; however, it may be set to any value appropriate for the service provider.
Default Value
replace_this_value
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

signing-algorithm

Property Group
OAuth2 and OpenID Connect
Description
The default signing algorithm to use when generating an OpenID Connect ID Token. Applications may also specify a different signing algorithm that is specific to responses generated for that application and will override this property.
Default Value
hs256
Allowed Values
hs256 - HMAC using SHA-256 hash algorithm.

hs384 - HMAC using SHA-384 hash algorithm.

hs512 - HMAC using SHA-512 hash algorithm.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-signing-key-pair

Property Group
OAuth2 and OpenID Connect
Description
The key pair to use to sign the JWTs used for access tokens. The name of the key pair will be included in the token header and will be used to look up the key during validation. An access token will be considered valid as long as the key pair that was used to sign it is still defined.
Default Value
OAuth 2 and OpenID Connect services will be unavailable
Allowed Values
The DN of any Key Pair.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

access-token-signing-algorithm

Property Group
OAuth2 and OpenID Connect
Description
The algorithm to use when signing access tokens.
Default Value
RS512
Allowed Values
RS256 - RSASSA-PKCS1-v1_5 using SHA-256.

RS384 - RSASSA-PKCS1-v1_5 using SHA-384.

RS512 - RSASSA-PKCS1-v1_5 using SHA-512.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
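As an added example (not code from the Data Broker or its documentation), the following Python mints and verifies an OpenID Connect ID token the way the OAuth2 and OpenID Connect properties above describe it: an HMAC signature chosen by the configured signing-algorithm (hs256 default), an iss claim of the form https://issuer_name, and an exp derived from id-token-validity-duration (15 m). The issuer name, shared secret and timestamps are constructed values; the verifier pins the algorithm to the configured setting instead of trusting the token header, and rejects expired or wrong-issuer tokens.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins for the Identity Provider Service properties described above.
ISSUER_NAME = "idp.example.test"     # id-token-issuer-name (assumed value; default is replace_this_value)
ID_TOKEN_VALIDITY_S = 15 * 60        # id-token-validity-duration default "15 m"
SIGNING_ALGORITHM = "hs256"          # signing-algorithm default
HS_DIGESTS = {"hs256": hashlib.sha256, "hs384": hashlib.sha384, "hs512": hashlib.sha512}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(secret: bytes, subject: str, now: int, alg: str = SIGNING_ALGORITHM) -> str:
    """Builds an HMAC-signed ID token; iss is the issuer name in the https://issuer_name form."""
    header = _b64url(json.dumps({"alg": alg.upper(), "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": f"https://{ISSUER_NAME}", "sub": subject,
                                 "iat": now, "exp": now + ID_TOKEN_VALIDITY_S}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), HS_DIGESTS[alg]).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_id_token(token: str, secret: bytes, now: int, alg: str = SIGNING_ALGORITHM) -> Optional[dict]:
    """Returns the claims when the token is acceptable under the configured settings, else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except ValueError:
        return None   # malformed token: wrong segment count, bad base64 or bad JSON
    # Pin the MAC to the configured signing-algorithm instead of trusting the header;
    # a header that says "none" or names another algorithm must not steer verification.
    if not isinstance(header, dict) or str(header.get("alg", "")).lower() != alg:
        return None
    expected = hmac.new(secret, f"{h}.{c}".encode(), HS_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Issuer must be exactly the configured https://issuer_name, and exp must still be in the future.
    if not isinstance(claims, dict) or claims.get("iss") != f"https://{ISSUER_NAME}":
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

Access tokens on this page are signed with an RSA key pair (RS256/RS384/RS512) whose name in the token header selects the verification key; the same pinning and expiry checks apply there, with the additional rule that a key-pair name not currently defined must fail verification.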

register-enabled

Property Group
Self-service Account Flows
Description
Specifies whether or not the register self-service account flow should be enabled. When disabled, the link will not be rendered on the login view and any attempts to access the register endpoint will result in a 403 Forbidden HTTP status code.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

register-resource-attribute

Property Group
Self-service Account Flows
Description
The resource attribute paths that the register self-service account flow should allow the client to set. Registration will fail if a client submits a resource with attributes having paths that are not in this list. Examples of valid attribute paths are:
  • 'name' - The 'name' attribute at the top level of the SCIM Resource Type resource.
  • 'urn:extension:organization' - The 'organization' attribute of a schema extension with URN 'urn:extension'.
  • 'addresses[type eq "preferred"].postalCode' - The postalCode sub-attribute of the address where the sub-attribute type equals 'preferred'. Only the equality filter on the type sub-attribute is supported as the value filter.

Default Value
No attribute paths are allowed.
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
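As an added example (not the Data Broker's own code), the following Python applies the register-resource-attribute rule from the description above: it flattens a submitted SCIM resource into attribute paths using the three forms the property documents ('name', 'urn:extension:organization', 'addresses[type eq "preferred"].postalCode') and returns every path that the allow list does not cover, so the registration can be rejected rather than silently trimmed. The allow list, the resources and the treatment of the "schemas" key as non-settable metadata are constructed assumptions.

```python
from typing import Iterable, List

# Constructed register-resource-attribute values, using the three path forms the
# property description above gives as examples (plus userName).
ALLOWED_PATHS = {
    "userName",
    "name",
    "urn:extension:organization",
    'addresses[type eq "preferred"].postalCode',
}

def submitted_paths(resource: dict) -> List[str]:
    """Flattens a submitted SCIM resource into paths in the register-resource-attribute syntax."""
    paths = []
    for attr, value in resource.items():
        if attr == "schemas":        # assumption: the schemas list is metadata, not a settable attribute
            continue
        if ":" in attr and isinstance(value, dict):   # schema extension block, e.g. urn:extension
            paths += [f"{attr}:{sub}" for sub in value]
        elif isinstance(value, list) and all(isinstance(i, dict) for i in value):
            for item in value:                        # multi-valued complex, e.g. addresses
                kind = item.get("type")
                for sub in item:
                    if sub != "type":                 # the type sub-attribute is the filter, not a value
                        paths.append(f'{attr}[type eq "{kind}"].{sub}')
        elif isinstance(value, dict):                 # single-valued complex, e.g. name
            paths += [f"{attr}.{sub}" for sub in value]
        else:                                         # simple attribute, e.g. userName
            paths.append(attr)
    return paths

def _base_attribute(path: str) -> str:
    """'addresses[type eq "x"].postalCode' -> 'addresses', 'name.givenName' -> 'name'.
    Extension paths such as 'urn:extension:organization' are kept whole."""
    return path if ":" in path else path.split("[", 1)[0].split(".", 1)[0]

def disallowed_paths(resource: dict, allowed: Iterable[str] = ALLOWED_PATHS) -> List[str]:
    """Submitted paths not covered by the allow list, either exactly or via their top-level
    attribute; a non-empty result means the registration request must be rejected."""
    allowed = set(allowed)
    return [p for p in submitted_paths(resource)
            if p not in allowed and _base_attribute(p) not in allowed]
```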

recover-username-enabled

Property Group
Self-service Account Flows
Description
Specifies whether or not the username recovery self-service account flow should be enabled. When disabled, the link will not be rendered on the login view and any attempts to access the username recovery endpoint will result in a 403 Forbidden HTTP status code.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
If enabled, the Data Store should be configured with an OTP Delivery Mechanism and a single-use-tokens Extended Operation Handler.

recover-username-search-filter

Property Group
Self-service Account Flows
Description
Specifies the SCIM search filter used when the username recovery self-service account flow searches for the account to recover.
Default Value
emails.value eq "$0" or phoneNumbers.value eq "$0"
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-username-validity-duration

Property Group
Self-service Account Flows
Description
Specifies the duration the username recovery code is valid before expiring.
Default Value
5 m
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-username-full-text

Property Group
Self-service Account Flows
Description
Specifies the full text sent with the username recovery code when the OTP mechanism supports long text.
Default Value
Username Recovery Code: $0
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-username-compact-text

Property Group
Self-service Account Flows
Description
Specifies the compact text sent with the username recovery code when the OTP mechanism does not support long text.
Default Value
Username Recovery Code: $0
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-username-subject

Property Group
Self-service Account Flows
Description
Specifies the subject sent with the username recovery code when the OTP mechanism supports subjects.
Default Value
Username Recovery Code
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-password-enabled

Property Group
Self-service Account Flows
Description
Specifies whether or not the password recovery self-service account flow should be enabled. When disabled, the link will not be rendered on the login view and any attempts to access the password recovery endpoint will result in a 403 Forbidden HTTP status code.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
If enabled, the Data Store should be configured with an OTP Delivery Mechanism and a deliver-password-reset-token Extended Operation Handler.

recover-password-search-filter

Property Group
Self-service Account Flows
Description
Specifies the SCIM search filter used when the password recovery self-service account flow searches for the account to recover.
Default Value
userName eq "$0" or emails.value eq "$0" or phoneNumbers.value eq "$0"
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-password-full-text

Property Group
Self-service Account Flows
Description
Specifies the full text sent with the password change code when the OTP mechanism supports long text.
Default Value
Password Change Code: $0
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-password-compact-text

Property Group
Self-service Account Flows
Description
Specifies the compact text sent with the password change code when the OTP mechanism does not support long text.
Default Value
Password Change Code: $0
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recover-password-subject

Property Group
Self-service Account Flows
Description
Specifies the subject sent with the password change code when the OTP mechanism supports subjects.
Default Value
Password Change Code
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recaptcha-key

Property Group
Self-service Account Flows
Description
Specifies the Google reCAPTCHA API key the register and recovery self-service account flows should use. If a key is not specified, reCAPTCHA will not be used by those flows.
Default Value
reCAPTCHA will not be used
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

recaptcha-secret

Property Group
Self-service Account Flows
Description
Specifies the Google reCAPTCHA API secret the register and recovery self-service account flows should use. If a secret is not specified, reCAPTCHA will not be used by those flows.
Default Value
reCAPTCHA will not be used
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To view the Identity Provider Service configuration:

dsconfig get-identity-provider-service-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the Identity Provider Service configuration:

dsconfig set-identity-provider-service-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...