Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The External Identity Authenticator may be used to authenticate an end-user with an external identity provider.
↓Parent Component
↓Properties
↓dsconfig Usage
The External Identity Authenticator component inherits from the Identity Authenticator
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | None |
| ↓ authentication-method-reference | |
| ↓ schema-urn | |
| ↓ external-resource-attribute |
| Description | A description for this Identity Authenticator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
authentication-method-reference
| Description | Specifies identifiers of the authentication methods provided by this External Identity Authenticator. Each value is exposed in the "amr" (authentication method reference) claim in an ID token, and also the "lastLoginMethods" and "lastSecondFactorMethods" properties of a user session SCIM sub-resource. |
| Default Value | external |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The URN which identifies the SCIM extension schema that should contain attributes intended for this External Identity Authenticator in authentication request and response messages. |
| Default Value | urn:pingidentity:scim:api:messages:2.0:ExternalIdentityAuthenticationRequest |
| Allowed Values | A URN begins with 'urn:', is followed by a namespace component that is no more than 32 alpha-numeric characters long, which is followed by one or more colon-delimited identifiers consisting of legal URN characters (letters, digits, and characters in '()+,-.:=@;$_!*'). For example, a URN in the 'acme' namespace might be "urn:acme:identity:User.name". |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The attributes of the external identity resource the External Identity Authenticator will expose to the client when a linked end-user can not be found. The client may use this to provide additional information about the retrieved resource and/or pre-populate a registration form. Examples of valid attribute paths are:
|
| Default Value | No external identity resource attributes will be exposed to the client. |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Identity Authenticators:
dsconfig list-identity-authenticators
[--property {propertyName}] ...
To view the configuration for an existing Identity Authenticator:
dsconfig get-identity-authenticator-prop
--authenticator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Identity Authenticator:
dsconfig set-identity-authenticator-prop
--authenticator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new External Identity Authenticator:
dsconfig create-identity-authenticator
--authenticator-name {name}
--type external
[--set {propertyName}:{propertyValue}] ...
To delete an existing Identity Authenticator:
dsconfig delete-identity-authenticator
--authenticator-name {name}