Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
An OIDC External Identity Provider authenticates users and retrieves user claims using OpenID Connect.
↓Parent Component
↓Properties
↓dsconfig Usage
The OIDC External Identity Provider component inherits from the External Identity Provider
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | None |
| ↓ enabled | |
| ↓ icon-uri | |
| ↓ hostname-verification-method | |
| ↓ key-manager-provider | |
| ↓ trust-manager-provider | |
| ↓ client-id | |
| ↓ client-secret | |
| ↓ scope | |
| ↓ client-auth-method | |
| ↓ issuer | |
| ↓ authorization-endpoint | |
| ↓ token-endpoint | |
| ↓ userinfo-endpoint |
| Description | A description for this External Identity Provider |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the External Identity Provider is enabled. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The icon URI for this External Identity Provider. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The mechanism for checking if the identity provider's hostname matches the name(s) stored inside the server's X.509 certificate. This is only applicable if SSL is being used for connection security. |
| Default Value | strict |
| Allowed Values | allow-all - This mechanism turns hostname verification off. strict - This mechanism works the same way as the Java Runtime Environment. It is also compliant with RFC 2818 for dealing with wildcards. The hostname must match any of the Subject Alternative Names or the first CN. A wildcard can occur in the CN, and in any of the Subject Alternative Names. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com". |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The OIDC External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The key manager provider to use if SSL (HTTPS) is to be used for connection-level security. When specifying a value for this property (except when using the Null key manager provider) you must ensure that the external server trusts this server's public certificate by adding this server's public certificate to the external server's trust store. |
| Default Value | The Java Runtime Environment's default key manager will be used |
| Allowed Values | The DN of any Key Manager Provider. The associated key manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The OIDC External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The trust manager provider to use if SSL (HTTPS) is to be used for connection-level security. |
| Default Value | The Java Runtime Environment's default trust manager will be used |
| Allowed Values | The DN of any Trust Manager Provider. The associated trust manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The OIDC External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The client ID assigned by the OpenID Connect Provider. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The client secret assigned by the OpenID Connect Provider. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The scopes to request authorization for. The 'openid' scope is always requested and need not be specified here. | ||||||||||||
| Default Value | None | ||||||||||||
| Allowed Values | A string Example values
| ||||||||||||
| Multi-Valued | Yes | ||||||||||||
| Required | No | ||||||||||||
| Admin Action Required | None. Modification requires no further action |
| Description | The method to use when authenticating to the OpenID Connect provider's token endpoint. |
| Default Value | basic |
| Allowed Values | basic - Authenticate using the HTTP Basic scheme where the client ID and secret are used as the username and password. post - Authenticate by including the client ID and secret in the request body. none - Do not authenticate to the token endpoint. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The URL that the OpenID Connect Provider asserts as its Issuer Identifier. The URL should use the https scheme and have no query or fragment component. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The URL of the OpenID Connect Provider's OAuth 2.0 Authorization Endpoint. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The URL of the OpenID Connect Provider's OAuth 2.0 Token Endpoint. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The URL of the OpenID Connect Provider's UserInfo Endpoint. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
To list the configured External Identity Providers:
dsconfig list-external-identity-providers
[--property {propertyName}] ...
To view the configuration for an existing External Identity Provider:
dsconfig get-external-identity-provider-prop
--provider-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing External Identity Provider:
dsconfig set-external-identity-provider-prop
--provider-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new OIDC External Identity Provider:
dsconfig create-external-identity-provider
--provider-name {name}
--type oidc
--set enabled:{propertyValue}
--set client-id:{propertyValue}
--set client-secret:{propertyValue}
--set issuer:{propertyValue}
--set authorization-endpoint:{propertyValue}
--set token-endpoint:{propertyValue}
--set userinfo-endpoint:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing External Identity Provider:
dsconfig delete-external-identity-provider
--provider-name {name}