ID Token Validator

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Note: this is an abstract component that cannot be instantiated.

ID Token Validators validate ID tokens issued by an OpenID Connect provider used for single sign-on (SSO).

Direct Subcomponents Relations from This Component Relations to This Component Properties dsconfig Usage

Direct Subcomponents

The following ID Token Validators are available in the server :

These ID Token Validators inherit from the properties described below.

Relations from This Component

The following components have a direct composition relation from ID Token Validators:

The following components have a direct aggregation relation from ID Token Validators:

Relations to This Component

The following components have a direct aggregation relation to ID Token Validators:

Properties

The properties supported by this managed object are as follows:


General Configuration Basic Properties: Advanced Properties:
 description  subject-claim-name
 enabled
 identity-mapper
 issuer-url
 clock-skew-grace-period
 evaluation-order-index
Token Signing Basic Properties: Advanced Properties:
 None  jwks-cache-duration

Basic Properties

description

Property Group
General Configuration
Description
A description for this ID Token Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Property Group
General Configuration
Description
Indicates whether this ID Token Validator is enabled for use in the Directory Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

identity-mapper

Property Group
General Configuration
Description
Specifies the name of the Identity Mapper that should be used to correlate an ID token subject value to a user entry. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property.
Default Value
None
Allowed Values
The DN of any Identity Mapper.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

issuer-url

Property Group
General Configuration
Description
Specifies the OpenID Connect provider's issuer URL. This value uniquely identifies the OpenID Connect provider. An OpenID Connect provider will always provide its issuer URL as the value of an ID token's iss claim. If the value configured here does not exactly match the actual value in an ID token's iss claim, then the ID token will be considered invalid.

In addition, if the relying party (for example, the Administrative Console) provides an issuer URL via an OAuth Bearer SASL bind, then that value must exactly match this issuer URL.

Default Value
None
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

clock-skew-grace-period

Property Group
General Configuration
Description
Specifies the amount of clock skew that is tolerated by the ID Token Validator when evaluating whether a token is within its valid time interval. The duration specified by this parameter will be subtracted from the token's not-before (nbf) time and added to the token's expiration (exp) time, if present, to allow for any time difference between the local server's clock and the token issuer's clock.
Default Value
5 s
Allowed Values
A duration. Lower limit is 0 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

evaluation-order-index

Property Group
General Configuration
Description
When multiple ID Token Validators are defined for a single Directory Server, this property determines the order in which the ID Token Validators are consulted. Values of this property must be unique among all ID Token Validators defined within Directory Server but not necessarily contiguous. ID Token Validators with lower values will be evaluated first to determine if they are able to validate the ID token.
Default Value
None
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


Advanced Properties

subject-claim-name (Advanced Property)

Property Group
General Configuration
Description
The name of the token claim that contains the subject; i.e., the authenticated user. This property specifies the token claim that contains the subject, which is the authenticated user identified by the ID token. The subject value is used by the validator's Identity Mapper to look up a matching user entry.

By default, the standard sub claim is used. However, this value can be customized if the ID token contains a more appropriate claim to use for identity correlation.

Default Value
sub
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

jwks-cache-duration (Advanced Property)

Property Group
Token Signing
Description
How often the ID Token Validator should refresh its cache of JWKS token signing keys. The value of this configuration property defines how frequently the ID Token Validator will retrieve the OpenID Connect provider's JWKS public signing keys. If the value is 0, a JWKS request will be performed every time a token validation request is made.
Default Value
2h
Allowed Values
A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured ID Token Validators:

dsconfig list-id-token-validators
     [--property {propertyName}] ...

To view the configuration for an existing ID Token Validator:

dsconfig get-id-token-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing ID Token Validator:

dsconfig set-id-token-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To delete an existing ID Token Validator:

dsconfig delete-id-token-validator
     --validator-name {name}