Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
Note: this is an abstract component that cannot be instantiated.
ID Token Validators validate ID tokens issued by an OpenID Connect provider used for single sign-on (SSO).
The following ID Token Validators are available in the server :
These ID Token Validators inherit from the properties described below.
The following components have a direct composition relation from ID Token Validators:
The following components have a direct aggregation relation from ID Token Validators:
The following components have a direct aggregation relation to ID Token Validators:
The properties supported by this managed object are as follows:
| General Configuration Basic Properties: | Advanced Properties: |
|---|---|
| description | subject-claim-name |
| enabled | |
| identity-mapper | |
| issuer-url | |
| clock-skew-grace-period | |
| evaluation-order-index | |
| Token Signing Basic Properties: | Advanced Properties: |
| None | jwks-cache-duration |
| Property Group | General Configuration |
| Description | A description for this ID Token Validator |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Indicates whether this ID Token Validator is enabled for use in the Directory Server. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the name of the Identity Mapper that should be used to correlate an ID token subject value to a user entry. The claim name from which to obtain the subject (i.e. the currently logged-in user) may be configured using the subject-claim-name property. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the OpenID Connect provider's issuer URL. This value uniquely identifies the OpenID Connect provider. An OpenID Connect provider will always provide its issuer URL as the value of an ID token's iss claim. If the value configured here does not exactly match the actual value in an ID token's iss claim, then the ID token will be considered invalid. In addition, if the relying party (for example, the Administrative Console) provides an issuer URL via an OAuth Bearer SASL bind, then that value must exactly match this issuer URL. |
| Default Value | None |
| Allowed Values | An absolute URL, or a relative URL |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | Specifies the amount of clock skew that is tolerated by the ID Token Validator when evaluating whether a token is within its valid time interval. The duration specified by this parameter will be subtracted from the token's not-before (nbf) time and added to the token's expiration (exp) time, if present, to allow for any time difference between the local server's clock and the token issuer's clock. |
| Default Value | 5 s |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | General Configuration |
| Description | When multiple ID Token Validators are defined for a single Directory Server, this property determines the order in which the ID Token Validators are consulted. Values of this property must be unique among all ID Token Validators defined within Directory Server but not necessarily contiguous. ID Token Validators with lower values will be evaluated first to determine if they are able to validate the ID token. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
subject-claim-name (Advanced Property)
| Property Group | General Configuration |
| Description | The name of the token claim that contains the subject; i.e., the authenticated user. This property specifies the token claim that contains the subject, which is the authenticated user identified by the ID token. The subject value is used by the validator's Identity Mapper to look up a matching user entry. By default, the standard sub claim is used. However, this value can be customized if the ID token contains a more appropriate claim to use for identity correlation. |
| Default Value | sub |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jwks-cache-duration (Advanced Property)
| Property Group | Token Signing |
| Description | How often the ID Token Validator should refresh its cache of JWKS token signing keys. The value of this configuration property defines how frequently the ID Token Validator will retrieve the OpenID Connect provider's JWKS public signing keys. If the value is 0, a JWKS request will be performed every time a token validation request is made. |
| Default Value | 2h |
| Allowed Values | A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured ID Token Validators:
dsconfig list-id-token-validators
[--property {propertyName}] ...
To view the configuration for an existing ID Token Validator:
dsconfig get-id-token-validator-prop
--validator-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing ID Token Validator:
dsconfig set-id-token-validator-prop
--validator-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To delete an existing ID Token Validator:
dsconfig delete-id-token-validator
--validator-name {name}