Edit OpenID Connect
OpenID Connect (OIDC) is a simple identity layer added to OAuth 2.0 to support single sign-on between two services. It enables API clients to verify the identity of a user based on the authentication performed by an authorization server, and to obtain basic profile information about the user in an interoperable, REST-like manner.
To edit OpenID Connect
- Go to Manage > Billing and Distribution > Products > productName | Edit > Integration | Edit Authentication. The Edit Authentication page opens.
- (Optional) If the product you are editing is an add-on product, two additional toggle settings appear at the top of the Single Sign-On pane. Note that you can only select one of them. The optional settings are:
- Use Parent Application Authentication Method—Select this setting if you want the product to inherit the same authentication settings as the parent product with which the add-on is associated.
- Hide Application Tile—Select this setting to hide the application tile on the user's MyApps page. Note that this also turns off single sign-on for this product.
Note: If you configure either of the settings described in this step, all other authentication fields described in the following steps disappear. Proceed to step 11 to save your settings.
- From the drop-down list, select OpenID Connect. This establishes OpenID Connect as the protocol used to authenticate users of your product, and opens additional fields that must be completed.
- Select a Client Creation Method. From the drop-down list, choose the model that best matches your system requirements:
- One per subscription—This is the default setting. It supports a unique client configuration for each subscription.
- One per marketplace—A single client configuration is shared across all subscriptions within a single marketplace.
- One per environment—A single client configuration is shared across all subscriptions in all marketplaces within a single AppDirect cloud environment.
Note: This setting cannot be changed after the product is published. Also, a client configuration includes the client ID and secret. For an example of a generated client configuration, see Example D-OIDC configuration in the OpenID Connect authentication event examples topic.
- Define the allowed OAuth 2 grant types for this product.
- Authorization Code—This grant type is mandatory and cannot be cleared. AppDirect only supports the authorization code flow for single sign-on.
- Refresh Token (optional)—When enabled, a refresh token is returned from the token endpoint, along with the original access and ID tokens. This refresh token can be used by the Developer to refresh the access token. The refresh token is valid for up to three weeks.
Note: After you publish the product, you cannot change this setting.
- Enter the redirect URL. This defines the OAuth 2 redirect URL where the authorization code is sent during SSO.
- Configure the allowed scopes for this product. This defines what user information the API client can access.
- OpenID (required)—The minimum scope required for OpenID Connect. This cannot be unchecked. Note that if this is the only scope selected, the ID token and the User Info endpoint response contain only the sub claim.
- Basic Info (optional)—When enabled, the email and profile scopes are allowed for this product. An access token with these scopes is returned and can be used at the `/oauth2/userinfo` endpoint to retrieve additional information about the user (for example, first/last name, email).
- Configure the initiate login URL — Enter the URL in the Developer system where the user is redirected to initiate SSO.
Note the following about this functionality:
OpenID Connect is a service provider-initiated (SP-initiated) protocol. To learn more about third-party-initiated login, see the OpenID Connect specification.
When a user clicks their MyApps tile, the marketplace issuer identifier is automatically sent as part of the request as a query parameter. Following is a sample issuer value as it could appear in this field:
<initiate_login_url>?iss=https://marketplace.exampletelco.com
The issuer query parameter can be useful to determine from which AppDirect marketplace (that is, which OpenID Connect provider) the SSO request originated.
In some cases a "target_link_uri" query parameter is also automatically sent in this request. The value of this query parameter represents the location to which the user should be redirected after they successfully log in. The second query parameter in the following example shows this:
<initiate_login_url>?iss=https://marketplace.exampletelco.com&target_link_uri=https://marketplace.exampletelco.com/deeplink
Note: You can optionally incorporate placeholder values in the Initiate Login URL field. Placeholder values are useful when a Developer's login URL must be unique for each subscription—for example, when a Developer selects the One per subscription client creation method. During single sign-on (SSO), the placeholder is replaced with the unique account identifier that was provided by the Developer during the subscription order event. When no placeholder is used, the configured URL identifies only the marketplace from which the SSO request originated. For more information, see Incorporate placeholders.
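The following is an added example of the Developer-side handler behind the Initiate Login URL; it is not AppDirect's code and is not part of this page. It validates the `iss` and `target_link_uri` query parameters described above (rejecting unknown issuers and any `target_link_uri` that does not point at an allow-listed https host, which is what keeps the endpoint from acting as an open redirector) and then builds the redirect to the marketplace's authorization endpoint with fresh `state` and `nonce` values. The issuer registry, the client ID, the `/oauth2/authorize` path and the `app.example.com` host are constructed placeholders; take the real values from the generated client configuration and the marketplace's discovery document.

```python
# Added example, not part of the AppDirect documentation: the Developer-side
# handler behind the Initiate Login URL. Issuer values, client ID, the
# "/oauth2/authorize" path and the app.example.com host are constructed placeholders.
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of the marketplaces (OpenID Providers) this RP trusts, keyed by
# the issuer identifier exactly as it arrives in the iss query parameter. Issuer
# comparison is an exact string match; no trailing-slash or case normalization.
KNOWN_ISSUERS = {
    "https://marketplace.exampletelco.com": {
        "client_id": "CLIENT_ID_PLACEHOLDER",  # from the generated client configuration
        # assumed path; take the real value from the marketplace's discovery document
        "authorization_endpoint": "https://marketplace.exampletelco.com/oauth2/authorize",
    },
}

# The redirect URL registered for the product in the "Enter the redirect URL" step (constructed).
REDIRECT_URI = "https://app.example.com/oauth2/callback"

# Hosts a target_link_uri may point to. OpenID Connect Core section 4 requires the RP
# to verify this value so the Initiate Login URL cannot be used as an open redirector.
ALLOWED_TARGET_HOSTS = {"marketplace.exampletelco.com", "app.example.com"}


class InitiateLoginError(ValueError):
    """Raised when the third-party-initiated login request is rejected."""


def parse_initiate_login_request(query_string: str) -> dict:
    """Validate the iss and target_link_uri query parameters of an initiate-login request."""
    params = parse_qs(query_string, keep_blank_values=True)

    iss_values = params.get("iss", [])
    if len(iss_values) != 1 or not iss_values[0]:
        raise InitiateLoginError("exactly one non-empty iss parameter is required")
    iss = iss_values[0]
    if iss not in KNOWN_ISSUERS:
        raise InitiateLoginError(f"unknown issuer: {iss}")

    target: Optional[str] = None
    target_values = params.get("target_link_uri", [])
    if target_values:
        if len(target_values) != 1:
            raise InitiateLoginError("at most one target_link_uri parameter is allowed")
        candidate = target_values[0]
        parts = urlsplit(candidate)
        # Require an absolute https URL on an allow-listed host; anything else
        # (http, relative paths, user@host tricks, unknown hosts) is rejected.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_TARGET_HOSTS:
            raise InitiateLoginError(f"target_link_uri not allowed: {candidate}")
        target = candidate

    return {"iss": iss, "target_link_uri": target}


def build_authorization_request(iss: str, target_link_uri: Optional[str]) -> dict:
    """Build the redirect to the marketplace's authorization endpoint.

    Returns the Location value and the per-request values (state, nonce, issuer,
    post-login target) that must be stored server-side in the user's session and
    checked again when the authorization code arrives at REDIRECT_URI.
    """
    provider = KNOWN_ISSUERS[iss]
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(32)  # must reappear in the ID token (replay protection)
    query = {
        "response_type": "code",          # Authorization Code is the only SSO grant AppDirect supports
        "client_id": provider["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",  # openid is mandatory; profile/email need "Basic Info" enabled
        "state": state,
        "nonce": nonce,
    }
    session = {
        "issuer": iss,
        "state": state,
        "nonce": nonce,
        "post_login_target": target_link_uri,  # where to send the user after a successful login
    }
    return {
        "location": provider["authorization_endpoint"] + "?" + urlencode(query),
        "session": session,
    }


def handle_initiate_login(query_string: str) -> dict:
    """Full handling of GET <initiate_login_url>?<query_string>."""
    request = parse_initiate_login_request(query_string)
    return build_authorization_request(request["iss"], request["target_link_uri"])


if __name__ == "__main__":
    # Constructed request matching the sample in the documentation above.
    result = handle_initiate_login(
        "iss=https://marketplace.exampletelco.com"
        "&target_link_uri=https://marketplace.exampletelco.com/deeplink"
    )
    print("302 Location:", result["location"])
    print("session:", result["session"])
```

The `target_link_uri` is deliberately not used until after the ID token has been validated on the callback: it is kept in the server-side session alongside `state` and `nonce`, and the user is only sent there once the `state` in the callback matches and the `nonce` in the ID token matches. If the product uses placeholders so that each subscription has its own Initiate Login URL, the account identifier arrives in the URL path rather than the query string and can be looked up the same way before the authorization request is built.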
- (Optional) If the product is defined as importable when it is created, an Import Setup Form pane appears on the Edit Authentication page. The purpose of this form is to collect the information necessary to connect the application to the company when Company Administrators import an application. For more information about how to configure this form, see Configure the Import Setup Form.
- Click Save.
For technical OpenID Connect integration topics, see Integrate OpenID Connect.