Configuration of OpenID Connect SSO
Edge Flow Manager (EFM) supports OpenID Connect (OIDC), an industry standard for using a third party as an identity provider for web applications such as EFM. Learn about the properties that you need to set for configuring OIDC SSO.
OIDC is sometimes referred to as OAuth 2 login because it is an authentication protocol layered on the authorization protocol of OAuth 2. In OIDC terminology, EFM is the Relying Party and the SSO identity provider is the OpenID Provider.
Before configuring EFM, you should first set up an OIDC client application configuration in your SSO identity provider. For more information about how to do this, see SSO identity provider setup.
Before configuring OIDC, EFM must already be configured to use TLS. OIDC authentication involves passing tokens to EFM that can be intercepted or replayed if TLS is not enabled, so EFM does not allow OIDC authentication unless TLS is enabled. For more information on enabling TLS in EFM, see TLS configuration for EFM.
Example OIDC property settings (values such as the issuer URI and client secret are placeholders):

efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://example.okta.com/oauth2
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=abc123...
efm.security.user.oidc.scopes=profile,email
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
The properties are as follows:

efm.security.user.oidc.enabled
    Set to true to enable OIDC authentication.

efm.security.user.oidc.issuerUri
    The OpenID Provider base (issuer) URI. Consult your OpenID Provider documentation for the correct value.

efm.security.user.oidc.clientId
    Must match the client ID of the client application configured in the OpenID Provider.

efm.security.user.oidc.clientSecret
    Must match the client secret configured for that client application in the OpenID Provider. Treat this value as a credential and restrict read access to the file that contains it.

efm.security.user.oidc.scopes
    Controls which user attributes (claims) the OpenID Provider releases to EFM when the user authenticates. The attribute named in usernameAttribute must be covered by one of these scopes.

efm.security.user.oidc.usernameAttribute
    Controls which of the user attributes provided to EFM by the OpenID Provider is used as the EFM User identity. Typically this is the email address attribute.

efm.security.user.oidc.displayNameAttribute
    If this property is provided and efm.security.user.auth.autoRegisterNewUsers is enabled, it controls which user attribute is mapped to the EFM User Display Name field when the user first logs in to EFM.
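The scope and attribute properties above interact: the OpenID Provider only releases the claims that the requested scopes entitle the Relying Party to, so a usernameAttribute that no requested scope covers yields no identity. The following added example (not EFM's own code) models that resolution against a constructed set of UserInfo claims, using the standard scope-to-claim mapping from OpenID Connect Core 1.0 section 5.4. The property parser is a deliberately minimal key=value reader, and the sample claims and property fragments are constructed for the example.

```python
"""Added example: how EFM's scopes, usernameAttribute and displayNameAttribute
settings resolve against the claims an OpenID Provider returns. Not EFM code."""

# Standard claims released by each OIDC scope (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed UserInfo response from the OpenID Provider for one user.
USERINFO = {
    "sub": "00u1abc",
    "name": "Ada Lovelace",
    "preferred_username": "ada",
    "email": "ada@example.com",
    "email_verified": True,
}

# Constructed property fragments. PROPS_OK mirrors the page's example.
PROPS_OK = """
efm.security.user.oidc.scopes=profile,email
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.auth.autoRegisterNewUsers=true
"""

# Same, but the 'email' scope was forgotten: the email claim is never released.
PROPS_NO_EMAIL_SCOPE = """
efm.security.user.oidc.scopes=profile
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.auth.autoRegisterNewUsers=true
"""


def parse_properties(text):
    """Minimal key=value parser for a properties fragment (no escapes or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def claims_for_scopes(scopes, all_claims):
    """Keep only the claims the requested scopes entitle the Relying Party to.
    The 'sub' claim is always returned with the mandatory 'openid' scope."""
    allowed = {"sub"}
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {k: v for k, v in all_claims.items() if k in allowed}


def resolve_efm_user(props, userinfo):
    """Map released claims to an EFM user record, or raise if the identity claim is absent."""
    scopes = [s.strip() for s in props.get("efm.security.user.oidc.scopes", "").split(",") if s.strip()]
    claims = claims_for_scopes(scopes, userinfo)
    username_attr = props["efm.security.user.oidc.usernameAttribute"]
    if username_attr not in claims:
        raise ValueError(f"claim '{username_attr}' is not released by scopes {scopes}; "
                         "request the scope that covers it")
    user = {"identity": claims[username_attr]}
    display_attr = props.get("efm.security.user.oidc.displayNameAttribute")
    auto_register = props.get("efm.security.user.auth.autoRegisterNewUsers", "false").lower() == "true"
    # Display name is only mapped on first login when auto-registration is on.
    if display_attr and auto_register and display_attr in claims:
        user["displayName"] = claims[display_attr]
    return user


def resolution_error(props_text, userinfo):
    """Return the error message for a misconfiguration, or None if resolution succeeds."""
    try:
        resolve_efm_user(parse_properties(props_text), userinfo)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(resolve_efm_user(parse_properties(PROPS_OK), USERINFO))
    print(resolution_error(PROPS_NO_EMAIL_SCOPE, USERINFO))
```

The second configuration fails even though the user does have an email address: the provider never sends the claim, so check the requested scopes before debugging the provider side.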
By default, EFM uses OpenID Connect Discovery: at startup it fetches the OpenID Provider metadata from {issuerUri}/.well-known/openid-configuration, where {issuerUri} is the value of efm.security.user.oidc.issuerUri. This is supported by all major, modern SSO vendors offering OpenID Connect. If this endpoint is not reachable over the network at runtime, EFM fails to start. If reaching it is not possible in your environment, EFM offers a set of staticConfig properties, which you must then configure, as an alternative to OpenID Connect Discovery over the network:
efm.security.user.oidc.staticConfig.enabled=false
efm.security.user.oidc.staticConfig.authorizationUri=
efm.security.user.oidc.staticConfig.tokenUri=
efm.security.user.oidc.staticConfig.userInfoUri=
efm.security.user.oidc.staticConfig.jwkSetUri=
When efm.security.user.oidc.staticConfig.enabled is set to true, OpenID Connect Discovery is not performed and the static URIs override the configuration that would normally be discovered dynamically. Obtain the correct values from the OpenID Provider; they are the authorization_endpoint, token_endpoint, userinfo_endpoint and jwks_uri fields of its discovery document.
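The safest way to fill in the staticConfig properties is to fetch the discovery document once from a host that can reach the provider, check it, and copy the endpoint values. The following added example (not EFM's own code) does that checking offline against a constructed discovery document for the page's example issuer: it verifies that the document's issuer matches the configured issuerUri (OpenID Connect Discovery 1.0 section 4.3 requires them to be identical, which is what stops a redirected or spoofed document from pointing EFM at someone else's endpoints), requires every endpoint to be https, and renders the corresponding EFM properties. The discovery document contents and the endpoint paths are constructed for the example, not taken from a real provider.

```python
"""Added example (not EFM code): validate an OpenID Provider discovery document
against the configured issuerUri and derive EFM's staticConfig properties."""
from urllib.parse import urlparse

# Discovery metadata field -> EFM staticConfig property suffix.
ENDPOINT_MAP = {
    "authorization_endpoint": "authorizationUri",
    "token_endpoint": "tokenUri",
    "userinfo_endpoint": "userInfoUri",
    "jwks_uri": "jwkSetUri",
}

ISSUER = "https://example.okta.com/oauth2"

# Constructed discovery document, as it might be served at
# {ISSUER}/.well-known/openid-configuration (fields beyond these omitted).
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "userinfo_endpoint": ISSUER + "/v1/userinfo",
    "jwks_uri": ISSUER + "/v1/keys",
}

# Constructed tampered documents: wrong issuer, and a token endpoint downgraded to http.
TAMPERED_ISSUER = dict(SAMPLE_DISCOVERY, issuer="https://attacker.example/oauth2")
PLAINTEXT_TOKEN = dict(SAMPLE_DISCOVERY, token_endpoint="http://example.okta.com/oauth2/v1/token")


def discovery_url(issuer_uri):
    """Location EFM fetches at startup when OpenID Connect Discovery is enabled."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer_uri, doc):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if doc.get("issuer", "").rstrip("/") != issuer_uri.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer_uri!r}, document says {doc.get('issuer')!r}")
    for field in ENDPOINT_MAP:
        url = doc.get(field)
        if not url:
            problems.append(f"missing {field}")
            continue
        if urlparse(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    return problems


def static_config_properties(issuer_uri, doc):
    """Render the staticConfig block for a validated document, or raise on any problem."""
    problems = validate_discovery(issuer_uri, doc)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["efm.security.user.oidc.staticConfig.enabled=true"]
    for field, suffix in ENDPOINT_MAP.items():
        lines.append(f"efm.security.user.oidc.staticConfig.{suffix}={doc[field]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("# fetched from", discovery_url(ISSUER))
    print(static_config_properties(ISSUER, SAMPLE_DISCOVERY))
    print(validate_discovery(ISSUER, TAMPERED_ISSUER))
    print(validate_discovery(ISSUER, PLAINTEXT_TOKEN))
```

Note that staticConfig only replaces the discovery fetch: EFM still contacts the tokenUri, userInfoUri and jwkSetUri during logins, so those hosts must remain reachable from EFM, and a key rotation at the provider is picked up through jwkSetUri rather than through a new discovery fetch.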