Cloudera Docs

Configuration of OpenID Connect SSO

Edge Flow Manager (EFM) supports OpenID Connect (OIDC), an industry standard for using a third party as an identity provider for web applications such as EFM. Learn about the properties that you need to set for configuring OIDC SSO.

OIDC is sometimes referred to as OAuth 2 login because it is an authentication protocol that extends the authorization protocols in OAuth 2. In the terminology of OIDC, EFM is the Relying Party and the SSO identity provider is the OpenID Provider.

Before configuring EFM, you should first set up an OIDC client application configuration in your SSO identity provider. For more information about how to do this, see SSO identity provider setup.

Before configuring OIDC, EFM should already be configured to use TLS. OIDC authentication requires passing an access token to EFM that is vulnerable to compromise if TLS is not enabled, and therefore EFM does not allow using OIDC authentication without TLS enabled. For more information on enabling TLS in EFM, see TLS configuration for EFM.

To enable OIDC in EFM, configure the following properties in the efm.properties file:
efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://example.okta.com/oauth2
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=abc123...
efm.security.user.oidc.scopes=profile,email
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
Where,
  • efm.security.user.oidc.enabled

    Set to true to enable OIDC authentication.

  • efm.security.user.oidc.issuerUri

    The OpenID Provider base URI. Consult your OpenID Provider documentation for the correct value.

  • efm.security.user.oidc.clientId

    Must match the configured client application name from the OpenID Provider.

  • efm.security.user.oidc.clientSecret

    Must match the configured client secret from the OpenID Provider.

  • efm.security.user.oidc.scopes

    Controls what user attributes are provided from the OpenID Provider to EFM when the user authenticates.

  • efm.security.user.oidc.usernameAttribute

    Controls which of the user attributes provided to EFM from the OpenID Provider is used as the EFM User identity. Typically this is the email address attribute.

  • efm.security.user.oidc.displayNameAttribute

    If this property is provided and efm.security.user.auth.autoRegisterNewUsers is enabled, then it controls which user attribute is mapped to the EFM User Display Name field when the user first logs into EFM.

EFM supports OpenID Connect Discovery as a way to discover additional details it needs directly from the OpenID Provider. For this to work, the OpenID Provider must host a discovery endpoint at {issuerUri}/.well-known/openid-configuration. This is supported by all major, modern SSO vendors offering OpenID Connect. If this endpoint is not available over the network at runtime, EFM fails to start. If this is not possible in your environment, EFM offers a set of staticConfig properties, that you need to configure, as an alternative to OpenID Connect Discovery over the network:
efm.security.user.oidc.staticConfig.enabled=false
efm.security.user.oidc.staticConfig.authorizationUri=
efm.security.user.oidc.staticConfig.tokenUri=
efm.security.user.oidc.staticConfig.userInfoUri=
efm.security.user.oidc.staticConfig.jwkSetUri=

When these properties are enabled, OpenID Connect Discovery is not performed. So, these act as an override for configuration that would normally be dynamically discovered. The correct values to use can be provided by the OpenID Provider.