Configuring OpenID Connect SSO
Edge Flow Manager (EFM) supports OpenID Connect (OIDC), an industry standard for using a third party as an identity provider for web applications such as EFM. Learn about the properties that you need to set for configuring OIDC SSO.
OIDC is sometimes referred to as OAuth 2 login because it is an authentication protocol that extends the authorization protocols in OAuth 2. In the terminology of OIDC, EFM is the Relying Party and the SSO identity provider is the OpenID Provider.
Before configuring EFM, you should first set up an OIDC client application configuration in your SSO identity provider. For more information about how to do this, see SSO identity provider setup.
Before configuring OIDC, EFM should already be configured to use TLS. OIDC authentication requires passing an access token to EFM that is vulnerable to compromise if TLS is not enabled, and therefore EFM does not allow using OIDC authentication without TLS enabled. For more information on enabling TLS in EFM, see TLS configuration for EFM.
Add the following properties to the efm.properties file:
efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://example.okta.com/oauth2
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=abc123...
efm.security.user.oidc.scopes=profile,email,groups
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.oidc.groupAttribute=groups
efm.security.user.oidc.enabled
Set to true to enable OIDC authentication.
efm.security.user.oidc.issuerUri
The OpenID Provider base URI. Consult your OpenID Provider documentation for the correct value.
efm.security.user.oidc.clientId
It must match the configured client application name from the OpenID Provider.
efm.security.user.oidc.clientSecret
It must match the configured client secret from the OpenID Provider.
efm.security.user.oidc.scopes
It controls which user attributes the OpenID Provider provides to EFM when the user authenticates.
efm.security.user.oidc.usernameAttribute
It controls which of the user attributes provided to EFM from the OpenID Provider is used as the EFM User identity. Typically this is the email address attribute.
efm.security.user.oidc.displayNameAttribute
If this property is provided and efm.security.user.auth.autoRegisterNewUsers is enabled, it controls which user attribute is mapped to the EFM User Display Name field when the user first logs into EFM.
efm.security.user.oidc.groupAttribute
It must match the configured Group Claim Name from the OpenID Provider.
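The properties above interact: usernameAttribute, displayNameAttribute and groupAttribute can only map claims that the requested scopes actually release. The following script is an added example, not EFM code, that parses an efm.properties snippet (constructed here, modelled on the one above) and reports the misconfigurations worth catching before a restart: OIDC not enabled, a non-https issuerUri, an empty client id or secret, and an attribute that no requested scope releases. The scope-to-claim mapping for profile and email is the standard one from OIDC Core; the groups scope is provider-specific and is an assumption here.

```python
"""Sanity checks for EFM OIDC properties (added example, not EFM code)."""
from urllib.parse import urlsplit

PREFIX = "efm.security.user.oidc."

# Standard OIDC scopes and the claims they release (OIDC Core, section 5.4).
# 'groups' is not a standard scope; it is assumed here because the page's
# example requests it from the provider.
CLAIMS_BY_SCOPE = {
    "profile": {"name", "family_name", "given_name", "preferred_username", "picture"},
    "email": {"email", "email_verified"},
    "groups": {"groups"},  # assumption: provider-specific scope
}

# Constructed sample; the secret is a placeholder, not a real value.
SAMPLE_PROPERTIES = """\
efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://example.okta.com/oauth2
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=CHANGE_ME_PLACEHOLDER
efm.security.user.oidc.scopes=profile,email,groups
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.oidc.groupAttribute=groups
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oidc_properties(props):
    """Return a list of problems; an empty list means the config looks sound."""
    problems = []

    def p(name):
        return props.get(PREFIX + name, "")

    if p("enabled").lower() != "true":
        problems.append("oidc.enabled is not true; OIDC login is off")
        return problems

    # The issuer is where the browser is redirected and where tokens come
    # back from, so it must be an https URL (also required by OIDC Discovery).
    issuer = urlsplit(p("issuerUri"))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuerUri must be an https URL")

    for name in ("clientId", "clientSecret"):
        if not p(name):
            problems.append(f"{name} is empty; it must match the OpenID Provider client registration")

    # Which claims will the provider actually release for these scopes?
    scopes = {s.strip() for s in p("scopes").split(",") if s.strip()}
    released = set().union(*(CLAIMS_BY_SCOPE.get(s, set()) for s in scopes))
    unknown_scopes = scopes - set(CLAIMS_BY_SCOPE)

    for attr in ("usernameAttribute", "displayNameAttribute", "groupAttribute"):
        claim = p(attr)
        if attr == "usernameAttribute" and not claim:
            problems.append("usernameAttribute is empty; EFM cannot derive a user identity")
        elif claim and claim not in released and not unknown_scopes:
            # Only flag when every scope is known; an unknown scope might release it.
            problems.append(f"{attr}={claim} is not released by scopes {sorted(scopes)}")
    return problems


if __name__ == "__main__":
    for problem in check_oidc_properties(parse_properties(SAMPLE_PROPERTIES)) or ["no problems found"]:
        print(problem)
```

Run it against your own file by replacing SAMPLE_PROPERTIES with the contents of efm.properties; the checks are deliberately conservative and stay silent when a scope they do not know about is requested.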
EFM uses OpenID Connect Discovery to retrieve the OpenID Provider configuration from {issuerUri}/.well-known/openid-configuration. This is supported by all major, modern SSO vendors offering OpenID Connect. If this endpoint is not available over the network at runtime, EFM fails to start. If you cannot make this endpoint reachable in your environment, EFM offers a set of staticConfig properties that you need to configure as an alternative to OpenID Connect Discovery over the network:
efm.security.user.oidc.staticConfig.enabled=false
efm.security.user.oidc.staticConfig.authorizationUri=
efm.security.user.oidc.staticConfig.tokenUri=
efm.security.user.oidc.staticConfig.userInfoUri=
efm.security.user.oidc.staticConfig.jwkSetUri=
When these properties are enabled, OpenID Connect Discovery is not performed. So, these act as an override for configuration that would normally be dynamically discovered. The correct values to use can be provided by the OpenID Provider.
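The staticConfig values are exactly the endpoints that Discovery would otherwise return, so the usual way to obtain them is to fetch the discovery document once from a host that can reach the provider and copy the endpoints over. The script below is an added example, not EFM code, that performs that mapping from a discovery document (the JSON here is constructed, not from a real provider) and applies the checks worth doing before trusting it: the document's issuer must equal the configured issuerUri, every endpoint EFM needs must be present, and every endpoint must be https so the access token never crosses a cleartext hop.

```python
"""Derive EFM staticConfig properties from an OIDC discovery document (added example)."""
import json
from urllib.parse import urlsplit

# Discovery document keys (OIDC Discovery 1.0, section 3) -> EFM property names
ENDPOINT_MAP = {
    "authorization_endpoint": "efm.security.user.oidc.staticConfig.authorizationUri",
    "token_endpoint": "efm.security.user.oidc.staticConfig.tokenUri",
    "userinfo_endpoint": "efm.security.user.oidc.staticConfig.userInfoUri",
    "jwks_uri": "efm.security.user.oidc.staticConfig.jwkSetUri",
}

# Constructed sample response for {issuerUri}/.well-known/openid-configuration;
# the host and paths are illustrative, not a real provider's.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com/oauth2",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def static_config_from_discovery(issuer_uri, discovery_json):
    """Return {property: value} for EFM's staticConfig block, or raise ValueError.

    OIDC Discovery (section 4.3) requires the 'issuer' in the document to be
    identical to the issuer URL it was fetched for; a mismatch means the
    document is not the one for this provider and must not be copied over.
    """
    doc = json.loads(discovery_json)
    if doc.get("issuer") != issuer_uri:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_uri!r}")

    props = {"efm.security.user.oidc.staticConfig.enabled": "true"}
    for key, prop in ENDPOINT_MAP.items():
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            # Tokens and user info travel over these endpoints.
            raise ValueError(f"{key} is not an https URL: {url}")
        props[prop] = url
    return props


def render_properties(props):
    """Format the mapping as lines ready to paste into efm.properties."""
    return "\n".join(f"{key}={value}" for key, value in props.items())


if __name__ == "__main__":
    derived = static_config_from_discovery("https://example.okta.com/oauth2", SAMPLE_DISCOVERY)
    print(render_properties(derived))
```

Once the static properties are in place, EFM performs no Discovery at runtime, so a key rotation at the provider that also changes jwks_uri, or any endpoint move, has to be reflected by re-running this mapping and updating the file by hand.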