Configuring OpenID Connect SSO

Edge Flow Manager supports OpenID Connect (OIDC), an industry standard for using a third party as an identity provider for web applications. Learn about the properties that you need to set for configuring OIDC SSO.

OIDC is sometimes referred to as OAuth 2 login because it is an authentication protocol that extends the authorization protocols in OAuth 2. In the terminology of OIDC, Edge Flow Manager is the Relying Party and the SSO identity provider is the OpenID Provider.

Before configuring Edge Flow Manager, you should first set up an OIDC client application configuration in your SSO identity provider. For more information about how to do this, see SSO identity provider setup.

Before configuring OIDC, Edge Flow Manager should already be configured to use TLS. OIDC authentication requires passing an access token to Edge Flow Manager that is vulnerable to compromise if TLS is not enabled, and therefore Edge Flow Manager does not allow using OIDC authentication without TLS enabled. For more information on enabling TLS in Edge Flow Manager, see TLS configuration for Edge Flow Manager.

To enable OIDC in Edge Flow Manager, configure the following properties in the efm.properties file:
efm.security.user.oidc.enabled=true
efm.security.user.oidc.issuerUri=https://example.okta.com/oauth2
efm.security.user.oidc.clientId=efm
efm.security.user.oidc.clientSecret=abc123...
efm.security.user.oidc.scopes=profile,email,groups
efm.security.user.oidc.usernameAttribute=email
efm.security.user.oidc.displayNameAttribute=name
efm.security.user.oidc.groupAttribute=groups
Where,
  • efm.security.user.oidc.enabled

    Set to true to enable OIDC authentication.

  • efm.security.user.oidc.issuerUri

    The OpenID Provider base URI. Consult your OpenID Provider documentation for the correct value.

  • efm.security.user.oidc.clientId

    Must match the client application name configured in the OpenID Provider.

  • efm.security.user.oidc.clientSecret

    Must match the client secret configured in the OpenID Provider.

  • efm.security.user.oidc.scopes

    Controls which user attributes the OpenID Provider sends to Edge Flow Manager when the user authenticates.

  • efm.security.user.oidc.usernameAttribute

    Controls which of the user attributes provided by the OpenID Provider is used as the Edge Flow Manager user identity. Typically this is the email address attribute.

  • efm.security.user.oidc.displayNameAttribute

    If this property is provided and efm.security.user.auth.autoRegisterNewUsers is enabled, it controls which user attribute is mapped to the Edge Flow Manager User Display Name field when the user first logs into Edge Flow Manager.

  • efm.security.user.oidc.groupAttribute

    Must match the Group Claim Name configured in the OpenID Provider.

Edge Flow Manager supports OpenID Connect Discovery as a way to obtain the additional details it needs directly from the OpenID Provider. For this to work, the OpenID Provider must host a discovery endpoint at {issuerUri}/.well-known/openid-configuration. All major, modern SSO vendors offering OpenID Connect support this. If this endpoint is not reachable over the network at runtime, Edge Flow Manager fails to start. If network access to the endpoint is not possible in your environment, Edge Flow Manager offers a set of staticConfig properties, which you need to configure as an alternative to OpenID Connect Discovery over the network:
efm.security.user.oidc.staticConfig.enabled=false
efm.security.user.oidc.staticConfig.authorizationUri=
efm.security.user.oidc.staticConfig.tokenUri=
efm.security.user.oidc.staticConfig.userInfoUri=
efm.security.user.oidc.staticConfig.jwkSetUri=

When these properties are enabled, OpenID Connect Discovery is not performed; they act as an override for the configuration that would normally be discovered dynamically. Obtain the correct values from the OpenID Provider.
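As an added example (not part of the Edge Flow Manager documentation or product), the following Python script checks a discovery document against the configured issuerUri, requires every endpoint to be https, and emits the equivalent staticConfig properties. The discovery document and its endpoint URLs are constructed sample values, not a real provider's.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what an OpenID Provider serves at
# {issuerUri}/.well-known/openid-configuration (not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com/oauth2",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
})

# Standard discovery field -> efm.properties staticConfig key suffix.
FIELD_TO_PROPERTY = {
    "authorization_endpoint": "authorizationUri",
    "token_endpoint": "tokenUri",
    "userinfo_endpoint": "userInfoUri",
    "jwks_uri": "jwkSetUri",
}

def static_config_from_discovery(issuer_uri: str, discovery_json: str) -> dict:
    """Validate a discovery document and return the staticConfig properties
    that would replace network discovery for the given issuerUri."""
    doc = json.loads(discovery_json)
    # The document's issuer must equal the configured issuerUri; a mismatch
    # means the document does not describe the provider you intended to trust.
    if doc.get("issuer", "").rstrip("/") != issuer_uri.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_uri!r}")
    props = {"efm.security.user.oidc.staticConfig.enabled": "true"}
    for field, suffix in FIELD_TO_PROPERTY.items():
        url = doc.get(field)
        if not url:
            raise ValueError(f"discovery document lacks required field {field!r}")
        # Codes, tokens and keys travel over these URLs, so refuse plain http.
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} is not https: {url}")
        props[f"efm.security.user.oidc.staticConfig.{suffix}"] = url
    return props

def render_properties(props: dict) -> str:
    """Serialize the mapping as key=value lines for efm.properties."""
    return "\n".join(f"{k}={v}" for k, v in props.items())

if __name__ == "__main__":
    print(render_properties(
        static_config_from_discovery("https://example.okta.com/oauth2", SAMPLE_DISCOVERY)))
```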