Accelerate the Value of Data

Set up an IdP for OAuth/OIDC

Learn about configuring an external identity provider as an Authorization Server.

Do you want to use a third-part OAuth 2.0 or OpenID Connect (OIDC) Identity Provider (IdP) as an Authorization Server to enable Single Sign On (SSO) to the Reltio Connected Data Platform? If so, configure an endpoint for the external IdP, so it can interact with the Reltio Hub and OAuth services as an Authorization Server. For more information, see topic OAuth 2.0/OIDC authentication flow.

External IdP endpoint configuration

The IdP endpoint configuration takes the following form. For an explanation of values to provide, see the following table in this topic. For specific configuration details, see the sub topics for a supported IdP.

POST http://{{oauth}}/oauth/customers
Authorization Bearer {{admin_token}}
 
[
  {
    "id": "Github",
    "tenants": ["github"],
    "description": "customer",
    "passwordPolicy": {},
    "externalProviderConfig": {
        "vendor": "github",
        "loginEndpoint" : "https://github.com/login/oauth/authorize",
        "tokenEndpoint": "https://github.com/login/oauth/access_token",
        "userInfoEndpoint": "https://api.github.com/user",
        "revokeEndpoint": "https://api.github.com/applications",
        "callbackEndpoint": "http://{{oauth}}/oauth/callback",
        "clientId": "???????",
        "clientSecret": "??????????",
        "externalClientId" : "???????",
        "scope": "email",
        "defaultNewUserRoleList": ["ROLE_API", "ROLE_USER"],
        "userGroupsMapping": "groups",
        "userGroupRegExp": "OU=([a-zA-Z0-9_]*).*?",
        "defaultGroups": ["QA_Group","Dev_Group"]
    }
  }
  ]

External IdP configuration properties

External provider properties specified within the externalProviderConfig section are listed in the table below.

PropertyExampleDefault ValueDescription
vendor ping Identifier for vendor-specific implementation:

For details of IdPs you can use, see topic .

loginEndpoint https://pingtest.<example>.com/as/authorization.oauth2 External OAuth user login endpoint URI.
tokenEndpoint https://pingtest.<example>.com/as/token.oauth2 External OAuth token endpoint URI.
userInfoEndpoint https://pingtest.<example>.com/idp/userinfo.openid External OAuth user info endpoint URI. The endpoint is used to get user information (along with user roles defined in IdP) after a token is obtained.
revokeEndpoint https://pingtest.<example>.com/as/revoke_token.oauth2 External OAuth revoke token endpoint URI.
callbackEndpoint https://auth-<example>.reltio.com/oauth/callback Reltio OAuth callback URI.
clientId reltio External OAuth client ID.
clientSecret example12 External OAuth client secret.
scope openid profile email email Scope required from the external Authorization Server. Defines which information the server should include in the userInfoEndpoint response, as a list of space-separated OAuth scopes. This list can be specific for each vendor:
userIdMapping sub email Mapping user property: external OAuth userInfoEndpoint to Reltio username.
Note: If "email" is chosen for GitHub, the email should be public.
userEmailMapping email email Mapping user property: external OAuth userInfoEndpoint to Reltio email.
defaultNewUserRoleList ["ROLE_API", "ROLE_USER"] The list of roles that each new user will receive on first log in.
userRoleMapping ADGroups Mapping user property from external OAuth userInfoEndpoint to Reltio roles.
userRoleRegexp CN=([A-Z_]*),.* ([-a-zA-Z0-9_]*),*? Extracts roles based on regular expression.

The expression must have one regexp group to return the name of the role. If it's assumed that multiple roles can be returned from the IdP, the expression must include the delimiter (e.g. comma).

jwt false false If true, then JWT token will be verified and decoded in the Reltio Auth server itself. Otherwise, Reltio Auth server will perform the user-info endpoint calls to SSO server to verify and decode the token in the SSO provider server itself. If true, define the following properties in jwtSignatureConfig:
  • algorithm: algorithm to be used for verifying the JWT token signature. Currently, Reltio supports only "RSA256" which is the most widely recommended one.
  • issuer: URL of SSO provider added as part of the token.
  • jwksURL: URL to download the public keys JSON of the SSO server. This is needed for verifying the Id token.
sendClientCredentialsInBody true false Enables sending the client credentials in the Request Body. By default, when the value is false or the property is not specified, the client credentials are sent in the Authorization Header.
defaultGroups["QA_Group", "Dev_Group"]-The list of group that will receive each new user on first log in
userGroupsMappingADGroups-Mapping user property from external OAuth userInfoEndpoint to Reltio groups
userGroupRegExpCN=([A-Z_]*),.* ([-a-zA-Z0-9_]*),*?-Extracts groups based on regular expression.

The expression must have one regexp group to return the name of the group. If it's assumed that multiple groups can be returned from the IdP, the expression must include the delimiter (e.g. comma).