Set up an IdP for OAuth/OIDC

Learn about configuring an external identity provider as an Authorization Server.

Do you want to use a third-part OAuth 2.0 or OpenID Connect (OIDC) Identity Provider (IdP) as an Authorization Server to enable Single Sign On (SSO) to the Reltio Connected Data Platform? If so, configure an endpoint for the external IdP, so it can interact with the Reltio Hub and OAuth services as an Authorization Server. For more information, see topic OAuth 2.0/OIDC authentication flow.

External IdP endpoint configuration

The IdP endpoint configuration takes the following form. For an explanation of values to provide, see the following table in this topic. For specific configuration details, see the sub topics for a supported IdP.

POST http://{{oauth}}/oauth/customers
Authorization Bearer {{admin_token}}
 
[
  {
    "id": "Github",
    "tenants": ["github"],
    "description": "customer",
    "passwordPolicy": {},
    "externalProviderConfig": {
        "vendor": "github",
        "loginEndpoint" : "https://github.com/login/oauth/authorize",
        "tokenEndpoint": "https://github.com/login/oauth/access_token",
        "userInfoEndpoint": "https://api.github.com/user",
        "revokeEndpoint": "https://api.github.com/applications",
        "callbackEndpoint": "http://{{oauth}}/oauth/callback",
        "clientId": "???????",
        "clientSecret": "??????????",
        "externalClientId" : "???????",
        "scope": "email",
        "defaultNewUserRoleList": ["ROLE_API", "ROLE_USER"],
        "userGroupsMapping": "groups",
        "userGroupRegExp": "OU=([a-zA-Z0-9_]*).*?",
        "defaultGroups": ["QA_Group","Dev_Group"]
    }
  }
  ]

External IdP configuration properties

External provider properties specified within the externalProviderConfig section are listed in the table below.


Property	Example	Default Value	Description
`vendor`	`ping`		Identifier for vendor-specific implementation: null for Azure and Google Apps "azure" for Active Directory Federation Services (ADFS) "github" for GitHub; "keycloak" for Keycloak "okta" for Okta "ping" for PingFederate For details of IdPs you can use, see topic .
loginEndpoint	`https://pingtest.<example>.com/as/authorization.oauth2`		External OAuth user login endpoint URI.
tokenEndpoint	`https://pingtest.<example>.com/as/token.oauth2`		External OAuth token endpoint URI.
userInfoEndpoint	`https://pingtest.<example>.com/idp/userinfo.openid`		External OAuth user info endpoint URI. The endpoint is used to get user information (along with user roles defined in IdP) after a token is obtained.
revokeEndpoint	`https://pingtest.<example>.com/as/revoke_token.oauth2`		External OAuth revoke token endpoint URI.
callbackEndpoint	`https://auth-<example>.reltio.com/oauth/callback`		Reltio OAuth callback URI.
clientId	`reltio`		External OAuth client ID.
clientSecret	`example12`		External OAuth client secret.
scope	`openid profile email`	`email`	Scope required from the external Authorization Server. Defines which information the server should include in the `userInfoEndpoint` response, as a list of space-separated OAuth scopes. This list can be specific for each vendor: `openid profile email` for PingFederate `email` or null for Google Apps and GitHub
userIdMapping	`sub`	`email`	Mapping user property: external OAuth `userInfoEndpoint` to Reltio `username`. Note: If "email" is chosen for GitHub, the email should be public.
userEmailMapping	`email`	`email`	Mapping user property: external OAuth `userInfoEndpoint` to Reltio email.
defaultNewUserRoleList	`["ROLE_API", "ROLE_USER"]`		The list of roles that each new user will receive on first log in.
userRoleMapping	`ADGroups`		Mapping user property from external OAuth `userInfoEndpoint` to Reltio roles.
userRoleRegexp	`CN=([A-Z_]),.` `([-a-zA-Z0-9_]),?`		Extracts roles based on regular expression. The expression must have one regexp group to return the name of the role. If it's assumed that multiple roles can be returned from the IdP, the expression must include the delimiter (e.g. comma).
caseSensitiveLoginEnabled	`false`	`true`	Enables case-sensitive log in.
jwt	`false`	`false`	If `true`, then JWT token will be verified and decoded in the Reltio Auth server itself. Otherwise, Reltio Auth server will perform the user-info endpoint calls to SSO server to verify and decode the token in the SSO provider server itself. If `true`, define the following properties in `jwtSignatureConfig`: `algorithm`: algorithm to be used for verifying the JWT token signature. Currently, Reltio supports only "RSA256" which is the most widely recommended one. `issuer`: URL of SSO provider added as part of the token. `jwksURL`: URL to download the public keys JSON of the SSO server. This is needed for verifying the Id token.
sendClientCredentialsInBody	`true`	`false`	Enables sending the client credentials in the Request Body. By default, when the value is `false` or the property is not specified, the client credentials are sent in the Authorization Header.
defaultGroups	`["QA_Group", "Dev_Group"]`	-	The list of group that will receive each new user on first log in
userGroupsMapping	`ADGroups`	-	Mapping user property from external OAuth `userInfoEndpoint` to Reltio groups
userGroupRegExp	`CN=([A-Z_]),.` `([-a-zA-Z0-9_]),?`	-	Extracts groups based on regular expression. The expression must have one regexp group to return the name of the group. If it's assumed that multiple groups can be returned from the IdP, the expression must include the delimiter (e.g. comma).

Accelerate the Value of Data

Set up an IdP for OAuth/OIDC

External IdP endpoint configuration

External IdP configuration properties

Footer