Unify and manage your data

OpenID Connect configuration - FAQ

Find the answers to Frequently Asked Questions (FAQs) about OpenID Connect (OIDC) Configuration.

  1. How do I set up the OIDC Configuration in Reltio Platform?

    In Reltio, you can now configure OIDC through Console. Go to Console, and click SSO Configuration in the Security section. For more information about configuring OIDC, see SSO Configuration Based on OIDC.

  2. Which APIs must be used to configure OIDC?

    To configure OIDC, update external provider configuration in a customer record using PUT https://auth.reltio.com/oauth/customers/{{customer}}/externalProviderConfig/{{tenant}} .

  3. What do I need from IdP to set up OIDC?

    The following information from IdP is required to set up OIDC:

    Table 1. Requirements to set up OIDC
    PropertyValueDescriptionExample
    clientId External OAuth client IDreltio
    clientSecretExternal OAuth client secretqwerty12
    loginEndpointExternal OAuth user login endpoint URIxxx
    revokeEndpointExternal OAuth revoke token endpoint URIxxx
    tokenEndpointExternal OAuth token endpoint URIxxx
    userEmailMappingEmailMapping user property from external OAuth userInfoEndpoint to Reltio emailEmail
    userGroupsMappingMapping user property from external OAuth userInfoEndpoint to Reltio groupsADGroups
    userIdMappingEmail

    Mapping user property from external OAuth userInfoEndpoint to Reltio username. If you have chosen Email for Github, then the Email must be a public one.

    sub
    userInfoEndpointExternal OAuth user info endpoint URIxxx
    userRoleMappingMapping user property from external OAuth userInfoEndpoint to Reltio roles. ADRoles
    vendorVendor specific implementation, which can be:
    • null for Google, ADFS 2.0
    • github for GitHub
    • ping for PingFederate
    ping
  4. What must I configure in IdP?

    To successfully set up OIDC, you must configure the following in IdP:

    Table 2. IdP Configuration for OIDC set up
    PropertyValueDescriptionMandatoryExample
    callbackEndpoint Reltio OAuth callback URI, which must be configured in IDPYeshttps://auth-az.reltio.com/oauth/callback
    userEmailMappingEmailMapping user property from external OAuth userInfoEndpoint to Reltio emailYesEmail
    userIdMappingEmail

    Mapping user property from external OAuth userInfoEndpoint to Reltio username. If Email is chosen for Github, then the Email must be a public one.

    Nosub
    userRoleMappingRoles

    Mapping user property from external OAuth userInfoEndpoint to Reltio roles, which is applicable only if role assignment is managed by IDP.

    NoADRoles
    userGroupMappingGroups

    Mapping user property from external OAuth userInfoEndpoint to Reltio groups, which is applicable only if role assignment is managed by IDP.

    NoADGroups
  5. Can I have different IdP Configurations for different tenants?

    Yes, you can have different IdP configurations for each tenant. However, note that you can have only one IdP configuration for a tenant.

  6. What should I do if I face issues after IdP configuration?

    If you face any issues after configuring IdP, capture the HAR file and then create a support ticket for further investigation.

  7. Can I import roles from IdP into Reltio?

    Yes, you can import roles from IdP into Reltio by specifying the userRoleMapping attribute. Make sure these roles are valid in the Reltio platform. While importing, IdP will send an additional attribute with the ROLE value. Multiple roles can be imported by separating them using a comma.

  8. What should I do to configure Azure 2.0 as IdP?
    A sample configuration to configure Azure 2.0 as IdP is given below:
    {
    "id": "xxx",
    "tenants": [
    "xxx"
    ],
    "description": "SSO configuration",
    "passwordPolicy": {},
    "externalProviderConfig": {
    "loginEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize",
    "tokenEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/token",
    "userInfoEndpoint": "https://graph.microsoft.com",
    "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
    "clientId": "?????",
    "clientSecret": "??????",
    "scope": "openid profile",
    "userIdMapping": "userPrincipalName",
    "userEmailMapping": "userPrincipalName",
    "defaultNewUserRoleList": [
    "ROLE_USER",
    "ROLE_API"
    ]
    },
    "caseSensitiveLoginEnabled": true
    }
  9. What should I do to configure Okta as IdP ?
    A sample configuration to configure Okta as IdP is given below:
    {
    "providerId": "OktaProvider",
    "vendor": "okta",
    "loginEndpoint": "https://xxx.okta.com/oauth2/v1/authorize",
    "tokenEndpoint": "https://xxx.okta.com/oauth2/v1/token",
    "userInfoEndpoint": "https://xxx.okta.com/oauth2/v1/userinfo",
    "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
    "clientId": "xxx",
    "clientSecret": "xxxxxxxxxx",
    "scope": "openid profile email",
    "userIdMapping": "given_name",
    "userEmailMapping": "email",
    "userRoleMapping": "memberOf",
    "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*),*?",
    "defaultNewUserRoleList": [
    "ROLE_UI",
    "ROLE_API"
    ],
    "tenants": [
    "xxx"
    ],
    "jwt": false,
    "defaultGroups": [],
    "roleEnabled": false,
    "groupEnabled": false,
    "sendClientCredentialsInBody": false
    }
  10. What should I do to configure Ping Identity as IdP?
    A sample configuration to configure Ping Identity as IdP is given below:
    {
        "id": "xxxxx",
        "tenants": [
          "xx"
        ],
        "description": "customer",
        "passwordPolicy": {},
        "externalProviderConfig": {
          "vendor": "ping",
          "loginEndpoint": "https://xxx/as/authorization.oauth2",
          "tokenEndpoint": "https://xxx/as/token.oauth2",
          "userInfoEndpoint": "https://xxx/idp/userinfo.openid",
          "revokeEndpoint": "https://xxx/revoke_token.oauth2",
          "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
          "clientId": "xxxxx",
          "clientSecret": "xxxx",
          "scope": "openid profile email",
          "userIdMapping": "sub",
          "defaultNewUserRoleList": [
            "ROLE_USER",
            "ROLE_API"
          ],
          "userRoleMapping":"ADRoles",
          "userRoleRegexp":"CN=([A-Z_]*),.*",
          "caseSensitiveLoginEnabled": false
        }
      }
  11. Can I configure SSO to enable RDM tenants also?
    Yes, you can use the same configuration used for the MDM tenants by adding the RDM tenant ID into the Tenants array in externalProviderConfig. A sample is given below.
    "externalProviderConfig: : {
                ........
                "tenants": ["RDM Tenant ID"]
    }