OpenID Connect configuration - FAQ

Find the answers to Frequently Asked Questions (FAQs) about OpenID Connect (OIDC) Configuration.

  1. How do I set up the OIDC Configuration in Reltio Platform?

    In Reltio, you can configure OIDC through the Console: open Console and click SSO Configuration in the Security section. For more information about configuring OIDC, see SSO Configuration Based on OIDC.

  2. Which APIs must be used to configure OIDC?

    To configure OIDC, update the external provider configuration in the customer record with PUT https://auth.reltio.com/oauth/customers/{{customer}}/externalProviderConfig/{{tenant}}. The request body carries the clientSecret, so send it only over HTTPS and keep the JSON out of source control and tickets. Note that the samples in questions 8 and 10 show the whole customer record with externalProviderConfig nested inside it, while the sample in question 9 shows the externalProviderConfig object on its own.

  3. What do I need from the IdP to set up OIDC?

    The following information from the IdP is required to set up OIDC. The clientSecret is a credential: the example value below is only a placeholder, and the real secret must not be shared in tickets, HAR files, or source control.

    Table 1. Requirements to set up OIDC

    Property          | Value | Description                                                                                                                                   | Example
    clientId          |       | External OAuth client ID                                                                                                                      | reltio
    clientSecret      |       | External OAuth client secret                                                                                                                  | qwerty12
    loginEndpoint     |       | External OAuth user login endpoint URI                                                                                                        | xxx
    revokeEndpoint    |       | External OAuth revoke token endpoint URI                                                                                                      | xxx
    tokenEndpoint     |       | External OAuth token endpoint URI                                                                                                             | xxx
    userEmailMapping  | Email | Mapping of a user property from the external OAuth userInfoEndpoint to the Reltio email                                                       | Email
    userGroupsMapping |       | Mapping of a user property from the external OAuth userInfoEndpoint to Reltio groups                                                          | ADGroups
    userIdMapping     | Email | Mapping of a user property from the external OAuth userInfoEndpoint to the Reltio username. If you choose Email for GitHub, the email must be public. | sub
    userInfoEndpoint  |       | External OAuth user info endpoint URI                                                                                                         | xxx
    userRoleMapping   |       | Mapping of a user property from the external OAuth userInfoEndpoint to Reltio roles                                                           | ADRoles
    vendor            |       | Vendor-specific implementation: null for Google and ADFS 2.0, github for GitHub, ping for PingFederate, okta for Okta (see the sample in question 9) | ping

  4. What must I configure in the IdP?

    To successfully set up OIDC, you must configure the following in the IdP. The callbackEndpoint must be registered with the IdP exactly as Reltio presents it; a redirect URI that does not match will be rejected by the IdP.

    Table 2. IdP Configuration for OIDC set up

    Property         | Value  | Description                                                                                                                                   | Mandatory | Example
    callbackEndpoint |        | Reltio OAuth callback URI, which must be configured in the IdP                                                                                | Yes       | https://auth-az.reltio.com/oauth/callback
    userEmailMapping | Email  | Mapping of a user property from the external OAuth userInfoEndpoint to the Reltio email                                                       | Yes       | Email
    userIdMapping    | Email  | Mapping of a user property from the external OAuth userInfoEndpoint to the Reltio username. If you choose Email for GitHub, the email must be public. | No        | sub
    userRoleMapping  | Roles  | Mapping of a user property from the external OAuth userInfoEndpoint to Reltio roles; applicable only if role assignment is managed by the IdP | No        | ADRoles
    userGroupMapping | Groups | Mapping of a user property from the external OAuth userInfoEndpoint to Reltio groups; applicable only if role assignment is managed by the IdP | No        | ADGroups

  5. Can I have different IdP Configurations for different tenants?

    Yes. Each tenant can have its own IdP configuration, but a single tenant can have only one IdP configuration at a time.

  6. What should I do if I face issues after IdP configuration?

    If you face any issues after configuring the IdP, capture a HAR file of the failing login and create a support ticket for further investigation. A HAR file records full requests and responses, including cookies, the authorization code, and any tokens returned by the IdP, so redact those values before attaching the file to the ticket.

  7. Can I import roles from IdP into Reltio?

    Yes. To import roles from the IdP into Reltio, set the userRoleMapping attribute to the name of the user property that carries them. Make sure these roles are valid in the Reltio platform; a role name the platform does not know cannot be applied. During login the IdP sends an additional attribute with the ROLE value, and multiple roles are imported by separating them with commas. Where the IdP sends group names or distinguished names rather than bare role names, userRoleRegexp (see the samples in questions 9 and 10) extracts the role from each value.

  8. What should I do to configure Azure AD (v2.0 endpoints) as the IdP?
    A sample configuration for Azure AD as the IdP is given below. The xxxxx in the endpoint URLs stands for the Azure AD tenant ID, and the clientId and clientSecret placeholders must be replaced with the values of the app registration.
    {
      "id": "xxx",
      "tenants": [
        "xxx"
      ],
      "description": "SSO configuration",
      "passwordPolicy": {},
      "externalProviderConfig": {
        "loginEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize",
        "tokenEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/token",
        "userInfoEndpoint": "https://graph.microsoft.com",
        "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
        "clientId": "?????",
        "clientSecret": "??????",
        "scope": "openid profile",
        "userIdMapping": "userPrincipalName",
        "userEmailMapping": "userPrincipalName",
        "defaultNewUserRoleList": [
          "ROLE_USER",
          "ROLE_API"
        ]
      },
      "caseSensitiveLoginEnabled": true
    }
  9. What should I do to configure Okta as the IdP?
    A sample configuration for Okta as the IdP is given below. Note that this sample maps the Reltio username (userIdMapping) to the given_name claim, which is not guaranteed to be unique across users; a stable identifier such as sub or userPrincipalName, as the Ping and Azure AD samples use, is the safer choice. The userRoleRegexp keeps only the memberOf values that start with AZ_, so unrelated Okta groups are not imported as roles.
    {
      "providerId": "OktaProvider",
      "vendor": "okta",
      "loginEndpoint": "https://xxx.okta.com/oauth2/v1/authorize",
      "tokenEndpoint": "https://xxx.okta.com/oauth2/v1/token",
      "userInfoEndpoint": "https://xxx.okta.com/oauth2/v1/userinfo",
      "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
      "clientId": "xxx",
      "clientSecret": "xxxxxxxxxx",
      "scope": "openid profile email",
      "userIdMapping": "given_name",
      "userEmailMapping": "email",
      "userRoleMapping": "memberOf",
      "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*),*?",
      "defaultNewUserRoleList": [
        "ROLE_UI",
        "ROLE_API"
      ],
      "tenants": [
        "xxx"
      ],
      "jwt": false,
      "defaultGroups": [],
      "roleEnabled": false,
      "groupEnabled": false,
      "sendClientCredentialsInBody": false
    }
  10. What should I do to configure Ping Identity as the IdP?
    A sample configuration for Ping Identity as the IdP is given below. Here ADRoles carries directory distinguished names, and the userRoleRegexp CN=([A-Z_]*),.* extracts the CN component (for example ROLE_USER from CN=ROLE_USER,OU=...) as the Reltio role name.
    {
      "id": "xxxxx",
      "tenants": [
        "xx"
      ],
      "description": "customer",
      "passwordPolicy": {},
      "externalProviderConfig": {
        "vendor": "ping",
        "loginEndpoint": "https://xxx/as/authorization.oauth2",
        "tokenEndpoint": "https://xxx/as/token.oauth2",
        "userInfoEndpoint": "https://xxx/idp/userinfo.openid",
        "revokeEndpoint": "https://xxx/revoke_token.oauth2",
        "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
        "clientId": "xxxxx",
        "clientSecret": "xxxx",
        "scope": "openid profile email",
        "userIdMapping": "sub",
        "defaultNewUserRoleList": [
          "ROLE_USER",
          "ROLE_API"
        ],
        "userRoleMapping": "ADRoles",
        "userRoleRegexp": "CN=([A-Z_]*),.*",
        "caseSensitiveLoginEnabled": false
      }
    }
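    The following Python script is an added example and is not part of the Reltio documentation or the product's own code. It does two things a practitioner wants before sending the PUT from question 2: it sanity-checks an externalProviderConfig (required fields from Table 2, https endpoints, placeholder secrets, a userRoleRegexp that compiles), and it simulates the role import described in question 7 by applying userRoleMapping and userRoleRegexp to a constructed userinfo response, so the effect of the Okta and Ping regular expressions in questions 9 and 10 can be seen offline. The required-field list, the rule "keep capture group 1 of each regexp match, otherwise split on commas", the userinfo payloads, the VALID_ROLES set, and the userEmailMapping added to the Ping config are all assumptions of this example, not documented platform behaviour.

```python
import re
from urllib.parse import urlparse

# Fields every sample in this FAQ carries and that Table 2 marks mandatory.
# This list is an assumption drawn from the FAQ, not Reltio's own validator.
REQUIRED_FIELDS = ("loginEndpoint", "tokenEndpoint", "userInfoEndpoint",
                   "callbackEndpoint", "clientId", "clientSecret",
                   "userIdMapping", "userEmailMapping")
URL_FIELDS = ("loginEndpoint", "tokenEndpoint", "userInfoEndpoint",
              "callbackEndpoint", "revokeEndpoint")
# Placeholder secrets copied from documentation samples; never deploy these.
PLACEHOLDER_SECRETS = {"qwerty12", "xxxx", "xxxxxxxxxx", "??????"}


def check_provider_config(cfg):
    """Return a list of problems found in an externalProviderConfig dict.
    Local sanity checks to run before the PUT; an empty list means clean."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not cfg.get(field):
            problems.append(f"missing {field}")
    for field in URL_FIELDS:
        url = cfg.get(field)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{field} must be an absolute https URL: {url!r}")
    if cfg.get("clientSecret") in PLACEHOLDER_SECRETS:
        problems.append("clientSecret is a documentation placeholder")
    if cfg.get("userRoleRegexp"):
        if not cfg.get("userRoleMapping"):
            problems.append("userRoleRegexp set without userRoleMapping")
        try:
            re.compile(cfg["userRoleRegexp"])
        except re.error as exc:
            problems.append(f"userRoleRegexp does not compile: {exc}")
    return problems


def extract_roles(userinfo, cfg):
    """Simulate the role import from question 7: read the userinfo claim named
    by userRoleMapping, then keep capture group 1 of every userRoleRegexp match
    or, without a regexp, split the claim on commas.
    Assumption: this mirrors how the platform applies the two settings."""
    claim = cfg.get("userRoleMapping")
    if not claim or claim not in userinfo:
        return []
    values = userinfo[claim]
    if isinstance(values, str):
        values = [values]
    pattern = cfg.get("userRoleRegexp")
    roles = []
    for value in values:
        if pattern:
            for hit in re.findall(pattern, value):
                # findall yields tuples when the pattern has several groups
                role = hit[0] if isinstance(hit, tuple) else hit
                if role:
                    roles.append(role)
        else:
            roles.extend(v.strip() for v in value.split(",") if v.strip())
    return list(dict.fromkeys(roles))  # de-duplicate, keep order


def resolve_roles(userinfo, cfg, valid_roles):
    """Split imported roles into those defined in Reltio and those that are
    not, so an unknown IdP group is visible instead of silently dropped."""
    roles = extract_roles(userinfo, cfg)
    accepted = [r for r in roles if r in valid_roles]
    rejected = [r for r in roles if r not in valid_roles]
    return accepted, rejected


# Constructed configs that follow the Okta and Ping samples in this FAQ
# (userEmailMapping added to the Ping one because Table 2 marks it mandatory).
OKTA_CFG = {
    "vendor": "okta",
    "loginEndpoint": "https://xxx.okta.com/oauth2/v1/authorize",
    "tokenEndpoint": "https://xxx.okta.com/oauth2/v1/token",
    "userInfoEndpoint": "https://xxx.okta.com/oauth2/v1/userinfo",
    "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
    "clientId": "xxx", "clientSecret": "xxxxxxxxxx",
    "userIdMapping": "given_name", "userEmailMapping": "email",
    "userRoleMapping": "memberOf", "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*),*?",
}
PING_CFG = {
    "vendor": "ping",
    "loginEndpoint": "https://xxx/as/authorization.oauth2",
    "tokenEndpoint": "https://xxx/as/token.oauth2",
    "userInfoEndpoint": "https://xxx/idp/userinfo.openid",
    "revokeEndpoint": "https://xxx/revoke_token.oauth2",
    "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
    "clientId": "xxxxx", "clientSecret": "xxxx",
    "userIdMapping": "sub", "userEmailMapping": "email",
    "userRoleMapping": "ADRoles", "userRoleRegexp": "CN=([A-Z_]*),.*",
}
# Constructed userinfo responses; every claim value here is invented.
OKTA_USERINFO = {"sub": "00u1abc", "given_name": "Alice",
                 "email": "alice@example.com",
                 "memberOf": "AZ_ADMIN,AZ_USER,Everyone"}
PING_USERINFO = {"sub": "alice", "email": "alice@example.com",
                 "ADRoles": ["CN=ROLE_USER,OU=Groups,DC=example,DC=com",
                             "CN=Domain Users,OU=Groups,DC=example,DC=com"]}
# Assumed set of roles defined on the Reltio side.
VALID_ROLES = {"ROLE_USER", "ROLE_API", "ROLE_UI", "AZ_ADMIN"}

if __name__ == "__main__":
    for name, cfg, info in (("okta", OKTA_CFG, OKTA_USERINFO),
                            ("ping", PING_CFG, PING_USERINFO)):
        print(name, "config problems:", check_provider_config(cfg))
        print(name, "roles (accepted, rejected):",
              resolve_roles(info, cfg, VALID_ROLES))
```

    Run as written, both sample configs are flagged only for their placeholder clientSecret; the Okta regexp yields AZ_ADMIN and AZ_USER from the comma-separated memberOf claim (Everyone is dropped), and the Ping regexp yields ROLE_USER while ignoring the Domain Users DN whose CN is not an upper-case role name. Roles that the IdP sends but Reltio does not define show up in the rejected list, which is the check question 7 asks you to make.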
  11. Can I configure SSO for RDM tenants as well?
    Yes. You can reuse the configuration of the MDM tenants by adding the RDM tenant ID to the tenants array of externalProviderConfig. A sample is given below.
    "externalProviderConfig": {
                ........
                "tenants": ["RDM Tenant ID"]
    }