SSO Configuration Based on OIDC
Configure OpenID Connect (OIDC) based Single Sign-On (SSO).
To configure OIDC Single Sign-On for the tenant:
- In Console, select SSO Configuration.
- In the SSO Configuration page, click CONFIGURE OIDC. You will see the SSO - OIDC Configuration page.
The OIDC Configuration page can be divided into the following four sections:
- Default Settings
- Roles Settings
- Groups Settings
- JSON Web Token Settings
- Enter the Default Settings as described in Table 1: OIDC Default Settings.

Table 1. OIDC Default Settings

| Field | Description |
| --- | --- |
| Vendor | From the dropdown, select the name of the OIDC Identity Provider. This is a mandatory field. |
| Client ID | Enter the client ID provided by the Identity Provider (IdP). This is a mandatory field. |
| Client Secret | Enter the client secret provided by the IdP. This is a mandatory field. |
| User email mapping | Enter the OIDC attribute from the Identity Provider that is mapped to the email ID in Reltio. |
| User ID mapping | Enter the OIDC attribute from the Identity Provider that is mapped to the user name in Reltio. |
| Scope | Enter the OIDC scope that is returned in the ID token. |

- Enter the Role Settings as described in Table 2: OIDC Role Settings.
Table 2. OIDC Role Settings

| Field | Description |
| --- | --- |
| Default Roles | Specify the default roles that each new user receives on logging in to the tenant. Click the arrow to view and select roles. |
| Manage Roles in IdP | This checkbox denotes whether roles are managed in the IdP or in Reltio. Select it to manage roles in the IdP; clear it to manage roles in Reltio. Note: If you select this checkbox, roles are copied from the IdP and Reltio roles are ignored. If you opt to manage roles in Reltio, the IdP roles are not copied into Reltio and only Reltio roles are used. |
| Roles OIDC attribute | Enter the OIDC attribute that is mapped to the user roles in Reltio. This field appears only if you have selected the Manage Roles in IdP checkbox. This is a mandatory field. |
| Role regular expression | Select the regular expression used to extract roles from the OIDC attribute: select .csv for comma-separated values, or enter a regular expression in the field provided. This field appears only if you have selected the Manage Roles in IdP checkbox. |

- Enter the Group Settings as described in Table 3: OIDC Group Settings.
Table 3. OIDC Group Settings

| Field | Description |
| --- | --- |
| Default Groups | Select the default groups that the user becomes part of as soon as they log in to the tenant. Click the arrow to view and select groups. |
| Manage Groups in IdP | This checkbox denotes whether groups are managed in the IdP or in Reltio. Select it to manage groups in the IdP; clear it to manage groups in Reltio. Note: If you select this checkbox, groups are copied from the IdP and Reltio groups are ignored. If you opt to manage groups in Reltio, the IdP groups are not copied into Reltio and only Reltio groups are used. |
| Group OIDC attribute | Enter the OIDC attribute that is mapped to the groups in Reltio. This field appears only if you have selected the Manage Groups in IdP checkbox. This is a mandatory field. |
| Group regular expression | Enter the regular expression used to extract groups from the OIDC attribute: select .csv for comma-separated values, or enter a regular expression in the field provided. This field appears only if you have selected the Manage Groups in IdP checkbox. |
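The Role Settings (Table 2) and Group Settings (Table 3) rules applied to the claims of a decoded ID token, as an added Go example that is not Reltio's code: with the Manage ... in IdP checkbox clear the IdP attribute is ignored and only the Reltio defaults apply; with it set, the attribute is split as comma-separated values for .csv or matched with the configured regular expression. It goes beyond the page by also accepting array-valued claims (the usual shape of a groups claim), and it assumes that default roles or groups are granted in both modes, that Go regexp syntax is acceptable, and that the last capture group of the pattern is the value to keep; the function and parameter names are the example's own.

```go
package main

import (
	"regexp"
	"strings"
)

// Resolve applies the Role Settings / Group Settings rules (the two tables share them). manageInIdP is the
// "Manage ... in IdP" checkbox, attribute the "... OIDC attribute" claim name, pattern either ".csv" or a Go
// regexp whose last capture group is the value, defaults the "Default Roles/Groups". Assumption: defaults apply in both modes.
func Resolve(manageInIdP bool, attribute, pattern string, defaults []string, claims map[string]any) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	add := func(s string) { // trim, drop empties and duplicates (first occurrence wins)
		if s = strings.TrimSpace(s); s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	for _, d := range defaults {
		add(d)
	}
	if !manageInIdP { // checkbox clear: the IdP claim is ignored, only Reltio-side roles/groups count
		return out, nil
	}
	re, err := regexp.Compile(pattern) // for ".csv" the compiled value is simply not used
	if pattern != ".csv" && err != nil {
		return nil, err
	}
	vals, ok := claims[attribute].([]any) // a groups claim is often a JSON array; a string claim is wrapped
	if !ok {
		vals = []any{claims[attribute]}
	}
	for _, e := range vals {
		v, _ := e.(string) // non-string or missing values yield "" and are skipped by add
		if pattern == ".csv" {
			for _, part := range strings.Split(v, ",") {
				add(part)
			}
			continue
		}
		for _, m := range re.FindAllStringSubmatch(v, -1) {
			add(m[len(m)-1]) // last capture group, or the whole match when the regexp has none
		}
	}
	return out, nil
}
```

A constructed claim such as `"groups": ["cn=reltio-admins,ou=groups,dc=example,dc=com"]` with the pattern `cn=([^,]+)` yields `reltio-admins`; the same claim with `.csv` would yield the raw DN fragments, which is why the pattern choice matters.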
- Under JSON Web Token Settings, select Manage JWT if your Identity Provider is going to provide the JSON Web Token (JWT). Note: If you select this checkbox, the JWT is verified and decoded in the Reltio Auth server itself. Otherwise, the Reltio Auth server calls the user-info endpoint of the SSO server, and the token is verified and decoded on the SSO provider's server. The fields in Table 4 are enabled when you select this checkbox.

Table 4. OIDC JSON Web Token Settings

| Field | Description |
| --- | --- |
| Manage JWT | Select this checkbox to specify the settings for signing JSON Web Tokens. |
| Algorithm | The algorithm used to sign and secure the JWT. Reltio supports only RSA256, which is the most widely recommended one. |
| Issuer | Enter the URL of the SSO provider; it is included in the token as the issuer. |
| jwksURL | Enter the URL from which the public keys JSON (JWKS) of the SSO server is downloaded. It is needed to verify the ID token. |

- Enter the Endpoint Settings as described in Table 5: Endpoint Settings.
Table 5. Endpoint Settings

| Field | Description |
| --- | --- |
| Callback endpoint | Enter the OAuth callback endpoint URI. Click the Copy icon to copy this endpoint URI and configure it in your Identity Provider settings. |
| Login endpoint | Enter the OAuth login endpoint URI provided by your Identity Provider. |
| Revoke endpoint | Enter the OAuth revoke token endpoint URI provided by your Identity Provider. |
| Token endpoint | Enter the OAuth token endpoint URI provided by your Identity Provider. |
| User info endpoint | Enter the external OAuth user info endpoint URI. |

- Click CONFIGURE at the top of the page. Your SSO-OIDC is now configured.
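The checks that Manage JWT (Table 4) moves into the Reltio Auth server, as an added Go example that is not Reltio's implementation: pin the algorithm to RS256 (the JWA name of the page's RSA256), verify the signature with the n/e values of a key taken from jwksURL, then require that iss equals the configured Issuer, aud equals the Client ID and exp has not passed. MintTestToken stands in for the IdP only so that the verifier can be exercised offline; the function names, the single-string aud and the sample claims are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JWK is the part of one jwksURL entry that RS256 needs ("n" and "e" match case-insensitively).
type JWK struct{ Kty, N, E string }
var enc = base64.RawURLEncoding
func decode(s string) []byte { b, _ := enc.DecodeString(s); return b }
func hash(signingInput string) []byte { h := sha256.Sum256([]byte(signingInput)); return h[:] }
// MintTestToken stands in for the IdP: fresh key, its published JWK, and claims signed with RS256 (offline test setup).
func MintTestToken(claims map[string]any) (string, JWK) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	body, _ := json.Marshal(claims)
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hash(signing))
	return signing + "." + enc.EncodeToString(sig), JWK{"RSA", enc.EncodeToString(priv.N.Bytes()), enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

// VerifyIDToken does locally what "Manage JWT" enables: pin the algorithm, verify the signature with the
// jwksURL key, then check iss (Issuer), aud (Client ID, assumed to be a single string) and exp.
func VerifyIDToken(token string, key JWK, issuer, clientID string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string }
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256") // never accept "none" or HS256 here
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(decode(key.N)), E: int(new(big.Int).SetBytes(decode(key.E)).Int64())}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash(parts[0]+"."+parts[1]), decode(parts[2])) != nil {
		return nil, errors.New("signature does not verify against the jwksURL key")
	}
	var claims map[string]any
	if json.Unmarshal(decode(parts[1]), &claims) != nil || claims["iss"] != issuer || claims["aud"] != clientID {
		return nil, errors.New("unreadable payload, issuer mismatch or audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) {
		return nil, errors.New("exp missing or token expired")
	}
	return claims, nil
}
```

Exercise it from a test file in the same package: mint a token with constructed claims, then call VerifyIDToken with the matching issuer and client ID, and again with a changed issuer, a tampered payload or an `alg: none` header to see each rejection. The returned claims map is where the User email mapping, User ID mapping and role/group attributes from the earlier tables are read.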