Set up an IdP for OAuth/OIDC
Learn about configuring an external identity provider as an Authorization Server.
Do you want to use a third-party OAuth 2.0 or OpenID Connect (OIDC) Identity Provider (IdP) as an Authorization Server to enable Single Sign-On (SSO) to the Reltio Data Cloud? If so, configure an endpoint for the external IdP so that it can interact with the Reltio Hub and OAuth services as an Authorization Server. For more information, see topic OAuth 2.0/OIDC authentication flow.
External IdP endpoint configuration
The IdP endpoint configuration takes the following form. For an explanation of the values to provide, see the table later in this topic. For specific configuration details, see the subtopics for a supported IdP.
```
POST http://{{oauth}}/oauth/customers
Authorization: Bearer {{admin_token}}

[
  {
    "id": "Github",
    "tenants": ["github"],
    "description": "customer",
    "passwordPolicy": {},
    "externalProviderConfig": {
      "vendor": "github",
      "loginEndpoint": "https://github.com/login/oauth/authorize",
      "tokenEndpoint": "https://github.com/login/oauth/access_token",
      "userInfoEndpoint": "https://api.github.com/user",
      "revokeEndpoint": "https://api.github.com/applications",
      "callbackEndpoint": "http://{{oauth}}/oauth/callback",
      "clientId": "???????",
      "clientSecret": "??????????",
      "externalClientId": "???????",
      "scope": "email",
      "defaultNewUserRoleList": ["ROLE_API", "ROLE_USER"],
      "userGroupsMapping": "groups",
      "userGroupRegExp": "OU=([a-zA-Z0-9_]*).*?",
      "defaultGroups": ["QA_Group", "Dev_Group"]
    }
  }
]
```
External IdP configuration properties
External provider properties specified within the externalProviderConfig section are listed in the table below.
Property | Example | Default Value | Description |
---|---|---|---|
vendor | ping | | Identifier for vendor-specific implementation: For details of IdPs you can use, see topic . |
loginEndpoint | https://pingtest.<example>.com/as/authorization.oauth2 | | External OAuth user login endpoint URI. |
tokenEndpoint | https://pingtest.<example>.com/as/token.oauth2 | | External OAuth token endpoint URI. |
userInfoEndpoint | https://pingtest.<example>.com/idp/userinfo.openid | | External OAuth user info endpoint URI. The endpoint is used to get user information (along with user roles defined in the IdP) after a token is obtained. |
revokeEndpoint | https://pingtest.<example>.com/as/revoke_token.oauth2 | | External OAuth revoke token endpoint URI. |
callbackEndpoint | https://auth-<example>.reltio.com/oauth/callback | | Reltio OAuth callback URI. |
clientId | reltio | | External OAuth client ID. |
clientSecret | example12 | | External OAuth client secret. |
scope | openid profile email | email | Scope required from the external Authorization Server. Defines which information the server should include in the userInfoEndpoint response, as a list of space-separated OAuth scopes. This list can be specific for each vendor: |
userIdMapping | sub | email | Mapping user property: external OAuth userInfoEndpoint to Reltio username. Note: If "email" is chosen for GitHub, the email should be public. |
userEmailMapping | email | email | Mapping user property: external OAuth userInfoEndpoint to Reltio email. |
defaultNewUserRoleList | ["ROLE_API", "ROLE_USER"] | | The list of roles that each new user will receive on first log in. |
userRoleMapping | ADGroups | | Mapping user property from external OAuth userInfoEndpoint to Reltio roles. |
userRoleRegexp | CN=([A-Z_]*),.* ([-a-zA-Z0-9_]*),*? | | Extracts roles based on regular expression. The expression must have one regexp group to return the name of the role. If it's assumed that multiple roles can be returned from the IdP, the expression must include the delimiter (e.g. comma). |
jwt | false | false | If true, the JWT token is verified and decoded in the Reltio Auth server itself. Otherwise, the Reltio Auth server calls the user-info endpoint of the SSO server so that the token is verified and decoded in the SSO provider server itself. If true, define the following properties in jwtSignatureConfig: |
sendClientCredentialsInBody | true | false | Enables sending the client credentials in the Request Body. By default, when the value is false or the property is not specified, the client credentials are sent in the Authorization Header. |
defaultGroups | ["QA_Group", "Dev_Group"] | - | The list of groups that each new user will receive on first log in. |
userGroupsMapping | ADGroups | - | Mapping user property from external OAuth userInfoEndpoint to Reltio groups. |
userGroupRegExp | CN=([A-Z_]*),.* ([-a-zA-Z0-9_]*),*? | - | Extracts groups based on regular expression. The expression must have one regexp group to return the name of the group. If it's assumed that multiple groups can be returned from the IdP, the expression must include the delimiter (e.g. comma). |
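
A pre-submission check for an externalProviderConfig section, as an added example that is not Reltio's own code: it reports non-https endpoint URIs and a placeholder clientSecret (both are this example's policy, not rules stated above), enforces the one-regexp-group requirement from the table, and previews what a role or group expression captures. The helper names, the sample values and the repeated-search matching in `preview_names` are assumptions; the page does not say how the server applies the expression, and Python's `re` stands in for the server's regex engine.

```python
import re
from urllib.parse import urlparse

ENDPOINT_KEYS = ("loginEndpoint", "tokenEndpoint", "userInfoEndpoint",
                 "revokeEndpoint", "callbackEndpoint")
REGEX_KEYS = ("userRoleRegexp", "userGroupRegExp")

# Constructed sample, not a real tenant; example.com is a reserved domain.
SAMPLE = {
    "tokenEndpoint": "https://sso.example.com/as/token.oauth2",
    "userInfoEndpoint": "http://sso.example.com/idp/userinfo.openid",
    "clientSecret": "??????????",
    "userRoleRegexp": "CN=(([A-Z_]*)),.*",
}


def lint_provider_config(cfg):
    """Return findings for one externalProviderConfig dict (hypothetical helper)."""
    findings = []
    for key in ENDPOINT_KEYS:
        url = cfg.get(key)
        if url is None:
            continue
        # Policy of this example: codes and tokens cross these URLs, so
        # anything that is not https with a host name is reported.
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{key}: not an https URL")
    for key in REGEX_KEYS:
        pattern = cfg.get(key)
        if pattern is None:
            continue
        try:
            groups = re.compile(pattern).groups
        except re.error as exc:
            findings.append(f"{key}: does not compile ({exc})")
            continue
        # The property table requires one regexp group per expression.
        if groups != 1:
            findings.append(f"{key}: {groups} capture groups, expected 1")
    secret = cfg.get("clientSecret", "")
    if not secret or set(secret) == {"?"}:
        findings.append("clientSecret: empty or placeholder")
    return findings


def preview_names(pattern, claim_value):
    """Names group 1 captures, assuming repeated-search matching (unconfirmed)."""
    return [m.group(1) for m in re.finditer(pattern, claim_value) if m.group(1)]
```

Under that matching assumption, the table's `CN=([A-Z_]*),.*` example yields only the first name from a claim that carries two distinguished names in one string, because the trailing `.*` consumes the rest; this is the case the delimiter remark in the table addresses.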