OpenID Connect Configuration - FAQ

Find the answers to Frequently Asked Questions (FAQs) about OpenID Connect (OIDC) Configuration.

  1. How do I set up the OIDC Configuration in Reltio Platform?

    In Reltio, you can now configure OIDC through Console. Go to Console, and click SSO Configuration in the Security section. For more information about configuring OIDC, see SSO Configuration Based on OIDC.

  2. Which APIs must be used to configure OIDC?

    To configure OIDC, update the external provider configuration in the customer record using PUT https://auth.reltio.com/oauth/customers/{{customer}}/externalProviderConfig/{{tenant}}.

  3. What do I need from IdP to set up OIDC?

    The following information from IdP is required to set up OIDC:

    Table 1. Requirements to set up OIDC

    clientId
      Description: External OAuth client ID
      Example: reltio

    clientSecret
      Description: External OAuth client secret
      Example: qwerty12

    loginEndpoint
      Description: External OAuth user login endpoint URI
      Example: xxx

    revokeEndpoint
      Description: External OAuth revoke token endpoint URI
      Example: xxx

    tokenEndpoint
      Description: External OAuth token endpoint URI
      Example: xxx

    userEmailMapping
      Value: Email
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio email
      Example: Email

    userGroupsMapping
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio groups
      Example: ADGroups

    userIdMapping
      Value: Email
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio username. If you have chosen Email for GitHub, the email must be a public one.
      Example: sub

    userInfoEndpoint
      Description: External OAuth user info endpoint URI
      Example: xxx

    userRoleMapping
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio roles
      Example: ADRoles

    vendor
      Description: Vendor-specific implementation, which can be:
        • null for Google and ADFS 2.0
        • github for GitHub
        • ping for PingFederate
      Example: ping

  4. What must I configure in IdP?

    To successfully set up OIDC, you must configure the following in IdP:

    Table 2. IdP configuration for OIDC set up

    callbackEndpoint
      Description: Reltio OAuth callback URI, which must be configured in the IdP
      Mandatory: Yes
      Example: https://auth-az.reltio.com/oauth/callback

    userEmailMapping
      Value: Email
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio email
      Mandatory: Yes
      Example: Email

    userIdMapping
      Value: Email
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio username. If Email is chosen for GitHub, the email must be a public one.
      Mandatory: No
      Example: sub

    userRoleMapping
      Value: Roles
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio roles, which is applicable only if role assignment is managed by the IdP.
      Mandatory: No
      Example: ADRoles

    userGroupMapping
      Value: Groups
      Description: Mapping user property from external OAuth userInfoEndpoint to Reltio groups, which is applicable only if role assignment is managed by the IdP.
      Mandatory: No
      Example: ADGroups

  5. Can I have different IdP Configurations for different tenants?

    Yes, you can have different IdP configurations for each tenant. However, note that you can have only one IdP configuration for a tenant.

  6. What should I do if I face issues after IdP configuration?

    If you face any issues after configuring IdP, capture the HAR file and then create a support ticket for further investigation.

  7. Can I import roles from IdP into Reltio?

    Yes, you can import roles from IdP into Reltio by specifying the userRoleMapping attribute. Make sure these roles are valid in the Reltio platform. During import, the IdP sends an additional attribute carrying the ROLE value. Multiple roles can be imported by separating them with commas.

  8. What should I do to configure Azure 2.0 as IdP?
    A sample configuration to configure Azure 2.0 as IdP is given below:
    {
      "id": "xxx",
      "tenants": [
        "xxx"
      ],
      "description": "SSO configuration",
      "passwordPolicy": {},
      "externalProviderConfig": {
        "loginEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize",
        "tokenEndpoint": "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/token",
        "userInfoEndpoint": "https://graph.microsoft.com",
        "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
        "clientId": "?????",
        "clientSecret": "??????",
        "scope": "openid profile",
        "userIdMapping": "userPrincipalName",
        "userEmailMapping": "userPrincipalName",
        "defaultNewUserRoleList": [
          "ROLE_USER",
          "ROLE_API"
        ]
      },
      "caseSensitiveLoginEnabled": true
    }
  9. What should I do to configure Okta as IdP?
    A sample configuration to configure Okta as IdP is given below:
    {
      "providerId": "OktaProvider",
      "vendor": "okta",
      "loginEndpoint": "https://xxx.okta.com/oauth2/v1/authorize",
      "tokenEndpoint": "https://xxx.okta.com/oauth2/v1/token",
      "userInfoEndpoint": "https://xxx.okta.com/oauth2/v1/userinfo",
      "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
      "clientId": "xxx",
      "clientSecret": "xxxxxxxxxx",
      "scope": "openid profile email",
      "userIdMapping": "given_name",
      "userEmailMapping": "email",
      "userRoleMapping": "memberOf",
      "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*),*?",
      "defaultNewUserRoleList": [
        "ROLE_UI",
        "ROLE_API"
      ],
      "tenants": [
        "xxx"
      ],
      "jwt": false,
      "defaultGroups": [],
      "roleEnabled": false,
      "groupEnabled": false,
      "sendClientCredentialsInBody": false
    }
  10. What should I do to configure Ping Identity as IdP?
    A sample configuration to configure Ping Identity as IdP is given below:
    {
        "id": "xxxxx",
        "tenants": [
          "xx"
        ],
        "description": "customer",
        "passwordPolicy": {},
        "externalProviderConfig": {
          "vendor": "ping",
          "loginEndpoint": "https://xxx/as/authorization.oauth2",
          "tokenEndpoint": "https://xxx/as/token.oauth2",
          "userInfoEndpoint": "https://xxx/idp/userinfo.openid",
          "revokeEndpoint": "https://xxx/revoke_token.oauth2",
          "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
          "clientId": "xxxxx",
          "clientSecret": "xxxx",
          "scope": "openid profile email",
          "userIdMapping": "sub",
          "defaultNewUserRoleList": [
            "ROLE_USER",
            "ROLE_API"
          ],
          "userRoleMapping":"ADRoles",
          "userRoleRegexp":"CN=([A-Z_]*),.*",
          "caseSensitiveLoginEnabled": false
        }
      }
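    As an added illustration (not Reltio's own code), the following Python checks an externalProviderConfig against the mandatory properties in Table 2 and shows how a role claim becomes Reltio role names, covering the comma-separated case in question 7 and the userRoleRegexp patterns in the Okta and Ping samples. The regex semantics (capture group 1 of each match is a role), the placeholder check and the userinfo payloads are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed example, not Reltio's code. Mandatory properties follow Table 2;
# vendor values follow Table 1 plus the "okta" value used in the Okta sample.
MANDATORY = ("callbackEndpoint", "userEmailMapping")
ENDPOINTS = ("loginEndpoint", "tokenEndpoint", "userInfoEndpoint",
             "revokeEndpoint", "callbackEndpoint")
KNOWN_VENDORS = {None, "github", "ping", "okta"}
PLACEHOLDER = re.compile(r"^[x?]+$", re.IGNORECASE)  # "xxx" / "?????" left from a sample

def check_provider_config(cfg):
    """Return a list of problems found in an externalProviderConfig dict."""
    problems = []
    for key in MANDATORY:
        if not cfg.get(key):
            problems.append(f"{key}: mandatory property missing")
    for key in ENDPOINTS:
        url = cfg.get(key)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{key}: not an https URL ({url})")
    for key in ("clientId", "clientSecret"):
        if PLACEHOLDER.match(str(cfg.get(key, ""))):
            problems.append(f"{key}: placeholder value left in place")
    if cfg.get("vendor") not in KNOWN_VENDORS:
        problems.append(f"vendor: unknown value {cfg['vendor']!r}")
    if cfg.get("userRoleRegexp") and not cfg.get("userRoleMapping"):
        problems.append("userRoleRegexp: set without userRoleMapping")
    return problems

def extract_roles(userinfo, cfg):
    """Derive Reltio role names from a userInfoEndpoint response.

    Assumed semantics (not stated on the page): the claim named by
    userRoleMapping is a list or a comma-separated string (question 7);
    when userRoleRegexp (one capture group) is set, group 1 of every
    match in each claim item is a role name.
    """
    claim = userinfo.get(cfg.get("userRoleMapping", ""), [])
    items = claim if isinstance(claim, list) else [claim]
    pattern = cfg.get("userRoleRegexp")
    roles = []
    for item in items:
        if pattern:
            roles.extend(m for m in re.findall(pattern, str(item)) if m)
        else:
            roles.extend(r.strip() for r in str(item).split(",") if r.strip())
    return roles
```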
  11. Can I configure SSO to enable RDM tenants also?
    Yes, you can use the same configuration used for the MDM tenants by adding the RDM tenant ID into the tenants array in externalProviderConfig. A sample is given below.
    "externalProviderConfig": {
                ........
                "tenants": ["RDM Tenant ID"]
    }