
Admin: Appendix B - OpenID Connect (OIDC) configuration

Overview

This section describes how to configure RPI to use an OIDC provider for authentication. The following RPI application settings are used for this purpose (the settings are listed by name, each followed by its description):

Authentication__OpenIdProviders__0__Name

    Name of the provider as displayed in the RPI Sign In dialog.

Authentication__OpenIdProviders__0__Audience

    The audience identifier configured within the OpenId provider. This is the value RPI expects to find in the token's aud claim.

Authentication__OpenIdProviders__0__AuthorizationHost

    The issuer (authorization host) URL of the configured OpenId provider.

    Note: The user is taken to this host when logging into RPI using OpenId authentication.

Authentication__OpenIdProviders__0__ClientID

    The Client ID configured within the OpenId provider.

Authentication__OpenIdProviders__0__CustomScopes

    List of custom scopes to request, in addition to the standard OpenId scopes, when requesting the access token.

Authentication__OpenIdProviders__0__EnableRefreshTokens

    True = refresh tokens are requested and used to renew the session (recommended). False = refresh tokens are disabled.

    Note: If refresh tokens are disabled, the client is logged off once the access token expires, after the lifetime configured within the OpenId provider.

Authentication__OpenIdProviders__0__LogoutIdTokenParameter

    Query parameter name used to pass the ID token to the provider on logout. The default value is ‘id_token_hint’.

Authentication__OpenIdProviders__0__RedirectURL

    The redirect URL to which the provider returns the token. It must match a redirect URI registered for the client within the OpenId provider.

Authentication__OpenIdProviders__0__ValidateIssuer

    True = the iss claim of the access token must match the AuthorizationHost setting. Leave this enabled in production so that a token minted by a different issuer is rejected.

Authentication__OpenIdProviders__0__ValidateAudience

    True = the aud claim of the access token must match the Audience setting. Leave this enabled in production so that a token issued for a different client or API is rejected.

Authentication__OpenIdProviders__0__SupportsUserManagement

    True = RPI supports management of users directly within the OIDC provider (as well as native user management).
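The ValidateIssuer and ValidateAudience switches decide which tokens RPI accepts; the following added example (not RPI code, and not how RPI implements its own token handling) shows what each switch checks and what slips through when it is off. The signing key, the settings values, the hostnames and the sample tokens are all constructed for the example; a real provider signs with an asymmetric key published through its discovery document rather than with HS256.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real provider signs with RS256/ES256 and publishes the
# public key via the jwks_uri in <AuthorizationHost>/.well-known/openid-configuration.
DEMO_KEY = b"constructed-demo-signing-key"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Settings named as in the RPI table; hostname and audience are placeholders.
SETTINGS = {
    "AuthorizationHost": "https://keycloak.example.com/realms/rpi",
    "Audience": "account",
    "ValidateIssuer": True,
    "ValidateAudience": True,
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT carrying the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate(token: str, settings: dict, now: int = NOW, key: bytes = DEMO_KEY):
    """Return (accepted, reason), mirroring the ValidateIssuer / ValidateAudience switches."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if settings["ValidateIssuer"] and claims.get("iss") != settings["AuthorizationHost"]:
        return False, f"issuer {claims.get('iss')!r} is not the configured AuthorizationHost"
    if settings["ValidateAudience"]:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if settings["Audience"] not in audiences:
            return False, f"audience {audiences!r} does not include {settings['Audience']!r}"
    if not claims.get("email"):
        return False, "email claim missing (RPI uses it to identify the user)"
    return True, "ok"


# Constructed sample tokens: one valid, one from a foreign issuer, one for another audience.
GOOD = make_token({"iss": SETTINGS["AuthorizationHost"], "aud": ["account"],
                   "email": "alice@example.com", "exp": NOW + 300})
WRONG_ISSUER = make_token({"iss": "https://other-idp.example.net/realms/rpi", "aud": ["account"],
                           "email": "mallory@example.net", "exp": NOW + 300})
WRONG_AUDIENCE = make_token({"iss": SETTINGS["AuthorizationHost"], "aud": "some-other-client",
                             "email": "alice@example.com", "exp": NOW + 300})

if __name__ == "__main__":
    lax = dict(SETTINGS, ValidateIssuer=False)
    for label, tok, cfg in [("good", GOOD, SETTINGS), ("wrong issuer", WRONG_ISSUER, SETTINGS),
                            ("wrong audience", WRONG_AUDIENCE, SETTINGS),
                            ("wrong issuer, ValidateIssuer=False", WRONG_ISSUER, lax)]:
        print(f"{label}: {validate(tok, cfg)}")
```

The last case in the main block is the one to note: with ValidateIssuer set to False, a correctly signed token from any issuer whose audience and email claims look right is accepted, which is why both validation switches should stay True outside of a lab.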

The following OIDC providers have been validated for use with RPI. The sections below describe how to obtain the values for the application settings listed above from each provider.

Keycloak

The steps below assume the Realm has been created and configured within Keycloak. Please refer to the Keycloak documentation (https://www.keycloak.org/docs/latest/getting_started/index.html) for steps on how to create the required components.

  • Authentication__OpenIdProviders__0__Audience

    • Log into the Keycloak admin console, select the Realm configured for RPI and open the ‘Clients’ section.

For a typical install, the ‘account’ client is the default audience. Set this value at the Authentication__OpenIdProviders__0__Audience application setting.

  • Authentication__OpenIdProviders__0__AuthorizationHost

    • As Keycloak is self-hosted, the Authorization Host is the realm's issuer URL, formatted as follows: https://<fqdn>:<port>/auth/realms/<realm_name>

Note: The /auth path prefix applies to the older WildFly-based Keycloak distribution. Keycloak 17 and later (the Quarkus distribution) serve realms at https://<fqdn>:<port>/realms/<realm_name> unless the server has been configured with a relative path. Use the exact issuer URL that Keycloak reports (the iss claim in its tokens), because with ValidateIssuer enabled the value must match character for character.

Set this value at the Authentication__OpenIdProviders__0__AuthorizationHost configuration setting.

  • Authentication__OpenIdProviders__0__ClientID

    • Open the list of Keycloak Clients and click on the client ID configured for RPI:

Copy the value in the ‘Client ID’ text box and set the Authentication__OpenIdProviders__0__ClientID application setting to the same.

  • Authentication__OpenIdProviders__0__CustomScopes

    • Custom scopes are not required for this provider; however, the email claim must be included by the client scope. This is enabled by default and can be confirmed by navigating to Client Scopes > email > Mappers > email and ensuring the ‘Add to access token’ option is enabled.

  • Authentication__OpenIdProviders__0__RedirectURL

    • Open the client settings for the Keycloak client configured for RPI.

    • Under the ‘Settings’ tab, scroll down to the ‘Valid Redirect URIs’ configuration setting and click the ‘+’ icon to add a new redirect URI. This must be a valid and accessible URL with the https:// protocol. Register the exact URL rather than a wildcard pattern, so that the provider cannot be made to redirect tokens to an arbitrary path on the host.

    • Use the same URL at the Authentication__OpenIdProviders__0__RedirectURL application setting.

Click the ‘Save’ button once the URI is updated.
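The Keycloak steps above produce a handful of values that end up as RPI application settings. The following added example (not part of RPI or its documentation) assembles them, derives the realm issuer URL for both the current and the legacy Keycloak path layout, and runs the sanity checks a reviewer would apply before deployment: https everywhere, an exact redirect URL, and both Validate switches left on. The hostnames, realm, client ID and redirect URL are placeholders; the same checks apply to values copied from the Okta or Entra consoles.

```python
from urllib.parse import urlparse


def keycloak_authorization_host(fqdn: str, realm: str, port: int = 443,
                                legacy_auth_prefix: bool = False) -> str:
    """Issuer URL of a Keycloak realm.

    Keycloak 17+ (Quarkus distribution) serves realms at /realms/<realm>; the
    older WildFly-based distribution used /auth/realms/<realm>, which is the
    template the guide shows. The value must equal the iss claim exactly.
    """
    prefix = "/auth" if legacy_auth_prefix else ""
    hostport = fqdn if port == 443 else f"{fqdn}:{port}"
    return f"https://{hostport}{prefix}/realms/{realm}"


def rpi_oidc_settings(name: str, authorization_host: str, audience: str, client_id: str,
                      redirect_url: str, custom_scopes: str = "", enable_refresh: bool = True,
                      index: int = 0) -> dict:
    """Map the collected values onto the RPI setting names.

    The guide documents a single provider at index 0; the numeric segment is the
    array index in the Authentication__OpenIdProviders__<n>__ key scheme.
    """
    key = lambda suffix: f"Authentication__OpenIdProviders__{index}__{suffix}"
    return {
        key("Name"): name,
        key("Audience"): audience,
        key("AuthorizationHost"): authorization_host,
        key("ClientID"): client_id,
        key("CustomScopes"): custom_scopes,
        key("EnableRefreshTokens"): "true" if enable_refresh else "false",
        key("LogoutIdTokenParameter"): "id_token_hint",
        key("RedirectURL"): redirect_url,
        key("ValidateIssuer"): "true",
        key("ValidateAudience"): "true",
        key("SupportsUserManagement"): "false",
    }


def _get(settings: dict, suffix: str):
    matches = [v for k, v in settings.items() if k.endswith("__" + suffix)]
    return matches[0] if matches else None


def check_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the values pass the basic checks."""
    problems = []
    for suffix in ("AuthorizationHost", "RedirectURL"):
        url = _get(settings, suffix) or ""
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{suffix} must be an https URL with a host, got {url!r}")
        if "*" in url:
            problems.append(f"{suffix} must be an exact URL, not a pattern: {url!r}")
    for suffix in ("ValidateIssuer", "ValidateAudience"):
        if str(_get(settings, suffix)).lower() != "true":
            problems.append(f"{suffix} should be true so tokens from another issuer or audience are rejected")
    for suffix in ("ClientID", "Audience"):
        if not _get(settings, suffix):
            problems.append(f"{suffix} is empty")
    return problems


def render_env(settings: dict) -> str:
    """Render the settings as KEY=VALUE lines for an environment file."""
    return "\n".join(f"{k}={v}" for k, v in settings.items())


# Placeholder values standing in for what the Keycloak console shows.
KEYCLOAK_HOST = keycloak_authorization_host("keycloak.example.com", "rpi")
SETTINGS = rpi_oidc_settings(
    name="Keycloak",
    authorization_host=KEYCLOAK_HOST,
    audience="account",
    client_id="rpi-client",
    redirect_url="https://rpi.example.com/oidc/callback",
)

if __name__ == "__main__":
    print(render_env(SETTINGS))
    print("problems:", check_settings(SETTINGS))
```

Running the script prints the environment-variable form of the settings and an empty problem list; swapping in an http:// redirect URL, a wildcard, or a false Validate switch makes the corresponding problem appear.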

Okta

Portal Link: https://<account>-admin.okta.com/

The steps below assume the application has been created within Okta. Please refer to the Okta documentation (https://help.okta.com/en/prod/Content/index.htm) for steps on how to create the required components.

  • Authentication__OpenIdProviders__0__Audience

    • Log into the Okta portal and expand the “Security” section and click on the “APIs” link:

Under the “Authorization Servers” tab, copy the value in the Audience column and paste the value into the application setting:

  • Authentication__OpenIdProviders__0__AuthorizationHost

    • Open the API configuration screen.

    • Copy the value in the “Issuer URI” column of the “Authorization Servers” tab and paste the value into the application setting:

  • Authentication__OpenIdProviders__0__ClientID

    • Expand the “Applications” section and click on the “Applications” link to view the list of configured applications. Proceed by clicking on the application created for use in RPI:

Under “Client Credentials”, click the copy Client ID button and paste the value into the application setting.

  • Authentication__OpenIdProviders__0__CustomScopes

    • Custom scopes are not required for this provider; however, the email claim must be configured within the Authorization Server identified above. To add the email claim, expand the “Security” section and click on the “APIs” link. Click on the “Name” link of the Authorization Server to open its configuration. Once in the configuration, click the “Claims” tab and click the “Add Claim” button:

Enter “email” for Name and “appuser.email” for Value. Then click the Save button:

  • Authentication__OpenIdProviders__0__RedirectURL

    • Open the settings for the RPI Okta application.

    • Under “General Settings” click the “Edit” link:

    • Scroll down to the “LOGIN” section of the settings and enter a URL in the “Sign-in redirect URIs” text box. This must be a valid and accessible URL with the https:// protocol. Enter the same URL in the “Sign-out redirect URIs” text box as well. Click the “Save” button once complete.

    • Paste the same URL into the Authentication__OpenIdProviders__0__RedirectURL application setting.

AzureAD

To configure Microsoft Entra ID (formerly Azure AD) for use as an RPI OIDC provider, you will need a valid Azure Tenant ID and an App Registration Client ID. Follow these steps to obtain them:

Log into the Microsoft Entra admin center (https://entra.microsoft.com) and click on the Microsoft Entra ID (Azure AD) tile:

From the +Add drop down, choose App registration

Name your registration, choose the account type, set the Redirect URI to be Public client/native (Mobile & Desktop) and set the value of the Redirect URI:

You will be redirected to the App Registration's overview page. Click on the Add an Application ID URI link:

Click the Add link next to Application ID URI and also add a custom scope named ‘Interaction.Clients’:

Having obtained the Azure Tenant ID and App Registration Client ID, configure the RPI application settings accordingly. In the accompanying screenshot of the RPI application settings (not reproduced here), the values highlighted in red are the Azure Tenant ID and the values highlighted in green are the App Registration Client ID.
