Although ODC comes with a built-in Identity Provider, most companies, if not all, already have their own Identity Service, with many user and group rules that reflect the permission assignments of their internal organization.
Despite the existence of that built-in IdP, ODC supports any IdP that is compatible with the OpenID Connect (OIDC) standard, and also supports PKCE (Proof Key for Code Exchange) with external IdPs.
Out of the box, ODC supports the following IdPs:
- Apple;
- Facebook;
- Google;
- LinkedIn;
plus a generic OpenID Connect (OIDC) provider.
Most of the OOB IdP accelerators present in ODC require a client ID (or application ID) and a client secret, as can be seen in each of the external IdP accelerator screens.
ODC allows several different IdPs to be configured and one or more of them to be assigned to a given app, as shown in the following diagram:
Adding an external IdP
To add an external IdP that meets the conditions discussed so far, go to the ODC Portal; an Administrator role is required.
In the left navigation menu, under the MANAGE tab, click on Identity providers and then click on the "Add provider" button.
As seen in the above screenshot, a list of existing social network IdPs and OIDC dropdown is shown.
OpenID Connect provider
To add an OpenID Connect compliant IdP, do the following steps:
- Enter the provider name, i.e. the name by which the IdP will be known;
- Enter the "Discovery endpoint", the URL of the OpenID configuration document of your IdP;
- Click "Get details", so ODC can retrieve the JSON of the OIDC configuration;
- Enter both the Client ID and the Client secret (value) for your provider;
- Select the PKCE method supported by your OIDC provider;
- If your provider uses different attribute names, overwrite the prefilled values of the Name, Email and Photo URL fields under the "Claim Mapping" section. Otherwise, this section can be skipped;
- Click "Save" and ODC will add the new IdP to the existing list of IdPs.
Social network provider
To add one of the available social network providers, do the following:
- Enter the provider name, i.e. the name by which the IdP will be known;
- Insert the Client/App ID;
- Insert the Client secret/value;
- Click "Save" and ODC will add the new IdP to the existing list of IdPs.
MS Entra ID (formerly Azure AD)
Since MS Entra ID (Azure AD) is very popular among companies, we will share how it is set up as an external IdP in the ODC Portal.
To add it as an external provider, the steps in the ODC Portal are the same as described above under OpenID Connect provider, but we will first describe the preparation work in MS Entra ID (Azure AD) that precedes that step.
Please follow these steps:
- Log in to MS Entra ID and create a new app registration. You can find all details in the MS Entra ID documentation, here. Also give the OIDC provider a name in the ODC Portal;
- After the app registration is created, click the Endpoints button, copy the URL from the "OpenID Connect metadata document" field and paste it into the already mentioned "Discovery endpoint" field of the ODC Portal OIDC provider settings screen (see item 2 under the section OpenID Connect provider);
- In the ODC Portal, click "Get details", as explained before. This retrieves the JSON of the MS Entra ID configuration and shows a preview of it;
- Back in MS Entra ID, under Overview, copy the "Application (client) ID" value into the ODC Portal's Client ID field;
- In MS Entra ID, click "Certificates & secrets" and then the "New client secret" button. Enter a description, select the expiration and click the "Add" button to generate the secret;
- Copy the generated secret from the "Value" field in MS Entra ID into the "Client secret (secret value)" field in the ODC Portal;
- Copy the pair of "Redirect URLs" shown in the ODC Portal to the list of permitted redirect URIs in your MS Entra ID app registration. Copy the pair for both the built-in domain and any active custom domains. If in doubt, please check the MS Entra ID documentation here. Click "Next";
- To complete the settings in the ODC Portal, leave PKCE at the default SHA-256 value and the "Claim Mapping" fields at their prefilled values, then click the "Save" button;
- ODC will test the configuration just entered and, if it succeeds, add MS Entra ID to your External providers list. If it fails for some reason, an error is displayed;
- If all goes well, MS Entra ID is now ready to be used by your organization and/or apps.
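As an added example (not part of the original article and not ODC's own code), the following Python function applies the sanity checks a security reviewer would run over the JSON that the "Get details" step retrieves from the Discovery endpoint, for the generic OpenID Connect provider as well as the MS Entra ID case above: required endpoints served over HTTPS, a discovery URL that belongs to the advertised issuer, authorization code flow with S256 PKCE (ODC's default SHA-256), and the claim names behind the Claim Mapping fields. The sample documents, hostnames and the assumed claim names name/email/picture are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (abbreviated). Hostnames and the
# tenant segment are placeholders, not a real IdP.
SAMPLE_URL = "https://idp.example.com/tenant-placeholder/v2.0/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/tenant-placeholder/v2.0",
    "authorization_endpoint": "https://idp.example.com/tenant-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example.com/tenant-placeholder/oauth2/v2.0/token",
    "jwks_uri": "https://idp.example.com/tenant-placeholder/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
    "claims_supported": ["sub", "name", "email", "picture"],
})
# Same provider, but weakened: no signing-key URL and PKCE only as 'plain'.
WEAK_DISCOVERY = json.dumps({**json.loads(SAMPLE_DISCOVERY),
                             "jwks_uri": None,
                             "code_challenge_methods_supported": ["plain"]})
# Assumed standard OIDC claim names behind ODC's Name / Email / Photo URL fields.
DEFAULT_CLAIM_MAPPING = {"Name": "name", "Email": "email", "Photo URL": "picture"}

def check_discovery(doc_json, discovery_url, claim_mapping=DEFAULT_CLAIM_MAPPING):
    """Return a list of findings; an empty list means the document is fit to save."""
    doc = json.loads(doc_json)
    findings = []
    # 1. Every endpoint ODC needs must exist and be served over TLS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            findings.append(f"missing required field: {key}")
        elif urlparse(value).scheme != "https":
            findings.append(f"{key} is not served over https: {value}")
    # 2. Discovery URL must be issuer + well-known path (OIDC Discovery 4.1).
    issuer = (doc.get("issuer") or "").rstrip("/")
    if issuer and discovery_url != issuer + "/.well-known/openid-configuration":
        findings.append("discovery endpoint does not belong to the advertised issuer")
    # 3. Authorization code flow with S256 PKCE, matching ODC's default SHA-256.
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow (response_type=code) not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised; ODC's default SHA-256 setting will not work")
    # 4. Claims behind the Claim Mapping fields should be ones the IdP issues
    #    (claims_supported is optional in the spec, so only check when present).
    advertised = doc.get("claims_supported")
    if advertised is not None:
        for field, claim in claim_mapping.items():
            if claim not in advertised:
                findings.append(f"claim mapping {field} -> {claim!r} is not in claims_supported")
    return findings
```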