LinkedIn
Copied!

Table of Contents

Configuring the identity provider for an OpenID Connect SSO authentication service

Version:

8.6 8.5
Only available versions of this content are shown in the dropdown

To enable the system to verify the identity of requestors, configure the identity provider for your OpenID SSO authentication service. You configure the identity provider by importing values from a file or by entering them manually.

  1. Open the service from the navigation panel in Dev Studio by clicking Records SysAdmin Authentication Service and choosing a service from the instance list.

  2. On the OpenID Connect tab, navigate to the OpenID Connect provider configuration section.

  3. If you are configuring the identity provider by importing the configuration, complete these steps:

    1. Click Import metadata.

    2. Select the source of the metadata ( via URL or via file ), and then enter the URL or file path.

      URL is in the format: https://<domain name>/.well-known/openid-configuration

    3. Click Submit.

    When you import the provider metadata, the platform does the following actions, depending on whether the Signature truststore field is blank at the time of import.
    • If the Signature truststore field is blank, the system creates a keystore instance and adds the certificate to the new keystore instance. The system sets the alias of the entry in the keystore to the certificate's issuer name and sets the keystore password to rules. The system populates the Signature truststore field with the new keystore identifier.
    • If the Signature truststore field is not blank and refers to a valid keystore instance that was originally created by the system (keystore name starts with "KS" and ends with "OIDCCertStore"), the system adds the certificate to the existing keystore instance and sets the alias of the entry to the certificate's issuer name.

  4. If you are configuring the identity provider by entering values manually, complete these steps:

    1. In the Authorization endpoint field, enter the authorization endpoint URL.

    2. In the Token endpoint field, enter the token endpoint URL.

    3. Optional:

      In the Userinfo endpoint field, enter the userinfo endpoint URL.

    4. Optional:

      In the Logout endpoint field, enter the logout endpoint URL.

    5. In the Redirect URI field, enter the redirect URI.

    6. In the Issuer field, enter the certificate issuer.

    7. In the Signature truststore field, press the Down Arrow key and select the keystore that contains the public key that is used for verifying the signature of the authentication assertion.

    8. To add parameters for any of these fields, click Add parameters.

  5. Navigate to the Client information section and complete the Client identifier, Client secret, and Scope fields.

  6. In the Operator identification section, in the Map operator id from claim field, specify the name of the claim that contains the operator ID. Enclose the attribute name in curly braces, for example, {name}.

  7. Optional:

    Configure the advanced properties of the identity provider.

  8. Click Save.

Mapping operator information for an OpenID Connect SSO authentication service

Related Content

Article

Configuring the identity provider for an OpenID Connect SSO authentication service &ndash; Advanced Configuration

Article

Authentication services

Article

More about authentication services

Article

Configuring an OpenID Connect SSO authentication service
Configuring an OpenID Connect SSO authentication serviceParent topic
Pega Platform 8.4 Security

Updated on July 1, 2021

Suggest Edit
Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Collaboration Center