OpenID Connect

To make OpenID Connect available, create an Infor Support Portal ticket requesting that the feature set flag STSIdpAuthentication be set to 1 for the tenants that require the feature.

Options on the OpenID Connect page

Federated Single Sign On Using OIDC - OIDC Enabled
  Enables or disables OpenID Connect. When disabled, the OpenID Connect page is disabled.

Display Name
  Shown to users during sign-in if you allow users to select their own authentication method on the Authentication URL Options page.

Display Icon
  Shown to users during sign-in if you allow users to select their own authentication method on the Authentication URL Options page.
Import OIDC Metadata
  • FROM FILE: accepts files with a .json extension.
  • FROM URL: takes the well-known endpoint of the OpenID Provider; all endpoints are imported into IFS.
  • All endpoints can also be added manually.
  • The .json file is parsed, and the following input fields on this page are completed automatically:
    • Issuer
    • Authorization_Endpoint
    • Token_Endpoint
    • Jwks_uri
    • Userinfo_Endpoint
  • Verify the imported values and add any additional information required.
  • If you are not importing OIDC metadata, enter the following information manually.
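The FROM URL import works from the provider's discovery document. The following added example (not Infor's code) shows what a careful import does with that document before any field is filled in: it requires the four endpoints an OIDC client cannot work without, checks that the issuer inside the document matches the issuer it was fetched for, enforces https on every endpoint, and treats end_session_endpoint as mandatory when Single Logoff is on. The discovery document, host names and the page field labels used as dictionary keys are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Discovery-document keys mapped to the fields the OpenID Connect page fills in on import.
# The field labels are assumptions taken from the import list above.
FIELD_MAP = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization_Endpoint",
    "token_endpoint": "Token_Endpoint",
    "jwks_uri": "Jwks_uri",
    "userinfo_endpoint": "Userinfo_Endpoint",
    "end_session_endpoint": "end_session_endpoint",
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document, shaped like the JSON a provider's well-known endpoint
# (<issuer>/.well-known/openid-configuration) returns; the host is hypothetical.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def well_known_url(issuer):
    """Derive the discovery URL from the issuer the administrator typed (FROM URL import)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def parse_oidc_metadata(raw_json, expected_issuer, single_logoff=False):
    """Parse a discovery document and return the values for the page's fields.

    Raises ValueError when the document is unusable, so a bad import never leaves
    half-filled or untrusted endpoints in the configuration.
    """
    doc = json.loads(raw_json)
    problems = []

    for key in REQUIRED:
        if not doc.get(key):
            problems.append(f"missing required field {key}")

    # The issuer inside the document must equal the issuer the metadata was fetched for;
    # otherwise ID tokens would later be validated against the wrong trust anchor.
    if doc.get("issuer") and doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} does not match {expected_issuer!r}")

    # Single Logoff makes end_session_endpoint mandatory.
    if single_logoff and not doc.get("end_session_endpoint"):
        problems.append("end_session_endpoint is mandatory when Single Logoff is enabled")

    # Every endpoint Infor OS would call or redirect the browser to must be https.
    for key in FIELD_MAP:
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not an https URL: {url}")

    if problems:
        raise ValueError("; ".join(problems))

    return {label: doc[key] for key, label in FIELD_MAP.items() if doc.get(key)}


if __name__ == "__main__":
    print(well_known_url("https://idp.example.test/"))
    for label, value in parse_oidc_metadata(SAMPLE_METADATA, "https://idp.example.test").items():
        print(f"{label}: {value}")
```

Running the block prints the derived well-known URL and the five field values the page would receive. The issuer comparison is the check most worth keeping: a document that names a different issuer than the one you fetched it from should never be imported.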
Client ID
  The client ID is generated by the identity provider and must be entered manually.

Client Secret
  The client secret is generated by the identity provider and must be entered manually.

Issuer
  The entity ID of the OpenID provider.

Authorization Endpoint
  The authorization endpoint of the OpenID provider, which Infor OS calls to request an authorization code as part of the OIDC flow.

Token_Endpoint
  The token endpoint of the OpenID provider, used to obtain an ID token and an access token.

jwks_uri
  The endpoint from which the keys used to validate the signature of the ID token are retrieved.

userinfo_endpoint
  If provided, Infor OS calls this endpoint to retrieve the user profile information.

Enable Identity Provider Single Logoff
  Optional. When enabled, signing out of the application also logs the user out from the identity provider. If this option is enabled, end_session_endpoint becomes mandatory.

end_session_endpoint
  The endpoint that is called to log the user out from the identity provider.
scopes_supported
  When making an OpenID Connect request, Infor OS includes openid, profile, and email as the default scopes. If the request must include additional scopes, enter them as comma-separated values.

Attribute Name
  The attribute name, for example username, email, first_name, or last_name, that the OpenID provider sends in the ID token or returns as an attribute from the User Info endpoint.

Callback URL
  The endpoint to which the OpenID provider returns the ID token. This URL is required by the OpenID provider when registering the client.

JIT User Provisioning Enabled
  Optional check box that provisions users into IFS when they authenticate for the first time.
  Note: The recommended way to provision users into IFS is through SCIM.

  The First Name Claim, Last Name Claim, and Email Address Claim fields take the corresponding attribute names from the ID token.

First Name Claim
  The given_name claim from the ID token.

Last Name Claim
  The family_name claim from the ID token.

Email Address Claim
  The email claim from the ID token.
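The scopes_supported, jwks_uri, Issuer, Client ID and claim-name fields above all come together when a sign-in completes. The following added example (not Infor's code) shows that path end to end: the scope string is built from the default scopes plus the comma-separated extras, the returned ID token is checked against the key set, the configured Issuer, the Client ID (aud), expiry and the request nonce, and only then are given_name, family_name and email mapped to the JIT provisioning fields. Everything is constructed: the configuration values, the nonce, the token, and the key set. The key set holds a symmetric "oct" key signed with HS256 so the block runs offline with the standard library; a real provider publishes RSA or EC public keys at jwks_uri and a JOSE library performs the RS256 check in the same place.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration mirroring the fields on the OpenID Connect page; values are hypothetical.
CONFIG = {
    "issuer": "https://idp.example.test",
    "client_id": "infor-os-demo-client",
    "scopes_supported": "groups, offline_access",   # additional scopes, comma separated
    "first_name_claim": "given_name",
    "last_name_claim": "family_name",
    "email_claim": "email",
}
DEFAULT_SCOPES = ("openid", "profile", "email")


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set standing in for what jwks_uri returns. A symmetric key is used so the
# demo runs offline; real providers publish RSA/EC public keys and RS256 is verified with a JOSE library.
JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-secret-not-for-production")}]}


def build_scope(extra_csv):
    """Merge the default scopes with the comma-separated extras; order kept, duplicates dropped."""
    scopes = list(DEFAULT_SCOPES)
    for scope in extra_csv.split(","):
        scope = scope.strip()
        if scope and scope not in scopes:
            scopes.append(scope)
    return " ".join(scopes)


def find_key(jwks, kid):
    """Select the key the token header names; an unknown kid is a hard failure."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no key with kid {kid!r} in JWKS")


def sign_hs256(header, payload, key):
    """Produce a compact JWT the way the demo provider would (signing side of the exchange)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, jwks, config, expected_nonce, now=None):
    """Verify signature, issuer, audience, expiry and nonce; return the claims only if all pass."""
    now = int(time.time()) if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":            # never accept alg=none or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = find_key(jwks, header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != config["issuer"]:   # must equal the configured Issuer field
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this Client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:   # binds the token to this sign-in request
        raise ValueError("nonce mismatch")
    return claims


def jit_profile(claims, config):
    """Map ID token claims to the JIT provisioning fields using the configured claim names."""
    return {"first_name": claims.get(config["first_name_claim"]),
            "last_name": claims.get(config["last_name_claim"]),
            "email": claims.get(config["email_claim"])}


def make_demo_token(nonce):
    """Issue a constructed ID token with the demo key (what the provider side would return)."""
    claims = {"iss": CONFIG["issuer"], "sub": "u-123", "aud": CONFIG["client_id"],
              "exp": 4102444800, "iat": 1700000000, "nonce": nonce,
              "given_name": "Ada", "family_name": "Lovelace", "email": "ada@example.test"}
    return sign_hs256({"alg": "HS256", "kid": "demo-key-1", "typ": "JWT"}, claims, JWKS["keys"][0])


def demo():
    """Full round trip: issue a token for a nonce, validate it, map it to provisioning fields."""
    nonce = "n-0S6_WzA2Mj"
    validated = validate_id_token(make_demo_token(nonce), JWKS, CONFIG, nonce, now=1700000100)
    return jit_profile(validated, CONFIG)


if __name__ == "__main__":
    print(build_scope(CONFIG["scopes_supported"]))
    print(demo())
```

The order inside validate_id_token is deliberate: the signature is checked before any claim is read, and the nonce check is what ties the token to the request that started the sign-in, so a token captured from another session is rejected even though its signature, issuer and audience are all valid.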