OpenID Connect
To make OpenID Connect available, create an Infor Support Portal ticket to request that the feature set flag STSIdpAuthentication be set to 1 for the tenants that require the feature.
Option | Description |
---|---|
Federated Single Sign On Using OIDC - OIDC Enabled | This flag enables or disables OpenID Connect. When it is cleared, the remaining fields on the OpenID Connect page are disabled. |
Display Name | This option is displayed to users during the sign-in process if you allow users to select their own authentication method on the Authentication URL Options page. |
Display Icon | This option is displayed to users during the sign-in process if you allow users to select their own authentication method on the Authentication URL Options page. |
Import OIDC Metadata | Fills in the provider fields below (Issuer, the endpoints, jwks_uri, scopes_supported) from the OpenID provider's discovery metadata instead of entering them by hand. |
Client ID | The client ID is issued by the identity provider when Infor OS is registered as a client there and must be entered manually. |
Client Secret | The client secret is issued by the identity provider together with the client ID and must be entered manually. Infor OS presents it to the token endpoint to authenticate itself, so treat it like a password: rotate it if it is exposed and keep it out of tickets and logs. |
Issuer | This is the issuer identifier of the OpenID provider (the issuer value in its discovery metadata, the OIDC counterpart of a SAML entity ID). It must match the iss claim of every ID token the provider returns. |
Authorization Endpoint | This is the authorization endpoint of the OpenID provider, to which Infor OS redirects the user's browser to request an authorization code as part of the OIDC flow. |
Token_EndPoint | This is the token endpoint of the OpenID provider, which Infor OS calls directly, authenticating with the client ID and secret, to exchange the authorization code for an ID token and an access token. |
jwks_uri | This is the endpoint from which Infor OS retrieves the provider's public keys to validate the signature of the ID token. |
userinfo_endpoint | If provided, this endpoint is called by Infor OS, with the access token, to retrieve the user profile information. |
Enable Identity Provider Single Logoff | This is an optional feature. When enabled, a logout from Infor OS also logs the user out of the identity provider. If this option is enabled, the end_session_endpoint field becomes mandatory. |
end_session_endpoint | This is the endpoint of the OpenID provider that Infor OS calls to log the user out of the identity provider when single logoff is enabled. |
scopes_supported | Infor OS includes openid, profile and email as the default scopes in every OpenID Connect request. If the request must include additional scopes, enter them as comma-separated values. |
Attribute Name | The name of an attribute, for example username, email, first_name or last_name, as sent by the OpenID provider in the ID token or returned by the User Info endpoint. |
Callback URL | This is the redirect URI to which the OpenID provider sends the user's browser back with the authorization response, from which Infor OS then obtains the ID token at the token endpoint. The OpenID provider requires this URL when the client is registered, and most providers reject any redirect that does not match it exactly, so register it character for character. |
JIT User Provisioning Enabled | This is an optional check box that provisions users into IFS when they authenticate for the first time. Note: The recommended way to provision users into IFS is SCIM. The First Name Claim, Last Name Claim and Email Address Claim fields supply the corresponding attribute names from the ID token. |
First Name Claim | This is the given_name from the ID token. |
Last Name Claim | This is the family_name from the ID token. |
Email Address Claim | This is the email from the ID token. |
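The fields above are, almost name for name, the keys of an OpenID Connect discovery document, and the table states a few rules about them (the three default scopes, end_session_endpoint becoming mandatory with single logoff, the claim names used for JIT provisioning). The following Python is an added example, not Infor's code, showing what an import of that metadata has to check, the claim validation that follows signature verification with a key from jwks_uri, and the claim-to-attribute mapping. The discovery document, the claim set, the hostname idp.example.com and the client ID are all constructed for the example.

```python
import time
from urllib.parse import urlparse

# Scopes Infor OS sends by default (scopes_supported row above).
DEFAULT_SCOPES = ("openid", "profile", "email")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "end_session_endpoint")

# Constructed discovery document, shaped like the JSON served at
# <issuer>/.well-known/openid-configuration; idp.example.com is hypothetical.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

# Constructed ID token claim set, as it looks once the signature has been
# verified with the key fetched from jwks_uri.
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.com", "aud": "infor-os-client", "sub": "u-1001",
    "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": "n-1",
    "given_name": "Ada", "family_name": "Lovelace", "email": "ada@example.com",
}


def import_metadata(doc, client_id, client_secret, extra_scopes="", single_logoff=False):
    """Map a discovery document onto the page's fields and enforce the table's
    rules: issuer, authorization, token and JWKS endpoints are required,
    end_session_endpoint becomes required with single logoff, and every
    endpoint must be HTTPS (a plain-http token endpoint would expose the
    client secret and the tokens)."""
    required = ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"]
    if single_logoff:
        required.append("end_session_endpoint")
    missing = [k for k in required if not doc.get(k)]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            raise ValueError(f"{key} must use https, got {url}")
    scopes = list(DEFAULT_SCOPES)          # defaults first, then the comma list
    for s in (x.strip() for x in extra_scopes.split(",")):
        if s and s not in scopes:
            scopes.append(s)
    advertised = doc.get("scopes_supported")
    config = {
        "client_id": client_id,
        "client_secret": client_secret,    # keep in a secret store, never in logs
        "issuer": doc["issuer"],
        "scope": " ".join(scopes),
        # Requested scopes the provider does not advertise: worth surfacing at setup.
        "unadvertised_scopes": [s for s in scopes if advertised and s not in advertised],
        "single_logoff": single_logoff,
    }
    config.update({key: doc.get(key) for key in ENDPOINT_KEYS})
    return config


def validate_id_token_claims(claims, config, now=None, expected_nonce=None, leeway=60):
    """Checks that follow signature verification (OpenID Connect Core 1.0,
    section 3.1.3.7): issuer, audience, expiry and, if one was sent on the
    authorization request, the nonce. Raises ValueError on the first failure."""
    now = time.time() if now is None else now
    if claims.get("iss") != config["issuer"]:
        raise ValueError("iss does not match the configured Issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if config["client_id"] not in aud:
        raise ValueError("aud does not contain this Client ID")
    if len(aud) > 1 and claims.get("azp") != config["client_id"]:
        raise ValueError("azp must name this client when aud lists several")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("ID token has expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return True


def map_user(claims, first="given_name", last="family_name", email="email"):
    """JIT provisioning: read the attributes named by the First Name Claim,
    Last Name Claim and Email Address Claim fields out of the claim set."""
    missing = [c for c in (first, last, email) if c not in claims]
    if missing:
        raise ValueError("ID token lacks claim(s) " + ", ".join(missing)
                         + "; request the scope or read them from userinfo_endpoint")
    return {"first_name": claims[first], "last_name": claims[last], "email": claims[email]}


if __name__ == "__main__":
    cfg = import_metadata(DISCOVERY, "infor-os-client", "change-me",
                          extra_scopes="groups, offline_access", single_logoff=True)
    print(cfg["scope"], cfg["unadvertised_scopes"])
    validate_id_token_claims(ID_TOKEN_CLAIMS, cfg, now=1_700_000_100, expected_nonce="n-1")
    print(map_user(ID_TOKEN_CLAIMS))
```

The split between import_metadata and validate_id_token_claims mirrors the two moments at which the fields matter: the Issuer and endpoints are checked once at configuration time, while the iss, aud, exp and nonce checks run on every login and are what stops a token minted by a different provider, or for a different client, from being accepted just because its signature verifies.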