OpenID Relying Party custom properties

OpenID Relying Party custom properties

The following tables list the custom properties for the OpenID Relying Party (RP) Trust Association Interceptor (TAI). We can define these properties in the Custom Properties panel for the OpenID TAI using the administrative console. The custom properties are used to determine the behavior of the OpenID RP, and to communicate with an OpenID Provider (OP).

Property name Values Description
providerIdentifier Any URL value. No default value Specifies the OpenID provider URL
effectiveUriList Comma-separated list of URI patterns. No default value Comma-separated list of URIs (it uses regular expressions) intercepted by the RP. For example, /oidapp.*, /snoop, /dash/dashboard.
axRequiredAttribute Specify any string value. No default value Attribute requested by the relying party from the OpenID provider. It is in the format "alias, uriType". For example:
email, http://axschema.org/contact/email

Multiple attributes can be provided to the TAI by adding property names that begin with the axRequiredAttribute, and each ending with a unique suffix, in the format "axRequiredAttributesuffix". For example:
axRequiredAttribute1: email, http://axschema.org/contact/email
axRequiredAttribute2: dn,http://www.ibm.com/axschema/bluepages/dn
mapAliasAsPrincipal Comma-separated list of string values. No default value. If not specified, OpenID claimed identifier is used. Comma-separated list of the attribute aliases in the OpenID Provider response to use as the principal name when creating the JAAS subject. The first entry that matches an alias in the response will be used. For instance, if this property is set to email, guid, dn, given the following attribute aliases in the response, someone@ibm.com will be used as the principal name. For example:

openid.ax.type.dn=uid=someone@ibm.com,o=ibm.com
openid.ax.type.email=someone@ibm.com

excludedUriList Any URL value. No default value Comma-separated list of URIs(uses regex) that should not be intercepted by the TAI. For example: "/oidapp.*, /dash.*
axOptionalAttribute Specify any string value. No default value Attribute requested by the relying party from the OpenID provider. It is in the format - "alias, uriType". For example:
email, http://axschema.org/contact/email

Multiple attributes can be provided to the TAI by adding property names that begin with the axOptionalAttribute and each ending with a unique suffix, in the format "axOptionalAttributesuffix" For example:
axRequiredAttribute1: email, http://axschema.org/contact/email
axRequiredAttribute2: dn,http://www.ibm.com/axschema/bluepages/dn

axAttributeCount Any integer value. The default is 1. Number of values that the OpenID RP TAI requests for all required and optional attributes from the OpenID Provider. If set to 0, the TAI requests all values available for attributes. For example, if the OpenID Provider has two values for the first name, set axAttributeCount to 2 to get both values.
basicAuthUriList Comma-separated list of URI patterns. No default value Comma-separated list of URIs (uses regex) for which the TAI should authenticate using HTTP Authorization header of type Basic (Basic Auth token). These URIs should be within the set of URIs specified in "effectiveUriList". "effectiveUriList" is evaluated first to determine if the TAI should handle the request. "basicAuthUriList" is evaluated next.
tryOpenIDIfBasicAuthFails

true (default)
false

This property is valid for a URI if that URI is in the "basicAuthUriList" set. If the authentication using HTTP Authorization header of type Basic (Basic Auth token) fails, the TAI attempts to authenticate the user using OpenID (it redirects the request to the OpenID provider for authentication)
mapIdentityToRegistryUser

true
false (default)

If set to false, the IBM IdP users need not be in the local repository for authentication to work. This is the default behavior. If the property is set to true, the IBM IdP users should also be in the local repository before authentication can occur.
characterEncoding Specify any string value that represents character encoding. The default is UTF-8. Determines the character encoding to use if the TAI receives a request that does not contain the character encoding set.
allowStateless

true
false (default)

A flag that indicates to the TAI if it can fallback to stateless mode of authenticating with the OpenID provider server if an association cannot be established.
useClientIdentity

true
false (default)

A flag that indicates to the TAI if it can use the client identity as a principal if it might not chose any alias as the principal.
authenticationMode Specify any string value. The default is checkid_setup. Review OpenID Authentication 2.0 for more information about this property. Another value that it can use is checkid_immediate.
maxAssociationAttempts Any integer value. The default is 4. Number of times the TAI attempts to establish association with the OpenID provider server before it stops.
nonceValidTime Specify any integer number. The default is 300, This value is in seconds. This is the maximum time the TAI expects a response from the OpenID provider. The nonce value sent in the request and received in the response expires in this given time.
sharedKeyEncryptionEnabled

true (default)
false

Specify true to have the RP and provider to use a shared HMAC key for signing.
hashAlgorithm

SHA256 (default)
SHA1

The OpenID RP assumes this is the algorithm used to sign the response from the OpenID provider.
httpsRequired

true (default)
false

When true, the OpenID Connect RP will only establish a connection with an OP that supports https communication. If true, but the scheme of the authorizeEndpoint, tokenEndpoint or introspectEndpoint is http, then the TAI will fail to initialize.
If set to true, the RP will not attempt to process any requests that do not use the https scheme and the RP will not accept user authentication through the OP if the OP endpoint is http.
connectTimeout Any integer value. The default is 60. This value is in seconds. Timeout value used by the OpenID RP during the discovery phase, while also establishing connection with the OpenID provider.
socketTimeout Any integer value. The default is 60. This value is in seconds. Timeout value used by the OpenID RP during the discovery phase, while also communicating with the OpenID provider.
HostNameVerificationEnabled

true (default)
false

Specifies whether the OpenID RP can also validate the host name in the certificate received by it while it establishes an SSL connection with the OpenID Provider.
maxDiscoveryRetry Any integer value. The default is 2. The number of attempts RP makes to establish connection with the OpenID provider.
realmName Specify any string value. The default is OpenIDDefaultRealm. The realm name used by the RP while the JAAS Subject is created, using the ID received from the OpenID provider. The realmName used (either OpenIDDefaultRealm or a custom value) must be configured as a trusted realm.
maxDiscoveryCacheSize Any integer value. The default is 10000. Maximum size of the internal cache the OpenID RP uses. All subsequent requests to the RP are rejected with the HTTP response code 503 (service unavailable) once the cache size limit is reached.
cacheCleanupFrequency Any integer value. The defaults value is 3600. This value is in seconds, and is the frequency at which the stale objects in the cache are purged.
jndiCacheName When dynamic cache service is enabled, a DistributedObjectCache named OIDCRPDistributedCacheMap is used with...
KEY_ENABLE_CACHE_REPLICATION=true
KEY_REPLICATION_DOMAIN=DynaCacheCluster

The attributes of this cache cannot be changed
To use an object cache instance with properties different from the default, use this property to specify a custom object cache instance managed by the dynamic cache service. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for maxDiscoveryCacheSize and CacheCleanupFrequency are ignored.
realmIdentifier Specify any string value. No default value Set to the alias of one of the attributes that are returned by the OpenID provider server. The value of this attribute is the realmName. If multiple values are returned by the OpenID provider for this alias, any of the values can get selected.
groupIdentifier Specify any string value. No default value Set to the alias of one of the attributes that are returned by the OpenID provider server. The value of this attribute is the group to which the authenticated user belongs. If multiple values are returned by the OpenID provider for this alias, all of the values are selected.
includeCustomCacheKeyInSubject

true (default)
false

The value of this property determines whether a custom cache key is included in the subject created by the TAI.
httpOnly

true (default)
false

When true, the httpOnly flag will be set on the cookie.

Related:

OpenID authentication overview
Configure an OpenID Connect Relying Party
Use object cache instances

Property name	Values	Description
providerIdentifier	Any URL value. No default value	Specifies the OpenID provider URL
effectiveUriList	Comma-separated list of URI patterns. No default value	Comma-separated list of URIs (it uses regular expressions) intercepted by the RP. For example, /oidapp.*, /snoop, /dash/dashboard.
axRequiredAttribute	Specify any string value. No default value	Attribute requested by the relying party from the OpenID provider. It is in the format "alias, uriType". For example: email, http://axschema.org/contact/email Multiple attributes can be provided to the TAI by adding property names that begin with the axRequiredAttribute, and each ending with a unique suffix, in the format "axRequiredAttributesuffix". For example: axRequiredAttribute1: email, http://axschema.org/contact/email axRequiredAttribute2: dn,http://www.ibm.com/axschema/bluepages/dn
mapAliasAsPrincipal	Comma-separated list of string values. No default value. If not specified, OpenID claimed identifier is used.	Comma-separated list of the attribute aliases in the OpenID Provider response to use as the principal name when creating the JAAS subject. The first entry that matches an alias in the response will be used. For instance, if this property is set to email, guid, dn, given the following attribute aliases in the response, someone@ibm.com will be used as the principal name. For example: openid.ax.type.dn=uid=someone@ibm.com,o=ibm.com openid.ax.type.email=someone@ibm.com
excludedUriList	Any URL value. No default value	Comma-separated list of URIs(uses regex) that should not be intercepted by the TAI. For example: "/oidapp., /dash.
axOptionalAttribute	Specify any string value. No default value	Attribute requested by the relying party from the OpenID provider. It is in the format - "alias, uriType". For example: email, http://axschema.org/contact/email Multiple attributes can be provided to the TAI by adding property names that begin with the axOptionalAttribute and each ending with a unique suffix, in the format "axOptionalAttributesuffix" For example: axRequiredAttribute1: email, http://axschema.org/contact/email axRequiredAttribute2: dn,http://www.ibm.com/axschema/bluepages/dn
axAttributeCount	Any integer value. The default is 1.	Number of values that the OpenID RP TAI requests for all required and optional attributes from the OpenID Provider. If set to 0, the TAI requests all values available for attributes. For example, if the OpenID Provider has two values for the first name, set axAttributeCount to 2 to get both values.
basicAuthUriList	Comma-separated list of URI patterns. No default value	Comma-separated list of URIs (uses regex) for which the TAI should authenticate using HTTP Authorization header of type Basic (Basic Auth token). These URIs should be within the set of URIs specified in "effectiveUriList". "effectiveUriList" is evaluated first to determine if the TAI should handle the request. "basicAuthUriList" is evaluated next.
tryOpenIDIfBasicAuthFails	true (default) false	This property is valid for a URI if that URI is in the "basicAuthUriList" set. If the authentication using HTTP Authorization header of type Basic (Basic Auth token) fails, the TAI attempts to authenticate the user using OpenID (it redirects the request to the OpenID provider for authentication)
mapIdentityToRegistryUser	true false (default)	If set to false, the IBM IdP users need not be in the local repository for authentication to work. This is the default behavior. If the property is set to true, the IBM IdP users should also be in the local repository before authentication can occur.
characterEncoding	Specify any string value that represents character encoding. The default is UTF-8.	Determines the character encoding to use if the TAI receives a request that does not contain the character encoding set.
allowStateless	true false (default)	A flag that indicates to the TAI if it can fallback to stateless mode of authenticating with the OpenID provider server if an association cannot be established.
useClientIdentity	true false (default)	A flag that indicates to the TAI if it can use the client identity as a principal if it might not chose any alias as the principal.
authenticationMode	Specify any string value. The default is checkid_setup.	Review OpenID Authentication 2.0 for more information about this property. Another value that it can use is checkid_immediate.
maxAssociationAttempts	Any integer value. The default is 4.	Number of times the TAI attempts to establish association with the OpenID provider server before it stops.
nonceValidTime	Specify any integer number. The default is 300,	This value is in seconds. This is the maximum time the TAI expects a response from the OpenID provider. The nonce value sent in the request and received in the response expires in this given time.
sharedKeyEncryptionEnabled	true (default) false	Specify true to have the RP and provider to use a shared HMAC key for signing.
hashAlgorithm	SHA256 (default) SHA1	The OpenID RP assumes this is the algorithm used to sign the response from the OpenID provider.
httpsRequired	true (default) false	When true, the OpenID Connect RP will only establish a connection with an OP that supports https communication. If true, but the scheme of the authorizeEndpoint, tokenEndpoint or introspectEndpoint is http, then the TAI will fail to initialize. If set to true, the RP will not attempt to process any requests that do not use the https scheme and the RP will not accept user authentication through the OP if the OP endpoint is http.
connectTimeout	Any integer value. The default is 60.	This value is in seconds. Timeout value used by the OpenID RP during the discovery phase, while also establishing connection with the OpenID provider.
socketTimeout	Any integer value. The default is 60.	This value is in seconds. Timeout value used by the OpenID RP during the discovery phase, while also communicating with the OpenID provider.
HostNameVerificationEnabled	true (default) false	Specifies whether the OpenID RP can also validate the host name in the certificate received by it while it establishes an SSL connection with the OpenID Provider.
maxDiscoveryRetry	Any integer value. The default is 2.	The number of attempts RP makes to establish connection with the OpenID provider.
realmName	Specify any string value. The default is OpenIDDefaultRealm.	The realm name used by the RP while the JAAS Subject is created, using the ID received from the OpenID provider. The realmName used (either OpenIDDefaultRealm or a custom value) must be configured as a trusted realm.
maxDiscoveryCacheSize	Any integer value. The default is 10000.	Maximum size of the internal cache the OpenID RP uses. All subsequent requests to the RP are rejected with the HTTP response code 503 (service unavailable) once the cache size limit is reached.
cacheCleanupFrequency	Any integer value. The defaults value is 3600.	This value is in seconds, and is the frequency at which the stale objects in the cache are purged.
jndiCacheName	When dynamic cache service is enabled, a DistributedObjectCache named OIDCRPDistributedCacheMap is used with... KEY_ENABLE_CACHE_REPLICATION=true KEY_REPLICATION_DOMAIN=DynaCacheCluster The attributes of this cache cannot be changed	To use an object cache instance with properties different from the default, use this property to specify a custom object cache instance managed by the dynamic cache service. When the dynamic cache service is not in use, a server-based cache is used. When the dynamic cache service is in use, the values for maxDiscoveryCacheSize and CacheCleanupFrequency are ignored.
realmIdentifier	Specify any string value. No default value	Set to the alias of one of the attributes that are returned by the OpenID provider server. The value of this attribute is the realmName. If multiple values are returned by the OpenID provider for this alias, any of the values can get selected.
groupIdentifier	Specify any string value. No default value	Set to the alias of one of the attributes that are returned by the OpenID provider server. The value of this attribute is the group to which the authenticated user belongs. If multiple values are returned by the OpenID provider for this alias, all of the values are selected.
includeCustomCacheKeyInSubject	true (default) false	The value of this property determines whether a custom cache key is included in the subject created by the TAI.
httpOnly	true (default) false	When true, the httpOnly flag will be set on the cookie.