OpenID Connect Relying Party federation properties
Define these properties when we configure an OpenID Connect Relying Party federation
- Point of Contact
String containing the protocol, host, port and path of the runtime junction on the Reverse Proxy instance. This value is used to automatically generate redirect URIs, derived from the applies-to value of the partner. An example value for this property is https://www.reverse.proxy.com:443/mga, where www.reverse.proxy.com is the hostname of the Reverse Proxy instance, 443 is the listening SSL port of the instance, and /mga is the local junction to the Federation runtime. Because an OpenID Provider accepts a redirect_uri only if it exactly matches one registered for the client, the Point of Contact must use the externally visible hostname and port of the Reverse Proxy, and the redirect URI generated from it must be the one registered with the partner.
- Default Response Types
An array of elements that specifies the default flow to run when a metadata URL is specified. The combination of values selects the authorization code flow, the implicit flow, or one of the hybrid flows:
- code
- id_token
- token
For information on the use of response types in each flow, see OAuth 2.0 and OIDC workflows.
- Attribute Mapping
We can use the Attribute Mapping page to define new attributes that can be used to customize claims from attribute sources. Attribute sources can be: Fixed, Credential, or LDAP.
To create a new mapping, select New and enter Attribute Name. Select Attribute Source type.
To remove an existing Attribute Name, select the attribute and click Delete.
- Identity mapping
Identity mapping options
- Do not perform identity mapping
- Use JavaScript transformation for identity mapping
- Use an external web service for identity mapping
If we configure an identity provider, this mapping specifies how to create an assertion containing attributes mapped from a local user account.
If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If we choose JavaScript for mapping, on a subsequent page we are asked to select the JavaScript file to use. If we choose an external web service, on a subsequent page we are asked to provide the following information:
- URI format (HTTP or HTTPS)
- Web service URI
- Server Certificate database, if the URI format is HTTPS.
- Client authentication type, if the URI format is HTTPS.
- Message format:
- XML
- WS-Trust
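The following is an added example, not an ISAM mapping rule and not code from the original page, showing what a service-provider identity mapping of the kind described above has to do: match the partner's assertion to a local account and then populate attributes from the Fixed, Credential and LDAP source kinds listed on the Attribute Mapping page. The in-memory directory, the claim values, the attribute names and the mapping table are all constructed for the example; in a real deployment the LDAP lookup and the mapping-rule API are the product's own.

```javascript
// Added example (generic JavaScript, not the product's mapping-rule API):
// identity mapping for a relying party acting as service provider.
//
// Input: the claims of an ID token that has ALREADY been validated
// (signature, iss, aud, exp, nonce). Output: the local principal plus the
// attributes built from the three attribute source kinds: Fixed, Credential
// (taken from the assertion) and LDAP (taken from the local directory entry).

// Constructed stand-in for the LDAP directory, keyed by issuer + subject.
// 'sub' is only unique within its issuer, so the issuer is part of the key.
const LOCAL_DIRECTORY = {
  'https://op.example.com|248289761001': {
    uid: 'jdoe',
    mail: 'jane.doe@example.com',
    memberOf: ['cn=staff,ou=groups,dc=example,dc=com'],
  },
};

function lookupLocalUser(iss, sub) {
  return LOCAL_DIRECTORY[`${iss}|${sub}`] || null;
}

// Constructed mapping table in the shape of the Attribute Mapping page:
// attribute name plus its source. Authorization-bearing attributes (groups)
// deliberately come from LDAP, the local authority, never from the assertion.
const ATTRIBUTE_MAPPING = [
  { name: 'AUTHENTICATION_LEVEL', source: 'fixed', value: '1' },
  { name: 'displayName', source: 'credential', claim: 'name' },
  { name: 'emailAddress', source: 'ldap', attribute: 'mail' },
  { name: 'groups', source: 'ldap', attribute: 'memberOf' },
];

function mapIdentity(claims, mapping = ATTRIBUTE_MAPPING, lookup = lookupLocalUser) {
  if (typeof claims.iss !== 'string' || typeof claims.sub !== 'string') {
    return { matched: false, reason: 'assertion lacks iss or sub' };
  }
  // Match on (iss, sub) only. Matching on email or name would let any
  // account at the partner with a colliding value take over the local user.
  const local = lookup(claims.iss, claims.sub);
  if (local === null) {
    return { matched: false, reason: 'no local account linked to this issuer and subject' };
  }
  const attributes = {};
  for (const m of mapping) {
    switch (m.source) {
      case 'fixed':
        attributes[m.name] = m.value;
        break;
      case 'credential':
        if (claims[m.claim] !== undefined) attributes[m.name] = claims[m.claim];
        break;
      case 'ldap':
        if (local[m.attribute] !== undefined) attributes[m.name] = local[m.attribute];
        break;
      default:
        throw new Error(`unknown attribute source "${m.source}"`);
    }
  }
  return { matched: true, principal: local.uid, attributes };
}
```

The function fails closed: an assertion whose issuer and subject are not linked to a local account yields no principal, which is the behaviour to keep unless just-in-time provisioning is an explicit policy decision. Note that the assertion's own email claim is never used, even when present; the email attribute comes from the matched directory entry.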
- Advanced Configuration
Supported options:
- Advanced configuration is not required
- Use JavaScript for advanced configuration
We can use JavaScript to create mapping rules that add optional parameters to OpenID Connect requests. OpenID Connect requests can contain optional request parameters, such as max_age, acr_values, and claims, as supported by the OpenID Provider.
If we choose to use JavaScript, the federation wizard displays existing advanced configuration mapping rules. Select the existing (already defined) JavaScript mapping rule containing the advanced configuration to use.
Parent topic: Configure an OpenID Connect Relying Party federation