Multiple Identity Providers (IDPs) for OpenID Connect
As of the May 2024 release, a new option has been added to the dashboard to support multiple external identity providers.
Prior to May 2024:
The dashboard only supported one set of identity provider credentials for OpenID Connect, applied at the global level and configured under ‘Global Variables’ in the dashboard configuration panel. For reference:
With this approach, one set of IDP configuration was applied to all users.
The single IDP configuration through the OAUTH variables will eventually be deprecated. We therefore advise users to migrate their OAuth setup manually from Global Variables to the Identity Providers section of the dashboard configuration, or to create a new entry using our API.
May 2024 onwards:
New functionality allows multiple Identity Providers (IDPs) to be configured in the dashboard, either through the UI or the API. With this approach, different sets of users can use different IDP configurations.
UI:
A new tab has been added to the Settings screen, allowing users to create OpenID Connect configurations for multiple providers.
Single IDP panel example:
Multiple IDPs example:
API:
Eight new API endpoints have been added to manage the new Identity Provider configurations. They are documented on our SwaggerHub page and listed below:
GET /identityProviders - Gets all Identity Providers
POST /identityProviders - Creates a new Identity Provider
GET /identityProviders/{id} - Gets a specific Identity Provider
DELETE /identityProviders/{id} - Deletes a specific Identity Provider
PUT /identityProviders/{id} - Modifies an Identity Provider
POST /identityProviders/bulk - Creates multiple Identity Providers
DELETE /identityProviders/bulk - Deletes multiple Identity Providers
DELETE /identityProviders/all - Deletes all Identity Providers
Option | Explanation |
---|---|
Identifier | A simple alphanumeric string used as a query parameter in the dashboard URL. It is used to select the Identity Provider to log in to the dashboard with (e.g. https://localhost:8224/pi/?idp=microsoft). |
Enabled | Whether the Identity Provider is enabled. |
Discovery Domain | OpenID Connect discovery domain, e.g. https://login.microsoftonline.com/TENANT/v2.0 (without /.well-known/openid-configuration). If used, the Auth URL and Token Endpoint values are disabled/ignored. |
Auth URL | The authorization URL the user is redirected to. If used, the Discovery Domain field is disabled/ignored. |
Token Endpoint | The token API endpoint. If used, the Discovery Domain field is disabled/ignored. |
Key ID | A unique ID provided by the OpenID Connect service to authenticate your application. |
Key Value | A secret value known only to your application and the OpenID Connect service, used for secure communication and authorisation. The field can be set via POST and updated via PUT through the API, but is never returned. In the UI, Key Value is hidden. |
Email Claim Name | The name of the claim used to retrieve the logging-in user's email address. |
Scope | Space-separated list of scopes supplied to the IDP. |
Logout URL | Custom URL for logging out; if present, integrated logout is attempted. |
Bypass Login Screen | Enable to bypass the login screen and attempt automatic login. |
Open in Pop-up | OpenID login uses a pop-up window for the login request. |
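The following is an added example, not the dashboard's own code or part of its API client: it builds and sanity-checks an Identity Provider entry before it is sent to POST /identityProviders or PUT /identityProviders/{id}, applying the field rules from the table above (alphanumeric Identifier; Discovery Domain without the /.well-known/openid-configuration suffix, which makes Auth URL and Token Endpoint redundant; space-separated Scope; write-only Key Value). The JSON field names (identifier, discoveryDomain, keyValue and so on) are assumptions; the SwaggerHub page is the authority for the real schema. The https check is stricter than the page states and is an added hardening check.

```python
"""Added example: validate and prepare an IDP entry for the Identity Providers API.
Field names are assumed, not taken from the dashboard's published schema."""
from __future__ import annotations

import re
from typing import Any

WELL_KNOWN = "/.well-known/openid-configuration"
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9]+$")  # Identifier accepts alphanumeric values only


def normalise_discovery_domain(domain: str) -> str:
    """Discovery Domain is given without the /.well-known/... suffix; strip it if present."""
    domain = domain.strip().rstrip("/")
    if domain.endswith(WELL_KNOWN):
        domain = domain[: -len(WELL_KNOWN)]
    return domain


def validate_idp(entry: dict[str, Any]) -> list[str]:
    """Return the rule violations for one IDP entry (an empty list means it is acceptable)."""
    problems: list[str] = []
    if not IDENTIFIER_RE.fullmatch(entry.get("identifier", "")):
        problems.append("identifier must be a non-empty alphanumeric string")
    has_discovery = bool(entry.get("discoveryDomain"))
    has_manual = bool(entry.get("authUrl")) and bool(entry.get("tokenEndpoint"))
    if not (has_discovery or has_manual):
        problems.append("set either discoveryDomain or both authUrl and tokenEndpoint")
    # Added hardening check (assumption, stricter than the page): endpoints must be https.
    for url_field in ("discoveryDomain", "authUrl", "tokenEndpoint", "logoutUrl"):
        value = entry.get(url_field)
        if value and not value.startswith("https://"):
            problems.append(f"{url_field} must use https")
    if "," in entry.get("scope", ""):
        problems.append("scope is space separated, not comma separated")
    return problems


def build_payload(entry: dict[str, Any]) -> dict[str, Any]:
    """Produce the body for POST/PUT. With a Discovery Domain set, the dashboard ignores
    Auth URL and Token Endpoint, so they are dropped rather than stored as dead config."""
    problems = validate_idp(entry)
    if problems:
        raise ValueError("; ".join(problems))
    payload = dict(entry)
    if payload.get("discoveryDomain"):
        payload["discoveryDomain"] = normalise_discovery_domain(payload["discoveryDomain"])
        payload.pop("authUrl", None)
        payload.pop("tokenEndpoint", None)
    return payload


def redact(entry: dict[str, Any]) -> dict[str, Any]:
    """Mirror the API's behaviour for logging or display: Key Value is write-only."""
    return {k: v for k, v in entry.items() if k != "keyValue"}


# Constructed sample entry with placeholder values (not a real tenant, client or secret).
SAMPLE_ENTRY = {
    "identifier": "microsoft",
    "enabled": True,
    "discoveryDomain": "https://login.microsoftonline.com/TENANT/v2.0/.well-known/openid-configuration",
    "authUrl": "https://example.invalid/authorize",  # ignored once discoveryDomain is set
    "tokenEndpoint": "https://example.invalid/token",
    "keyId": "CLIENT-ID-PLACEHOLDER",
    "keyValue": "CLIENT-SECRET-PLACEHOLDER",
    "emailClaimName": "preferred_username",
    "scope": "openid profile email",
    "bypassLoginScreen": False,
    "openInPopup": False,
}

if __name__ == "__main__":
    body = build_payload(SAMPLE_ENTRY)
    print(redact(body))  # safe to log: the secret is not included
    print(validate_idp({"identifier": "my-idp", "scope": "openid,email"}))
```

Run `build_payload` on the entry you intend to submit and log only `redact(...)` of it; the check for a comma-separated scope and a hyphenated identifier catches the two mistakes that otherwise surface only as a failed login.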
General Rules:
Each IDP configuration must have a unique Identifier, which is used as a query parameter in the URL to resolve the IDP to be used.
The IDP Identifier field only accepts alphanumeric values.
If there is only one IDP entry in the system, users do not need to specify the identifier in the URL; the dashboard automatically uses that IDP as long as it is enabled.
If there are multiple IDP entries saved in the database, users are expected to specify the Identifier of the Identity Provider they wish to use in the URL.
If there are no IDP entries configured in the system, the dashboard falls back to the old single-IDP implementation through the OAUTH variables, if one is configured and enabled.
To specify an IDP to use, the Identifier will need to be added as a query parameter to your dashboard URL, e.g:
https://pi-dash.uk:8224/pi/?idp=identifierValue
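As an added example (not the dashboard's own resolution code), the general rules above written out as a small resolver: it reads the idp query parameter from a dashboard URL, rejects anything non-alphanumeric before it is used as a lookup key, and applies the single-entry, multiple-entry and no-entry cases. The entry field names and the legacy-OAuth flag are assumptions.

```python
"""Added example: resolve which Identity Provider a dashboard URL selects.
Entry field names (identifier, enabled) and the legacy flag are assumptions."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9]+$")
LEGACY = "legacy-global-oauth"  # stands for the old single-IDP setup via OAUTH variables


def requested_identifier(url: str) -> str | None:
    """Return the idp query parameter, or None when absent.
    Anything that is not a single alphanumeric value is rejected before lookup."""
    values = parse_qs(urlsplit(url).query).get("idp")
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("idp parameter given more than once")
    if not IDENTIFIER_RE.fullmatch(values[0]):
        raise ValueError("idp parameter must be alphanumeric")
    return values[0]


def resolve_idp(url: str, entries: list[dict], legacy_oauth_enabled: bool) -> str | None:
    """Return the identifier of the IDP to use, LEGACY for the old global OAuth
    configuration, or None when no usable provider can be chosen."""
    ident = requested_identifier(url)
    if not entries:
        # No IDP entries at all: fall back to the global OAuth config if it is configured and enabled.
        return LEGACY if legacy_oauth_enabled else None
    if ident is None:
        if len(entries) == 1:
            # Exactly one entry: used automatically, but only while it is enabled.
            only = entries[0]
            return only["identifier"] if only["enabled"] else None
        # Several entries and no identifier in the URL: the user must say which one.
        return None
    by_id = {e["identifier"]: e for e in entries}
    chosen = by_id.get(ident)
    if chosen is None or not chosen["enabled"]:
        return None
    return chosen["identifier"]


# Constructed sample entries (placeholder identifiers, not real tenants).
ENTRIES = [
    {"identifier": "okta", "enabled": True},
    {"identifier": "microsoft", "enabled": False},
]

if __name__ == "__main__":
    print(resolve_idp("https://pi-dash.uk:8224/pi/?idp=okta", ENTRIES, False))
    print(resolve_idp("https://pi-dash.uk:8224/pi/", ENTRIES, False))
```

The resolver returns None rather than silently picking a provider when several are configured and the URL names none, and it treats a disabled entry the same as a missing one, so a provider that has been switched off cannot be reached by typing its identifier.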
Example of the configuration:
You have the IDP below configured in the dashboard, with ‘okta’ as the identifier for your IDP setup:
You wish to use your ‘okta’ configuration for a set of users, so you change the dashboard URL to include the identifier: