Fusion 5.12

    Configure OpenID Connect Authentication

    Configuration

    Use the Realms API to configure this realm type:

    curl -u USERNAME:PASSWORD -H 'content-type:application/json' -X POST http://<fusion-url>:6764/api/realm-configs -d @./realm-config.json

    Below is a sample configuration:

      {
        "realmType": "oidc",
        "name": "{your_oidcName}",
        "enabled": true,
        "roleNames": [
          "admin"
        ],
        "config": {
          "autoCreateUsers": true,
          "groups": {
            "roleMapping": [
              [
                "role_user",
                "admin"
              ]
            ]
          },
          "code": {
            "clientSecret": "{your_clientSecret}",
            "redirectUri": "{your_redirectUri}",
            "authorizationUri": "{your_authorizationUri}",
            "tokenUri": "{your_tokenUri}"
          },
          "clientId": "{your_clientId}",
          "jwkSetUri": "{your_jwkSetUri}",
          "userIdAttribute": "email",
          "scope": [
            "openid",
            "email",
            "profile"
          ]
        }
      }

    Required fields

    Field             Description                                                     Example
    name              Name of the OIDC realm.                                         oidc
    clientSecret      A secret value shared between the application and the           N/A
                      authentication server.
    redirectUri       The URI to which the user is redirected after logging in.       http://{fusion-url}:6764/admin
    authorizationUri  The authorization server's authorization endpoint URI.          https://${yourOktaDomain}/oauth2/default/v1/authorize
    tokenUri          The URI from which the access token is obtained.                https://${yourOktaDomain}/oauth2/default/v1/token
    clientId          A unique value that identifies the client.                      N/A
    jwkSetUri         The URL of the authorization server's JSON Web Key Set (JWKS).  https://${yourOktaDomain}/oauth2/default/v1/keys

    Google authentication

    For authenticating with Google, use Google’s OpenID Configuration to retrieve the required values for authorizationUri, tokenUri, jwkSetUri, and issuer.

    Okta authentication

    OpenID Connect authentication with Okta involves mapping Okta groups to Fusion roles. The Okta group information can be retrieved from Okta’s admin view:

    1. Navigate to API > Authorization Server

    2. Select the server you will configure for mapping

    3. In the Scope menu, add the authentication groups

    4. In the Claims menu, add a new claim named groups, included in the ID token, with its filter regexp set to .*, which exposes all groups
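Two of the tasks this page describes, checking a realm-config.json before it is POSTed to the Realms API and applying groups.roleMapping to the groups claim Okta puts in the ID token, as an added Python example that is not part of Fusion or of this page; the filled-in config values, the lint rules and the second mapping pair are constructed assumptions.

```python
# Constructed sample realm config in the shape this page documents (example values,
# not a real deployment); clientSecret is left as the page's placeholder on purpose.
REALM_CONFIG = {
    "realmType": "oidc", "name": "okta-oidc", "enabled": True, "roleNames": ["admin"],
    "config": {
        "autoCreateUsers": True,
        "groups": {"roleMapping": [["role_user", "admin"], ["search-team", "search"]]},
        "code": {"clientSecret": "{your_clientSecret}",
                 "redirectUri": "http://fusion.example.internal:6764/admin",
                 "authorizationUri": "https://example.okta.com/oauth2/default/v1/authorize",
                 "tokenUri": "https://example.okta.com/oauth2/default/v1/token"},
        "clientId": "0oa-example-client",
        "jwkSetUri": "https://example.okta.com/oauth2/default/v1/keys",
        "userIdAttribute": "email", "scope": ["openid", "email", "profile"],
    },
}

# Where each required field from the table above lives inside the JSON document.
REQUIRED_PATHS = {"name": ("name",), "clientId": ("config", "clientId"),
                  "jwkSetUri": ("config", "jwkSetUri")}
for _field in ("clientSecret", "redirectUri", "authorizationUri", "tokenUri"):
    REQUIRED_PATHS[_field] = ("config", "code", _field)

def lookup(cfg, path):
    # Walk a key path through nested dicts, returning None if any level is missing.
    for key in path:
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def lint_realm_config(cfg):
    """Return the problems to fix before POSTing this document to /api/realm-configs."""
    problems = []
    for field, path in sorted(REQUIRED_PATHS.items()):
        value = lookup(cfg, path)
        if not isinstance(value, str) or not value:
            problems.append(f"missing required field: {field}")
        elif value.startswith("{") and value.endswith("}"):
            problems.append(f"{field} still holds the placeholder {value}")
    # Authorization codes, tokens and signing keys must only travel over TLS.
    for field in ("authorizationUri", "tokenUri", "jwkSetUri"):
        if not str(lookup(cfg, REQUIRED_PATHS[field])).startswith("https://"):
            problems.append(f"{field} must be an https URL")
    if "openid" not in (lookup(cfg, ("config", "scope")) or []):
        problems.append("scope must include openid")
    return problems

def roles_for_groups(cfg, token_groups):
    """Apply groups.roleMapping ([idp_group, fusion_role] pairs) to an ID token's groups claim."""
    mapping = lookup(cfg, ("config", "groups", "roleMapping")) or []
    return sorted({role for group, role in mapping if group in set(token_groups)})
```

Run lint_realm_config on your own file before the curl call; an empty list means every required field is present, no {placeholder} survived, and the IdP endpoints use https.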