Skip to main content
Skip table of contents

OpenID Connect

To configure the Valsight application to use the OpenID Connect SSO, edit conf/config.yml and restart the server after making changes.


Configuration Key (openIdConnect →)DescriptionExample ValueDefault Value
enabled
Whether OpenID Connect authentication should be used or not
true
false
providerApplication → clientId
OAuth 2.0 Client Identifier valid at the Authorization Server
jmxDcfi1gEffVMktJ
n/a
providerApplication → clientSecret
Client Secret token, provided by the Authorization Server
aZWAuRZUSxT-Sh8-xDLdHI
n/a
providerApplication → issuer
Identifier for the Issuer of the authorization response.https://my-oidc.com/n/a
providerApplication → acr_values

Allows to pass additional authentication related information to the user service.


*Optional

*Available since: 3.7.0

myvalue1:myvalue2:myvalue3:myvalue4n/a
providerEndpoints → userAuthorizationUrl
The Authorization endpoint of the OpenID Connect flowhttps://my-oidc.com/authorizen/a
providerEndpoints → accessTokenUrl
The Token endpoint of the OpenId Connect flowhttps://my-oidc.com/oauth/tokenn/a
providerEndpoints → jwkUrl
The endpoint that contains certificates to verify the tokenhttps://my-oidc.com/oauth2/certsn/a
loginSuccessfulUrlThe absolute URL (starting with http(s)) of the application's main page. The user will be redirected there after a successful login.
https://valsight.company.com/
n/a
scopeList of comma separated scopes if we want fetch additional claims. The scope 'openid' will always be present, whether it is included in the configuration list or not.email,profileopenid
userProfileMapping → usernameThe claim used to uniquely identify an user. It must always be present in the provider's response and unique per user.preferred_usernameSub
userProfileMapping email

This claim that contains the user's e-mail address.


*Optional

emailn/a
userProfileMapping fullName

The claim that contains the user's full name.


*Optional

namen/a
reverseProxyURL

When the Valsight app is running behind a reverse proxy and the app server's port is not exposed directly (e.g. for purposes of HTTPS configuration), this URL is required. It is used by the Authorization Server to redirect the user back to the application after the successful login.


*Optional

https://my.company.com/valsightn/a
mandatoryClaims → claim → claimValue

This is used to customize the requested presence and values of claims beyond the ones requested by the OpenID Connect specification.

Each claim configured here must be present in the provider's response and also have the specified value. If claim has multiple values in the response (e. g. a list of groups the users belongs to) then one of the values in the response must be an exact match to the configured value.


*Optional

Example Configuration

YML
mandatoryClaims:
	group: groupName
	role: roleName
n/a
groupsClaim

This configuration option enables OpenID Connect to determine which groups users belong to. If this field is not present or if it is empty, the groups must be managed internally in the application. If we set a value of 'groupsClaim' we turn this functionality on. The value of 'groupsClaim' should be a an claim name that contains the  OpenID Connect provided groups.

The group matching happens as follows:

  1. read groups from the  OpenID Connect response
  2. create groups that are missing in the application
  3. add user to all groups from the response
  4. remove user from all groups not in the response

Important: this functionality never automatically deletes groups in the application


*Optional

*Available since: 5.0.0

groupsInOpenIDConnectResponsen/a
forceGroupsOverage

Forces the application to always use the 'https://graph.microsoft.com/v1.0' API to fetch the user's groups. It has no effect if 'groupsClaim' is not enabled.


*Optional

*Available since: 5.7.6

truefalse
useTokenExpirationAsSessionExpiration

If this flag is set to true, the applications session will expire when the authentication token expires.

If this flag is set to false (default) then the application will manage sessions as as normal.


*Optional

truefalse

Provider settings:

The OpenID Connect providers also have restrictions on which URLs are allowed to use the provider and where the provider is allowed to redirect to. The URL that the provider is redirecting to in our application is: <APPROOT>/v1/openIdConnect.

Logging:

For logging purpose, add in the log level view ( Configuration UI), the following package: 

  • Logger: com.valsight.authentication.openidconnect
  • Logger: com.valsight.services.sso.SSOService (since 5.7.0)
  • Level: DEBUG
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.