webMethods and Intelligent Business Operations 10.2 | API Gateway User's Guide | API Gateway Administration | Security Configuration | OpenID Provider | Adding an OpenID Provider
Adding an OpenID Provider
You must have the API Gateway's manage security configurations functional privilege assigned to add an OpenID provider.
Before you create an OpenID Connect (OIDC) identity provider in API Gateway, you must register API Gateway as a client application with the OpenID provider to receive a client ID and client secret. The client ID and client secret are the unique identifiers that the OpenID provider issues when API Gateway is registered. During registration you must also specify a redirect URL, the API Gateway endpoint to which the OpenID provider sends the end user back (with the authorization code or tokens) after the user has authenticated. The OpenID provider accepts only redirect URLs that match a registered value, so the redirect hostname and port configured below must agree with what was registered.
You can create and manage an OpenID provider using the OpenID provider configuration screen in API Gateway.
* To add an OpenID provider
1. Select Username > Administration.
2. Select Security > OpenID provider.
3. Click Add OpenID provider.
4. Provide the following information:
Name of an OpenID provider.
API Gateway supports OpenID Connect (OIDC) identity tokens issued by any standards-compliant OpenID provider, for example Google or Salesforce.
OpenID Connect discovery URL
The OpenID Connect discovery endpoint of the provider, that is, the URL of its openid-configuration document (conventionally the issuer URL followed by /.well-known/openid-configuration). The document publishes the issuer identifier and the authorization, token, userinfo and JSON Web Key endpoints.
Note: When the discovery URL is specified, some of the fields below are automatically populated with the data in the document served at that URL. Check that the issuer value in the document matches the URL you entered; a discovery document that names a different issuer does not belong to that provider.
Token issuer endpoint
The issuer URL of the OpenID provider that API Gateway uses. This value must match the iss claim carried in the ID tokens the provider issues; a token whose issuer differs must not be accepted.
Token endpoint
The OpenID provider's token endpoint, at which the client application (API Gateway) exchanges the authorization code, together with its client ID and client secret, for an ID token (id_token) and, where the provider issues one, a refresh token.
Authorization endpoint
The OpenID provider's authorization endpoint, to which API Gateway redirects the end user so that the user can authenticate with the provider and grant authorization to the client application.
The specific set of end user identity information to request and include as claims in the ID tokens. This is sent as the OpenID Connect scope request parameter (for example openid profile email); the openid scope is mandatory for an OpenID Connect request.
Userinfo endpoint
Optional. The OpenID provider's userinfo endpoint, from which API Gateway retrieves additional end user identity information to include as claims in the ID tokens.
Include userinfo claims
Optional. Select the check box if you want to include the end user identity information as claims in the ID tokens.
Note: Some OpenID providers do not include the complete end user information in the ID tokens. In such cases, select the Include userinfo claims check box to include the complete user information. API Gateway then generates a secondary ID token that includes the required user information as claims. The secondary token also includes the application ID and the primary ID token if the client specified the application ID in the GET OpenID token request to API Gateway. As a prerequisite, you must have JWT settings configured in API Gateway, because the secondary token is signed with API Gateway's own key. For information about configuring JWT settings in API Gateway, see Configuring API Gateway to use JWT.
JSON Web Key endpoint
The OpenID provider's JSON Web Key Set (JWKS) endpoint URL, from which API Gateway fetches the provider's public signing keys to verify and validate the signature of ID tokens. The key used for a given token is selected by the kid value in the token header.
Truststore alias
Specify the truststore alias whose public certificates are used to verify the signature of an OpenID token when no JSON Web Key endpoint is specified. If neither a JSON Web Key endpoint nor a truststore alias is available, token signatures cannot be verified and tokens from this provider must not be trusted.
Response type
The response_type sent in the authorization request, which determines the flow used to obtain authorization codes, ID tokens, and refresh tokens.
Supported values:
*code
*id_token
*token id_token
*id_token token
The value code selects the authorization code flow: an authorization code is returned to the redirect endpoint and is then exchanged at the token endpoint for ID tokens and refresh tokens.
The values id_token, token id_token and id_token token select the implicit flow: the ID token (and, for the last two, an access token as well) is returned directly to the client in the redirect. Because the tokens travel in the redirect URL, they can appear in browser history, referrers and logs; prefer code unless the provider or client cannot support it.
Token endpoint authentication method
The client authentication method that API Gateway uses at the OpenID provider's token endpoint when it presents the client ID and client secret to exchange an authorization code for an ID token.
Supported values:
Optional. The display type of user interface for the end user authentication and consent flow, sent to the provider as the OpenID Connect display request parameter.
Supported values:
Optional. The prompt behaviour for end user reauthentication and consent, sent to the provider as the OpenID Connect prompt request parameter.
Supported values:
Client id
An identifier that is unique to the client application.
Client secret
The secret issued to the client application at registration. API Gateway presents it, together with the client ID, to authenticate itself to the OpenID provider at the token endpoint. Keep it confidential: anyone holding the client ID and secret can obtain tokens as this client.
Redirect hostname
The host name of the redirect endpoint of API Gateway, as registered with the OpenID provider. OpenID providers compare the redirect URL in each authorization request with the registered value, so the hostname (and port) configured here must match the registration exactly.
Redirect port
The port number on which the redirect endpoint is listening for requests.
Max age
Optional. The maximum elapsed time (in seconds) since the end user last authenticated with the OpenID provider, sent as the OpenID Connect max_age request parameter. If the user's last authentication is older than this, the OpenID provider must re-authenticate the end user before issuing a token; the time of that authentication is reported back in the auth_time claim of the ID token.
Optional. The display language of the user interface for end user authentication and consent flow, sent to the provider as the OpenID Connect ui_locales request parameter.
5. Click Add.
The OpenID provider is added. You can add as many providers as required, but only one is the default at any given time.
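The following is an added example, not code from API Gateway or Software AG, showing the protocol steps behind the fields above: populating the provider fields from a discovery document (with the issuer check), building the authorization request for the configured response type, scope and max age, and the checks an ID token must pass before its claims are used. The discovery document, provider host, client ID "gw-client", client secret and redirect URI are all constructed for the example. Real providers normally sign ID tokens with RS256 using a key from the JSON Web Key endpoint; to stay self-contained the example verifies an HS256 token, for which OpenID Connect Core 10.1 specifies the client secret as the key, and only points out where the JWKS lookup would go.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document for a made-up provider host (not a real one).
DISCOVERY_URL = "https://op.example.test" + WELL_KNOWN
DISCOVERY_DOC = {
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/oauth2/authorize",
    "token_endpoint": "https://op.example.test/oauth2/token",
    "userinfo_endpoint": "https://op.example.test/oauth2/userinfo",
    "jwks_uri": "https://op.example.test/oauth2/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}


def provider_fields_from_discovery(discovery_url, doc):
    """Map the discovery document onto the provider fields the screen fills in.
    OIDC Discovery 4.3: the issuer in the document must equal the discovery URL
    with the well-known suffix removed, or the document is not that issuer's."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + discovery_url)
    expected_issuer = discovery_url[:-len(WELL_KNOWN)].rstrip("/")
    if doc["issuer"].rstrip("/") != expected_issuer:
        raise ValueError("issuer %r does not match the discovery URL" % doc["issuer"])
    return {
        "token_issuer_endpoint": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "jwks_endpoint": doc["jwks_uri"],
        "response_types": doc["response_types_supported"],
    }


def authorization_request(fields, client_id, redirect_uri, scope="openid profile email",
                          response_type="code", max_age=None):
    """Build the redirect to the authorization endpoint. state ties the callback
    to this browser session; nonce ties the returned ID token to this request."""
    if response_type not in fields["response_types"]:
        raise ValueError("provider does not advertise response_type " + response_type)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state, "nonce": nonce}
    if max_age is not None:
        params["max_age"] = str(max_age)
    return fields["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_id_token(claims, client_secret):
    """Constructed stand-in for the token the provider's token endpoint returns.
    OIDC Core 10.1: an HS256 ID token is MACed with the client secret as key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), (header + "." + body).encode(), hashlib.sha256)
    return header + "." + body + "." + _b64url_encode(mac.digest())


def validate_id_token(token, fields, client_id, client_secret, nonce, max_age=None, now=None):
    """The checks of OIDC Core 3.1.3.7 that must pass before any claim is used.
    Returns the claims, or raises ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # An RS256 token is verified with the JWKS key whose kid matches
        # header["kid"]; that needs an RSA library and is not shown here.
        raise ValueError("unsupported alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (header_b64 + "." + body_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != fields["token_issuer_endpoint"]:
        raise ValueError("iss does not match the token issuer endpoint")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("token was not issued to this client id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed token or wrong session")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        raise ValueError("end user authenticated longer than max_age seconds ago")
    return claims
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-supplied body cannot influence which issuer or audience is compared, and the nonce check is what ties a token to the session that started the flow, which is what stops a token captured from one user's redirect being replayed into another's.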

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release