OIDC
Single Sign-On (SSO) with OpenID Connect (OIDC) is a modern authentication and authorization protocol that builds on top of the OAuth 2.0 framework. OIDC allows users to log in to multiple applications and websites using a single set of credentials (such as username and password) while providing secure authentication.
OIDC Authentication Protocol is used by Microsoft Azure AD, Amazon Cognito Service, and OKTA. Switch to the Admin Portal and follow the below instructions to configure the OIDC authentication protocol in Wyn Enterprise,
Navigate to Configuration >> System Configurations >> SSO Settings and select the OIDC option from the Authentication Protocol dropdown.
Add the OIDC settings that appear in the SSO Settings tab. The OIDC authentication settings are listed and described below.
Setting | Description | Values |
|---|---|---|
Authentication Protocol | Authentication Protocol parameter is used to specify the protocol used to authenticate users for SSO. | None, CAS, OIDC, OAUTH |
Scheme | Scheme parameter is an identifier of the authentication provider. | CAS, MicrosoftAzureAD, AWSCognitor, MyTestingIdentityProvider, etc. |
Disabled | Disabled parameter is used to disable the SSO function. | True or False. The Default value is False. |
Allow Incognizant User | Allow Incognizant User parameter is used to allow users not existing in the Wyn Enterprise application to log in to the application. | True or False |
Enable SLO | Enable SLO is used to enable or disable a single logout feature when users log out from the Wyn Enterprise application. By default, this value is set to True. | True or False |
Authority | Authority parameter is the service endpoint URL used to request tokens from the authentication service provider. | Domain URL of your authentication service provider. |
Metadata Address | The URL of your server where metadata is obtained will be added to the Metadata Address. | https://{yourDomain}/.well-known/openid-configuration |
Client Id | Client Id parameter specifies the public identifier for the user required for OAuth flows. | For Amazon Incognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
Client Secret | Client Secret parameter specifies a secret code used by the user to exchange an authorization code for a token. ClientSecret should be kept confidential. | For Amazon Incognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
Callback Path | Callback parameter specifies a base URL where the IDP response is sent upon user authentication. Callback parameter is used in the SSO configuration settings with Amazon Cognito Service. | Redirect URI specified in the AWS app settings or the default value is /signin-oidc. |
Scopes | Scope parameter is used to customize data requests to a third-party application. | For OKTA: openid, profile, and email. For AWS: openid, profile, email, and phone. |
Response Type | Response types return the items that are fetched upon successful authentication. | code, token, id_token |
Response Mode | Response modes determine how the resulting parameters are returned by the authorization server from the authorization endpoint. | form_post, reponse_mode, fragment, query, |
Get User Claims | Get User Claims property is used to find the user claims. By default, this property is set to True. | True or Flase |
Save Tokens | Save Tokens property is used to save the tokens. By default, this property is set to True. | True or Flase |
Use Pkce | Proof of Key for Code Exchange is an extension to the authorization code flow to securely perform the OIDC exchange from public clients. | True or False |
Claim Mappings | Claims are used to determine the authenticated users' information such as name, phone number, email, roles, etc.. A claim mapping item consists of a Key and a Value where the Key represents the user context in Wyn Enterprise, and the Value represents the user context from the authentication provider. Click the + Add Claim button to add claims and set the Key and Value fields. | id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name |
You can also manually configure the OIDC Single Sign-on settings for Microsoft Azure AD, Amazon Cognito Service, and OKTA using the Wyn.conf file located in the Wyn system folder. See the Microsoft Azure AD, Amazon Cognito Service, OKTA help article for more information on the manual configuration of OIDC Authentication Protocol for SSO in Wyn Enterprise.