OpenID Connect - OIDC

Settings on the OpenID Connect (OIDC) tab (pictured below) specify the configuration that allows the On-Premise License Server to access information stored in the authentication server.

The On-Premise License Manager implements the authorization code flow. It needs a client ID and client secret so that users can log in with the OIDC identity provider (IDP).

Note

The License Manager must be configured as an application on the OIDC identity provider (IDP) side, for example, Okta. Use the callback URL displayed in the OIDC settings as the redirect URI.

The client ID and client secret are unique identifiers that are used to authenticate the On-Premise License Manager with your OIDC server.

By configuring OIDC:

  • License administrators can assign license seats to users by users’ names.

  • Your teammates can log into the Licensing Portal using their OIDC credentials.

SLM Configuration Authentication Method

Here are definitions for the values requested in the configuration fields:

| Option | Description |
| --- | --- |
| Name | Descriptive name of the configuration. |
| URL | OIDC server URL. |
| Use PKCE | Toggle the switch to use the PKCE-enhanced Authorization Code Flow. For more information, see Authorization Code Flow with Proof Key for Code Exchange (PKCE) from Okta. |
| Client ID | Unique identifier for the On-Premise License Manager on the OIDC server. |
| Client secret | Unique string paired with the Client ID value for the On-Premise License Manager on the OIDC server. |
| Scope | Scopes are the permissions that the application needs to access user data. Add openid and profile. In some environments, the email scope is also required. The OIDC server grants only the scopes that you have requested. |
| User Name | Specifies the name of the claim in the JWT that contains the user's username. Possible values include email and name. |
| JWT group claim name | Specifies the name of the claim in the JWT that contains the list of groups the user belongs to. |
| Group Filter Enabled | Toggle the switch to use group filtering and manage access control based on group membership. Enable the switch to view the details. |
| User Group Filter | The names of groups that designate a user as a regular user. Only users who belong to at least one of these groups are granted access to the system. |
| Admin Group Filter | A list of group names that identify users as administrators. |
| Callback URL to be registered on the OIDC server | Use this URL as the redirect URI in the OIDC server settings. |

Note

The filters in OIDC settings apply only to users authenticated via the OIDC server. Service accounts do not have groups assigned.
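Before enabling Group Filter, it helps to confirm that a token issued by your IDP actually carries the claims named in User Name and JWT group claim name, and that its group values match the filter lists. The following is an added example, not part of the product or its documentation; the function names, the sample token, and the exact (case-sensitive) comparison of group names are assumptions made for illustration.

```python
import base64
import json

def decode_claims(token):
    """Return the payload of a compact JWT. Diagnostic only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_claims(claims, user_name_claim, group_claim, user_filter, admin_filter):
    """Compare token claims with the values entered on the OIDC tab."""
    problems = []
    username = claims.get(user_name_claim)
    if not isinstance(username, str) or not username:
        problems.append(f"claim '{user_name_claim}' is missing or not a string")
    groups = claims.get(group_claim)
    if isinstance(groups, str):  # tolerate a single group sent as a bare string
        groups = [groups]
    if not isinstance(groups, list):
        problems.append(f"claim '{group_claim}' is missing or not a list")
        groups = []
    groups = [g for g in groups if isinstance(g, str)]
    # Assumption: filter entries are compared with group names exactly (case-sensitive),
    # so a near miss that differs only by case is reported as a likely lockout cause.
    for wanted in list(user_filter) + list(admin_filter):
        for g in groups:
            if g != wanted and g.lower() == wanted.lower():
                problems.append(f"group '{g}' differs from filter '{wanted}' only by case")
    return {
        "username": username,
        "user_groups": sorted(set(groups) & set(user_filter)),
        "admin_groups": sorted(set(groups) & set(admin_filter)),
        "problems": problems,
    }

def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature, for offline use."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

if __name__ == "__main__":
    sample = make_sample_token(
        {"email": "alice@example.com", "groups": ["License-Users", "lic-admins"]})
    print(check_claims(decode_claims(sample), "email", "groups",
                       ["license-users"], ["lic-admins"]))
```

The result lists matches for each filter separately and leaves the access decision to the License Manager. Because the signature is not checked, use this only to inspect tokens from your own IDP during setup.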

Test your configuration

After configuring the OIDC method, the Log in with OIDC button shows on the login page. Users must use this button to log in.

Log in to License Management

For more information on OpenID Connect, see How OpenID Connect Works.
