Authentication Service - Properties tab (OpenID) - Security Center 5.11

Security Center Administrator Guide 5.11

Product
Security Center
Content type
Guides > Administrator guides
Version
5.11
Language
English
Last updated
2024-07-05

You can configure an Authentication Service using the OpenID protocol from the Roles view of System task in Security Center Config Tool.

In the Properties tab, you can configure an OpenID identity provider for third-party authentication.

Protocol
Sets the authentication protocol to use with this identity provider. Changing the protocol migrates the Authentication Service configuration between OpenID and SAML2.
CAUTION:
Depending on the original configuration, migrating an Authentication Service role to another protocol might leave errors in the new configuration. After migrating, ensure that the new configuration is complete and accurate before using it.
Display name
Identifies this provider on the client logon screen. Each provider is presented as a button with the text "Sign in with <display name>".
Issuer
Secure URL (https) pointing to the provider's OpenID discovery document. This metadata file contains all necessary information to interact with the third-party identity provider, including endpoint locations and capabilities.
Domain names
A list of domain names associated with users who will connect to Security Center using this identity provider. Usernames that include one of these domains will automatically be redirected to the provider's logon screen.
Client ID
The client ID (also known as audience) is a unique identifier for Security Center that is issued by the identity provider when the application is registered.
Confidential client
This option is turned off by default. Turn it on to setup Security Center as a confidential client of this identity provider. Being a confidential client is more secure and is highly recommended. Confidential clients use a private client secret to identify themselves to the identity provider.
Client secret
Only displayed when Confidential client is switched on. The client secret is a confidential password issued by the identity provider when Security Center is registered as a confidential client.
Username claim
OpenID claim used by the identity provider to return the username of the authenticated party. Security Center requires a username to authorize access to the client.
Group claim
OpenID claim used by the identity provider to return the group memberships of the authenticated party. Security Center requires group membership to authorize access to the client.
Resource ID
ADFS only. URI containing the Relying Party Identifier for Security Center.
Audience
Keycloak only. Access tokens returned by Keycloak specify an audience that is different from the Client ID. That audience must be specified here.
Obtain claims from
Specifies where Security Center should obtain claims made by this identity provider. Claims can be obtained from an access token, UserInfo endpoint, or both.
Scopes
Azure AD only. The custom scopes defined for the Security Center application.
Custom parameters
If required, specify one or more custom parameters to send to this identity provider with every authentication request. Custom parameters are not defined by the OpenID protocol and are intended to meet the needs of non-standard configurations.
User groups
Add or remove Security Center user groups that are associated with this identity provider. If your identity provider can export a list of groups in CSV format, that list can be imported here. Groups missing from this list are not associated with the identity provider and will not be used to authorize incoming users.