You can configure an Authentication Service using the OpenID protocol from the Roles view of System task in Security Center Config Tool.
On the Properties page, you can configure an OpenID identity provider for third-party authentication.
- Protocol
- Sets the authentication protocol to use with this identity
provider. Changing the protocol migrates the Authentication Service configuration
between OpenID and SAML2.CAUTION:Depending on the original configuration, migrating an Authentication Service role to another protocol might leave errors in the new configuration. After migrating, ensure that the new configuration is complete and accurate before using it.
- Display name
- Identifies this provider on the client logon screen. Each provider is presented as a button with the text "Sign in with <display name>".
- Issuer
- Secure URL (HTTPS) pointing to the provider's OpenID discovery document. This metadata file contains all necessary information to interact with the third-party identity provider, including endpoint locations and capabilities.
- Default provider
- This option is turned off by default. Turn it on to use this identity provider for user authentication from all domains. If you have multiple Authentication Service roles, only one role can be set as the default provider, and this option is disabled for all other roles.
- Domain names
- Only shown when Default provider is turned off. A list of domain names associated with users who can connect to Security Center using this identity provider. Usernames that include one of these domains will automatically be redirected to the provider's logon screen.
- Client ID
- The client ID (also known as audience) is a unique identifier for Security Center that is issued by the identity provider when the application is registered.
- Confidential client
- This option is turned off by default. Turn it on to set up Security Center as a confidential client of this identity provider. Being a confidential client is more secure and is highly recommended. Confidential clients use a private client secret to identify themselves to the identity provider.
- Client secret
- Only shown when Confidential client is turned on. The client secret is a confidential password issued by the identity provider when Security Center is registered as a confidential client.
- Username claim
- OpenID claim used by the identity provider to return the username of the authenticated party. Security Center requires a username to authorize access to the client.
- Group claim
- OpenID claim used by the identity provider to return the group memberships of the authenticated party. Security Center requires group membership to authorize access to the client.
- Resource ID
- ADFS only. URI containing the Relying Party Identifier for Security Center.
- Audience
- Keycloak only. Access tokens returned by Keycloak specify an audience that is different from the Client ID. That audience must be specified here.
- Obtain claims from
- Specifies where Security Center should obtain claims made by this identity provider. Claims can be obtained from an access token, UserInfo endpoint, or both.
- Request offline access
- Requests offline access scope to the Security Center application.
- Scopes
- The custom scopes defined for the Security Center application.
- Custom parameters
- If required, specify one or more custom parameters to send to this identity provider with every authentication request. Custom parameters are not defined by the OpenID protocol and are intended to meet the needs of non-standard configurations.
- User groups
- Add or remove Security Center user groups that are associated with this identity provider. If your identity provider can export a list of groups in CSV format, that list can be imported here. Groups missing from this list are not associated with the identity provider and will not be used to authorize incoming users.