Configuring client authentication in OpenID Connect

Security Center Administrator Guide 5.13

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.13
Locale: en-US
Last updated: 2025-04-16

To confirm the validity of a client application, you can configure client authentication. This lets the identity provider verify that the application presenting itself as Security Center is the registered, authorized client before it issues tokens to it.

What you should know

You can authenticate a client application in one of the following ways:
Client Secret
A confidential password issued by the identity provider when Security Center is registered as a confidential client. Security Center presents it to the token endpoint with every token request.
Certificate
The certificate's private key is used to sign a client assertion (a short-lived JWT) that Security Center presents to the token endpoint; the identity provider verifies the signature with the public certificate you uploaded, so the certificate serves as the secret that proves the application's identity during the sign-in process.
NOTE: In Security Center, client authentication is available only for the OpenID Connect protocol.
Whenever possible, use certificate credentials instead of client secrets, as certificate credentials offer several advantages:
  • The risk of client impersonation is reduced: the private key never leaves Security Center, and the certificate is signed either internally or by a trusted authority.
  • The identity provider doesn't need to store any secret material, such as client secrets or private keys; it holds only the public certificate.
  • The expiration of each client assertion is controlled by Security Center, so a captured assertion is useful to an attacker only for a short window.
  • The client must prove it holds the private key by signing the client assertion, rather than by sending a reusable static value.
(Screenshot: Creating a role: Authentication Service window in Config Tool, showing the client authentication methods.)

Enabling Proof Key for Code Exchange (PKCE) helps prevent cross-site request forgery and authorization code injection attacks. PKCE is not a client authentication method: it binds the token request to the same client instance that initiated the authorization request, so an authorization code intercepted in transit cannot be redeemed without the code_verifier, even by a party that can otherwise authenticate as the client. Use it in addition to, not instead of, client authentication.
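The following added example (not Security Center or Genetec code) shows what the two client authentication methods above and PKCE amount to on the wire: the PKCE verifier/challenge pair and the identity provider's check of it, a client assertion signed with a certificate's private key and verified with nothing but the public certificate, and the two token request bodies a confidential client sends. It uses the third-party cryptography package; the RSA key and self-signed certificate it generates stand in for the Directory server certificate that the procedures below export and upload, and the token endpoint, redirect URI and client_id are placeholder assumptions. The x5t header is how Microsoft Entra ID matches the assertion to the uploaded certificate; Okta identifies a saved public key by a kid it assigns, which is not modelled here.

```python
"""PKCE and client authentication for an OpenID Connect confidential client.
Added example, not Security Center code; endpoint, redirect URI and client_id
are placeholders, and the certificate is a generated stand-in."""
import base64
import datetime
import hashlib
import json
import secrets
import time

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

TOKEN_ENDPOINT = "https://login.example.com/oauth2/v2.0/token"   # assumption
REDIRECT_URI = "https://securitycenter.example.local/callback"   # assumption
CLIENT_ID = "11111111-2222-3333-4444-555555555555"                # placeholder


def b64url(data):
    """Base64url without padding (RFC 7515 / RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- PKCE (RFC 7636, S256) ---------------------------------------------------
def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge). The challenge goes in the
    authorization request; the verifier never leaves the client instance."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))      # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verify(verifier, challenge):
    """The identity provider's check at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


# ---- Stand-in for the Directory server certificate ----------------------------
def make_directory_cert(days=365):
    """Self-signed RSA certificate; returns (private_key, certificate_pem)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "directory.example.local")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.PEM)


def thumbprint(cert):
    """SHA-1 thumbprint of the DER certificate, base64url: the JWT x5t header."""
    return b64url(hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).digest())


# ---- private_key_jwt client assertion (RFC 7523, OIDC Core section 9) ---------
def build_client_assertion(key, cert_pem, ttl=300):
    """JWT signed with the Directory private key; ttl sets its lifetime."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "x5t": thumbprint(cert)}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "jti": secrets.token_urlsafe(16), "iat": now, "nbf": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_client_assertion(assertion, cert_pem, audience=TOKEN_ENDPOINT):
    """What the identity provider does, holding only the uploaded certificate.
    Returns the claims on success and None on any failure."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        h_b64, p_b64, s_b64 = assertion.split(".")
        cert.public_key().verify(b64url_decode(s_b64), f"{h_b64}.{p_b64}".encode("ascii"),
                                 padding.PKCS1v15(), hashes.SHA256())
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except (ValueError, InvalidSignature):
        return None
    now = int(time.time())
    if header.get("alg") != "RS256" or header.get("x5t") != thumbprint(cert):
        return None
    if claims.get("aud") != audience or claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        return None
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return None   # expired or not yet valid: the lifetime the client chose has passed
    return claims


# ---- The two token request bodies the procedures configure --------------------
def token_request_client_secret(code, verifier, client_secret):
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": client_secret, "code_verifier": verifier}


def token_request_private_key_jwt(code, verifier, assertion):
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": verifier,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}
```

Note that verify_client_assertion needs only cert_pem, which is exactly what the procedures below upload to the identity provider; the same assertion fails against any other certificate, against the wrong audience, and after its exp, which is the behaviour the advantages listed above describe.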

Procedure

To configure client authentication using a client secret:

  1. Prepare the identity provider application in Microsoft Entra ID or Okta.
    During the Microsoft Entra ID configuration, copy the client secret and keep it safe until the integration is complete. It’s impossible to retrieve a client secret from the Microsoft Entra ID configuration. If the secret is lost, you must generate a new one.
  2. In Config Tool, select the Authentication Service role created earlier and click Configuration.
  3. On the Client authentication page, turn on Confidential client to set Security Center as a confidential client of this identity provider.
  4. Select Client Secret from the list of client authentication methods.
  5. In the Client secret field, enter the client secret that you copied from the identity provider (for Microsoft Entra ID, from the Certificates & secrets page of the application).
  6. Click Suspend > Save to exit the configuration or click Next to continue.

To configure client authentication with Microsoft Entra ID using a certificate:

  1. Prepare the identity provider application in Microsoft Entra ID.
  2. In Config Tool, select the Authentication Service role created earlier and click Configuration.
  3. On the Client authentication page, turn on the Confidential client option to set Security Center as a confidential client of this identity provider.
  4. Select Certificate from the list of client authentication methods.
    A list of Directory servers appears, each with an option to copy its certificate.
  5. Click the Copy Certificate button that corresponds to the main directory server.
  6. Click Copy certificate to file and save the file to your local computer.
  7. Go to the application page in Microsoft Entra ID, and click Manage > Certificates & secrets.
  8. In the Certificates tab, click Upload certificate.
  9. Select the certificate file, enter a description, and click Add.
    (Screenshot: Microsoft Entra ID portal showing the certificate credentials on the Certificates & secrets page.)
  10. Return to the configuration wizard of the Authentication Service role in Config Tool.
  11. Click Verify current Directory certificate.
    NOTE: You can only verify the main Directory certificate, not the certificates of the failover directories.
  12. Click Suspend > Save to exit the configuration or click Next to continue.

To configure client authentication with Okta using a certificate:

  1. Prepare the identity provider application in Okta.
  2. In Config Tool, select the Authentication Service role created earlier and click Configuration.
  3. On the Client authentication page, turn on the Confidential client option to set Security Center as a confidential client of this identity provider.
  4. Select Certificate from the list of client authentication methods.
    A list of Directory servers appears, each with an option to copy its certificate.
  5. Click the Copy Certificate button that corresponds to the main directory server.
  6. Click Copy certificate public key to clipboard.
  7. Go to the General page of your application in Okta, click Edit in the Client Credentials section, and select Public key / Private key as the client authentication method.
  8. In the PUBLIC KEYS section, select the Save keys in Okta option and click Add key.
  9. In the Add a public key window, paste the certificate public key and click Done.
  10. (Optional) Select the Require PKCE as additional verification option.
  11. Click Save.
    (Screenshot: General page for web applications in the Okta Admin Console, showing the certificate credentials.)
  12. Return to the configuration wizard of the Authentication Service role in Config Tool.
  13. Click Verify current Directory certificate.
    NOTE: You can only verify the main Directory certificate, not the certificates of the failover directories.
  14. Click Suspend > Save to exit the configuration or click Next to continue.