Configuring OpenID Connect Authentication for Web Login
Web login can authenticate users through an external OpenID Connect (OIDC) Identity Provider.
To set up OpenID Connect authentication for web login:
- In Workbench, in Project Explorer, expand your project > Security > Global Settings and go to the Web Login tab.
- In the Authentication section, in Type, select OpenID Connect, and then complete the additional settings specific to this type.
  Setting and description:

  Redirect URL / Logout Redirect URL
    Informational only; these values are required when setting up the external OIDC Identity Provider.
  Issuer URL
    Enter the base URL of the external OIDC provider's endpoints.
  Client ID
    Enter the OIDC/OAuth client identifier.
  Client Secret
    Enter the client secret, if required. Note that it is stored in the database only in an obfuscated form, which can easily be reverted to plain text; restrict database access accordingly.
  Use PKCE
    Select the checkbox to use Proof Key for Code Exchange (PKCE) for authentication.
  Prompt
    (Optional) Select an OIDC protocol parameter that instructs the identity provider to re-prompt the user for some information.
- Complete the settings in the OIDC Authentication User Mapping section, and then click Apply.
  - OIDC scope to request—Select the desired scope. The drop-down list contains common scopes defined by the OIDC standard, but Identity Providers can define their own. By default, Security only requests the openid scope. However, you can specify additional scopes here (even multiple, space delimited).
  - Use this OIDC claim—Specifies what information to extract from the OIDC tokens when mapping to existing users. Servers are likely to define their own claims, but a list of standard ones can be found here: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
  - Find existing user by—Select the parameter of the GENESIS user settings to which the claim should be mapped.
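The following is an added example, not code from the product documented above, that shows what these settings do on the wire and at login time: it builds the authorization request from the Web Login fields (issuer, client ID, redirect URL, scope, prompt and a PKCE S256 challenge), shows the verifier check the token endpoint performs when PKCE is on, and maps the configured claim from a validated ID token onto exactly one existing user. Every value in SETTINGS, ID_TOKEN_CLAIMS and USERS is a constructed placeholder, the "/authorize" path is an assumption (real clients read authorization_endpoint from the issuer's discovery document), and signature verification of the ID token is assumed to have happened before these claims are used.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed settings mirroring the Web Login tab fields above; all values are
# placeholders, not a real deployment.
SETTINGS = {
    "issuer_url": "https://idp.example.test",                  # Issuer URL
    "client_id": "web-login-client",                           # Client ID
    "redirect_url": "https://app.example.test/oidc/callback",  # Redirect URL
    "use_pkce": True,                                          # Use PKCE
    "prompt": "login",                                         # Prompt (optional)
    "scope": "profile email",                                  # OIDC scope to request
    "claim": "email",                                          # Use this OIDC claim
    "find_user_by": "email",                                   # Find existing user by
}


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh high-entropy verifier (43 chars) and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return secrets.compare_digest(code_challenge_for(code_verifier), code_challenge)


def normalise_scope(scope: str) -> str:
    """Space-delimited scope list; 'openid' is always present and duplicates are dropped."""
    ordered = []
    for part in ["openid"] + scope.split():
        if part not in ordered:
            ordered.append(part)
    return " ".join(ordered)


def build_authorization_request(settings, state, nonce, code_challenge=None) -> str:
    """Authorization request URL built from the Web Login settings.
    Assumes the conventional '/authorize' path under the issuer (an assumption)."""
    params = {
        "response_type": "code",
        "client_id": settings["client_id"],
        "redirect_uri": settings["redirect_url"],
        "scope": normalise_scope(settings["scope"]),
        "state": state,   # binds the callback to this browser session
        "nonce": nonce,   # echoed in the ID token to detect replay
    }
    if settings.get("prompt"):
        params["prompt"] = settings["prompt"]
    if settings["use_pkce"]:
        if code_challenge is None:
            raise ValueError("PKCE enabled but no code_challenge supplied")
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return settings["issuer_url"].rstrip("/") + "/authorize?" + urlencode(params)


def token_matches_client(claims, settings) -> bool:
    """Issuer/audience check on ID token claims whose signature was already verified."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == settings["issuer_url"] and settings["client_id"] in audiences


def map_claim_to_user(claims, settings, users):
    """Resolve the configured claim to exactly one existing user, otherwise None."""
    if not token_matches_client(claims, settings):
        return None
    value = claims.get(settings["claim"])
    if value is None:
        return None
    matches = [u for u in users if u.get(settings["find_user_by"]) == value]
    return matches[0] if len(matches) == 1 else None


# Constructed sample data: a validated ID token payload and a local user table.
ID_TOKEN_CLAIMS = {
    "iss": "https://idp.example.test",
    "sub": "u-12345",
    "aud": "web-login-client",
    "email": "alice@example.test",
    "preferred_username": "alice",
}
USERS = [
    {"username": "alice", "email": "alice@example.test"},
    {"username": "bob", "email": "bob@example.test"},
]

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorization_request(SETTINGS, "st-1", "n-1", code_challenge=challenge))
    print(verify_pkce(verifier, challenge))
    print(map_claim_to_user(ID_TOKEN_CLAIMS, SETTINGS, USERS))
```

Two design points worth noting. The user lookup refuses ambiguous matches: if the chosen claim (here email) is not unique in the user table, the login is rejected rather than silently picking the first row, which is why the claim selected under "Find existing user by" should map to a unique attribute. And the issuer and audience are checked before any claim is trusted, so a token minted by a different provider or for a different client cannot be mapped to a local account even if its claim values collide.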