ITAM Auth - OIDC

Summary

ITAM Authentication Module - Generic OIDC

Body

This module is very similar to other OIDC methods like Azure, Okta, AD FS, PingIdentity, etc., but it can be used with any generic OpenID Connect provider and contains nothing specific to those other modules. You will also want to review the general Auth Module document for more information on authentication as a topic.

OIDC Settings

Because this authentication is handed off to the provider, it offers full SSO and MFA support per the provider configuration.

Generally speaking, you will want to enable Use Authorization Code Flow. If there is a problem, you can disable it to test falling back to another code flow method.

Account Name Style is partially cosmetic but can have a functional impact. It sets how the account is displayed in the upper corner of the Web UI, how it is recorded in logs, and how it appears in the Account list in the platform. This can be important to avoid collisions. For example, if you use Full Name and two people are named John Smith, the two accounts collide. But if you use UPN Without Domain and that results in jasmith and jbsmith, then there is no issue, because those are unique names for account records.

The Label is arbitrary and will be displayed on the login page. In general, using the name of the service (e.g. Google or Azure) as the label is expected.

The Redirect URL should always be https://[your.keyserver.hostname]/sso

Configuration

This module is generic, for use with any OIDC service that has no specific module. Results are not guaranteed because it is generic and not specific (like Azure, etc.), so, for example, group queries may not work. We are always interested in adding functionality, so contact support if you're having difficulties. As an example, before we added a DUO-specific module, that service might look like this:

Note that in this case DUO calls the field "Discovery URL", and its value is in URL syntax. As shown above, our Discovery host/path does not use the URL syntax, just the host and path (i.e. remove https://).
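The following is an added example, not part of the original article or the product: it converts a provider's Discovery URL into the host and path form described above and checks the provider's discovery document before the module is configured. The hostname sso.example.com and the sample metadata are constructed placeholders; the metadata field names come from the OpenID Connect Discovery specification.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample values; sso.example.com is a placeholder provider.
SAMPLE_URL = "https://sso.example.com/oauth/v1" + WELL_KNOWN
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://sso.example.com/oauth/v1",
  "authorization_endpoint": "https://sso.example.com/oauth/v1/authorize",
  "token_endpoint": "https://sso.example.com/oauth/v1/token",
  "jwks_uri": "https://sso.example.com/oauth/v1/keys",
  "response_types_supported": ["code"]
}""")


def to_host_path(discovery_url):
    """Drop the https:// scheme, leaving the host and path form."""
    parts = urlsplit(discovery_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// discovery URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("unexpected credentials, query or fragment")
    return parts.netloc + parts.path


def check_metadata(discovery_url, metadata):
    """Return a list of problems found in the provider's discovery document."""
    problems = []
    url = discovery_url.strip()
    issuer = str(metadata.get("issuer", "")).rstrip("/")
    # OIDC Discovery: issuer must equal the URL prefix before /.well-known/...
    if url.endswith(WELL_KNOWN) and issuer != url[: -len(WELL_KNOWN)]:
        problems.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(metadata.get(key, ""))).scheme != "https":
            problems.append(f"{key} missing or not https")
    # Authorization Code Flow needs the plain "code" response type.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise response type 'code'")
    return problems


if __name__ == "__main__":
    print("Discovery host/path:", to_host_path(SAMPLE_URL))
    print("Problems:", check_metadata(SAMPLE_URL, SAMPLE_METADATA) or "none")
```

A provider that does not list the `code` response type is a case where Use Authorization Code Flow would be expected to fail.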

Again, specifics are left to the individual site as this is a generic module. We are happy to assist with reading logs for troubleshooting the connection.

Details

Article ID: 170156
Created: Wed 1/14/26 12:23 AM
Modified: Wed 1/14/26 9:13 PM