Configuring OpenID Connect authentication
You can configure the Remedy Single Sign-On server to authenticate users through the OpenID Connect (OIDC) authentication method.
Before you begin
Add a realm for OIDC authentication and configure its general settings. For more information on realm configuration, see Configuring realms.
To configure OpenID Connect authentication
- Log in to Remedy SSO Admin Console.
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- From the Authentication Type drop-down list, select OIDC.
- To import OpenID Connect Provider information, click Import.
- Complete the OIDC Discovery URL field, and click Import.
The following fields are prepopulated:
- Authorization URL: Returns an authorization code.
- Token URL: Exchanges the previously received authorization code for an access token.
- UserInfo URL: Returns information about the currently logged-in user; it is accessed by using the access token.
- Scope: Determines which details about the logged-in user are returned.
- Client ID: Identifies the client application registered on the OpenID provider side.
- Client Secret: Authenticates the client application. When the Remedy SSO server is registered as a client on the OIDC provider site, the OIDC provider generates and provides the client ID and client secret values.
- RSSO Server URL: URL of the Remedy SSO server.
- Remedy SSO Callback URL: The URL to which the OIDC provider sends its response.
- User ID field name: Name of the field that identifies the user and that Remedy SSO uses as the user ID.
- Configure the remaining fields on the Authentication tab:
- Prompt: Specifies the action the authorization server must prompt the user for. Select one of the following options from the drop-down list:
  - none: The authorization server must not display any authentication or consent user interface pages. An error is returned if the end user is not already authenticated, if the client does not have pre-configured consent for the requested claims, or if other conditions for processing the request are not met. The error code is typically one of the following: login_required, interaction_required, account_selection_required, consent_required, invalid_request_uri, invalid_request_object, request_not_supported, request_uri_not_supported, registration_not_supported. This option can be used as a method to check for existing authentication and/or consent.
  - login: The authorization server should prompt the end user for reauthentication. If it cannot reauthenticate the end user, it must return an error, typically login_required.
  - consent: The authorization server should prompt the end user for consent before returning information to the client. If it cannot obtain the consent, it must return an error, typically consent_required.
  - select_account: The authorization server should prompt the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select from the accounts for which they might have current sessions. If it cannot obtain an account selection from the end user, it must return an error, typically account_selection_required.
- Click Save.
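As an added example that is not part of this documentation or of the Remedy SSO product, the Python below shows what an Import does with a discovery document (mapping its endpoints to the fields listed above, with the issuer and HTTPS checks a client should apply before trusting them) and how the selected Prompt value is carried on the authorization request. The sample discovery document, the field-name-to-key mapping and the way Scope is filled are assumptions.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed sample of the document served at <issuer>/.well-known/openid-configuration
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
  "scopes_supported": ["openid", "profile", "email"]
}"""

# Assumed mapping from the Remedy SSO field names to discovery-document keys
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "UserInfo URL": "userinfo_endpoint",
}

def import_discovery(doc_text, expected_issuer):
    """Return the prepopulated fields, rejecting a document that fails basic checks."""
    doc = json.loads(doc_text)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    fields = {}
    for field, key in FIELD_MAP.items():
        url = doc[key]  # a missing required endpoint raises KeyError
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != urlparse(expected_issuer).netloc:
            raise ValueError("%s must be an HTTPS URL on the issuer host: %s" % (field, url))
        fields[field] = url
    # Assumption: the Scope field is filled from scopes_supported
    fields["Scope"] = " ".join(doc.get("scopes_supported", ["openid"]))
    return fields

def build_authorize_url(fields, client_id, callback_url, state, prompt=None):
    """Build the authorization request the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,  # the Remedy SSO Callback URL
        "scope": fields["Scope"],
        "state": state,  # random per-request value that binds the callback to this request
    }
    if prompt is not None:
        if prompt not in ("none", "login", "consent", "select_account"):
            raise ValueError("unsupported prompt value: %s" % prompt)
        params["prompt"] = prompt
    return fields["Authorization URL"] + "?" + urlencode(params)
```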