Configuring OpenID Connect authentication


You can configure the BMC Helix Single Sign-On server to authenticate end users through the OpenID Connect authentication method.


Before you begin

Add a realm for the OpenID Connect authentication and configure its general settings. Learn how to add and configure realms in Adding-and-configuring-realms.

To configure OpenID Connect authentication

  1. Log in to the BMC Helix SSO Admin Console.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  3. From the Authentication Type list, select OIDC.
  4. To import OpenID Connect provider information, click Import.
  5. Complete the OpenID Connect Discovery URL or Issuer field, and click Import.

    The following fields get prepopulated:

    Issuer: URL that the OpenID Connect provider asserts as its Issuer Identifier.
    Authorization URL: URL of the OpenID Connect provider's Authorization Endpoint.
    Token URL: URL of the OpenID Connect provider's Token Endpoint.
    UserInfo URL: URL of the OpenID Connect provider's UserInfo Endpoint.
    JWKS URI: URL of the OpenID Connect provider's JSON Web Key Set (JWKS) document.
    End Session URL: URL of the OpenID Connect provider's End Session Endpoint.

  6. On the Authentication tab, configure the remaining fields:

Fields on the Authentication tab

Client ID: Identifier of the client application registered on the OpenID Connect provider side.

Client Secret: Secret that the client application uses to authenticate to the OpenID Connect provider.

When the BMC Helix SSO server is registered as a client on the OpenID Connect provider side, the OpenID Connect provider generates and provides the client ID and client secret values.

Scope: A space- or comma-separated list of scopes indicating the required scope of the access token from the OpenID Connect provider.

RSSO Server URL: URL of the BMC Helix SSO server.

RSSO Callback URL: Read-only field.

Prompt: The authorization server prompts the user for a required action. Select one of the following options from the list:

  • none: Does not display any authentication or consent user interface pages. The authorization server returns an error if an end user is not already authenticated, if the client does not have a pre-configured consent for the requested claims, or if the request does not fulfill other conditions for processing. The error code is typically one of the following:
    - login_required
    - interaction_required
    - account_selection_required
    - consent_required
    - invalid_request_uri
    - invalid_request_object
    - request_not_supported
    - request_uri_not_supported
    - registration_not_supported
    This option can be used to check for existing authentication or consent.
  • login: Prompts the end user for reauthentication. If the authorization server cannot reauthenticate the end user, it returns an error, typically login_required.
  • consent: Prompts the end user for consent before returning information to the client. If the authorization server cannot obtain the consent, it returns an error, typically consent_required.
  • select_account: Prompts the end user to select a user account. This enables an end user who has multiple accounts at the authorization server to select the account they might have a current session for. If the authorization server cannot obtain an account selection from the end user, it returns an error, typically account_selection_required.

User ID field name: Name of the field from which the end user's User ID is read.

Client Authentication method: Method that the client uses to authenticate to the OpenID Connect provider, as registered with the provider. Available methods:

  • client_secret_basic
  • client_secret_post (default)
  • client_secret_jwt

User ID Transformation: Option to transform the User ID to match the Login ID so that login succeeds. Lets you modify the User ID with predefined transformation commands or a custom expression. For more information, see Transforming-userID-to-match-login-ID.

Custom expression: Custom value for the User ID transformation. For more information, see Transforming-userID-to-match-login-ID.

Groups Claim name: Name of the claim in the id_token from which end user groups are extracted.

Infinite session group: Name of the group whose members get infinite sessions. For more information, see Configuring-infinite-user-sessions.

ALLOW-FROM Domain(s): Domains from which the BMC Helix SSO server is allowed to open applications in iframes. For more information, see Allowing-BMC-Helix-SSO-to-open-applications-in-iframes.

  7. Click Save.
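The Client Authentication method setting decides what the BMC Helix SSO server sends to the provider's Token Endpoint when it exchanges the authorization code. The following Python script, added here as an example and not code from BMC Helix SSO, builds that request for each of the three methods and includes the provider-side check of a client_secret_jwt assertion, which is what lets that method keep the secret off the wire. The client ID, secret, URLs and authorization code are constructed values.

```python
"""Token-endpoint client authentication: client_secret_basic, client_secret_post, client_secret_jwt.

Added example, not BMC Helix SSO code.  All identifiers, secrets and URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import quote

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed values standing in for the realm's Token URL and RSSO Callback URL
TOKEN_URL = "https://idp.example.test/oauth2/token"
CALLBACK_URL = "https://sso.example.test/oidc/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_secret_jwt(client_id, client_secret, token_url, now=None, lifetime=60):
    """HS256 assertion keyed with the client secret: proves possession without sending the secret."""
    now = int(time.time()) if now is None else now

    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()

    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_secret_jwt(assertion, client_secret, token_url, now=None):
    """Provider-side check: signature, algorithm, audience, expiry.  Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    h, c, s = parts
    expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(c))
    if claims.get("aud") != token_url:
        raise ValueError("audience mismatch")        # assertion was minted for another endpoint
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if claims.get("iss") != claims.get("sub"):
        raise ValueError("iss and sub must both be the client_id")
    return claims


def client_assertion_is_valid(assertion, client_secret, token_url, now=None):
    try:
        verify_client_secret_jwt(assertion, client_secret, token_url, now)
    except ValueError:
        return False
    return True


def build_token_request(method, client_id, client_secret, token_url, code, redirect_uri, now=None):
    """Return (headers, form_fields) for the authorization-code exchange under the given method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then base64 "id:secret" into the header
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode("ascii")
    elif method == "client_secret_post":
        form["client_id"] = client_id            # secret travels in the body instead
        form["client_secret"] = client_secret
    elif method == "client_secret_jwt":
        # The client is identified by the assertion's sub claim; the secret itself is never sent
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = make_client_secret_jwt(client_id, client_secret, token_url, now)
    else:
        raise ValueError(f"unsupported client authentication method {method!r}")
    return headers, form


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post", "client_secret_jwt"):
        hdrs, body = build_token_request(method, "rsso-client", "s3cret!", TOKEN_URL,
                                         "constructed-code", CALLBACK_URL)
        print(method, hdrs, body, sep="\n  ")
```

Run it to see the three request shapes side by side: only client_secret_post puts the secret in the body, and only client_secret_jwt sends something (the assertion) that the provider can reject by audience or expiry even when the signature is right.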

Important

URLs to endpoints can include additional query parameters.
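The Import step fills the six endpoint fields from the provider's discovery document, and the note above says those URLs may carry query parameters. The following Python script, added here as an example and not code from BMC Helix SSO, parses such a document, maps its keys to the Authentication-tab fields, keeps any query parameters intact, and applies the checks worth doing before trusting an imported configuration: the document's issuer must equal the location it was fetched from (OpenID Connect Discovery requires this), and every endpoint must be https. The discovery URL and document are constructed; idp.example.test is not a real provider.

```python
"""Check an OpenID Connect discovery document the way the Import step needs it.

Added example, not BMC Helix SSO code.  The discovery URL and document below are constructed.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Authentication-tab field name -> key in the provider metadata document
FIELD_TO_METADATA_KEY = {
    "Issuer": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "UserInfo URL": "userinfo_endpoint",
    "JWKS URI": "jwks_uri",
    "End Session URL": "end_session_endpoint",
}
OPTIONAL_FIELDS = {"End Session URL"}   # not every provider supports RP-initiated logout

# Constructed sample of what a provider serves at its discovery URL
SAMPLE_DISCOVERY_URL = "https://idp.example.test/.well-known/openid-configuration"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize?tenant=acme",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "response_types_supported": ["code"],
})


def issuer_from_discovery_url(url):
    """Accept either the discovery URL or the bare issuer, as the Import field does."""
    url = url.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def import_provider_metadata(discovery_url, document_json):
    """Return {field name: URL} for the prepopulated fields; raise ValueError if the document is unusable."""
    meta = json.loads(document_json)
    issuer = meta.get("issuer")
    if not isinstance(issuer, str):
        raise ValueError("discovery document has no 'issuer'")
    expected = issuer_from_discovery_url(discovery_url)
    # The issuer must match where the document came from; otherwise the 'iss' claim of every
    # id_token would later be checked against a value the server never verified.
    if issuer.rstrip("/") != expected:
        raise ValueError(f"issuer mismatch: document says {issuer!r}, expected {expected!r}")
    fields = {}
    for field, key in FIELD_TO_METADATA_KEY.items():
        value = meta.get(key)
        if value is None:
            if field in OPTIONAL_FIELDS:
                continue
            raise ValueError(f"missing required metadata {key!r}")
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{field} is not https: {value}")
        fields[field] = value   # query parameters in the endpoint URL are kept as the provider gave them
    return fields


def validate(discovery_url, document_json):
    """None if the document imports cleanly, otherwise the reason it was rejected."""
    try:
        import_provider_metadata(discovery_url, document_json)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for field, url in import_provider_metadata(SAMPLE_DISCOVERY_URL, SAMPLE_DOCUMENT).items():
        print(f"{field}: {url}")
```

Running the script prints the six field values as the Import step would populate them; the Authorization URL keeps its tenant query parameter. Pointing validate() at a document whose issuer does not match the discovery URL, or whose Token URL is plain http, returns the rejection reason instead of None.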
