OpenID Connect | PRA

Benefits of OpenID Connect integration

BeyondTrust Privileged Remote Access integrates with OpenID Connect providers to support modern identity management and secure single sign-on. BeyondTrust uses OpenID Connect tokens to authenticate users and inherit permissions from configured groups.

  • Use existing OpenID Connect providers for login.
  • Enable single sign-on across apps and systems.
  • Support modern, standards-based authentication.

How do I access the Security Providers page?

  1. Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Users & Security.
    The Users page opens and displays by default.
  3. At the top of the page, click Security Providers.
    The Security Providers page displays.

Add a security provider

  1. On the Security providers page, click + Add, and then select OpenID Connect from the list.
    The Add Security Provider page displays.
  2. Configure the security provider following the steps below.

OpenID Connect fields

  • Name: Enter a unique name to help identify your provider.

  • Enabled: If checked, your appliance can search this security provider when a user attempts to log in to the access console or /login. If unchecked, this provider will not be searched.

  • Associated email domains: This setting applies only when more than one OIDC provider is active. Otherwise, it is ignored.

    Enter the email domains you want to associate with this OIDC provider, one per line. During authentication, users enter their email address, and the domain is checked against this list. If it matches, they are redirected to the corresponding identity provider for authentication.

    If multiple OIDC providers are configured and the user’s email domain does not match any provider’s associated domains, the user will not be allowed to authenticate.

  • Server certificate: This is the certificate used for validating the response's signature. The certificate is usually provided by the metadata.

  • Provider settings

    • OIDC endpoint: The root address of the provider; the appliance appends /.well-known/openid-configuration to it to locate the OIDC metadata. Any http protocol prefix and trailing slashes are removed.

    • Client ID: The unique identifier for the identity provider you are using.

    • Client secret: Enter the shared secret that lets your appliance authenticate to your OIDC server.

  • User attribute settings

    • Username: The OIDC attribute that contains the user's unique username or login ID.
    • E-mail: The OIDC attribute that contains the user's email address.
    • Display name: The OIDC attribute that contains the user's display name.
  • Authorization settings

    • Lookup groups using this provider: Enabling this feature allows faster provisioning by automatically looking up groups for this user, using Group lookup attribute name and Delimiter. We recommend enabling this feature. If not used, OIDC users must be manually assigned to group policies after their first successful authentication.

    • Group lookup attribute name: Enter the name of the OIDC attribute that contains the names of groups to which users should belong. If the attribute value contains multiple group names, then specify the Delimiter used to separate their names. If left blank, OIDC users must be manually assigned to group policies after their first successful authentication.

    • Delimiter: If this field is left blank, then the attribute value may contain multiple XML nodes, with each one containing a different name.

    • Available groups: This is an optional list of OIDC groups always available to be manually assigned to group policies. If left blank, a given OIDC group is made available only after the first successful authentication of a user member of such group. Enter one group name per line.

    • Default group policy: Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

      If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

      Note: If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

  3. Click Save at the top of the page.
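The following is an added worked example, not BeyondTrust code, that models how the settings above behave once saved: stripping the scheme and trailing slashes from the OIDC endpoint, routing a login to the right provider by email domain when several providers are enabled, reading group names from the token claims using the group lookup attribute and delimiter, and falling back to the default group policy only when a user matches no specific policy. The provider names, claim names, email addresses and the `https://` prefix used to build the discovery URL are all constructed assumptions.

```python
"""Model of the OIDC provider settings described on this page (added example).
Provider names, claim names and sample identities below are constructed."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


@dataclass
class OidcProvider:
    name: str
    endpoint: str                               # as typed by the administrator
    enabled: bool = True
    associated_domains: list = field(default_factory=list)
    group_attribute: str = ""                   # "Group lookup attribute name"
    delimiter: str = ""                         # blank: claim value is already a list
    default_policy: Optional[str] = None        # "Default group policy"


def normalize_oidc_endpoint(raw: str) -> str:
    """Drop the scheme and trailing slashes, keeping host[/path] as the page describes."""
    raw = raw.strip()
    if "://" in raw:
        parts = urlsplit(raw)
        raw = parts.netloc + parts.path
    return raw.rstrip("/")


def discovery_url(raw: str) -> str:
    """Metadata location. Assumption: the appliance always fetches over https."""
    return "https://" + normalize_oidc_endpoint(raw) + DISCOVERY_SUFFIX


def select_provider(email: str, providers: list) -> Optional[OidcProvider]:
    """Pick the provider for a login. Domain lists matter only when more than one
    provider is enabled; with several providers and no match the login is refused."""
    active = [p for p in providers if p.enabled]
    if not active:
        return None
    if len(active) == 1:                        # associated domains are ignored
        return active[0]
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    for p in active:
        if domain and domain in (d.lower() for d in p.associated_domains):
            return p
    return None                                 # no domain match: not allowed


def extract_groups(claims: dict, provider: OidcProvider) -> list:
    """Read group names from the token claims. A blank attribute name disables lookup
    (groups must then be assigned manually after the first login)."""
    if not provider.group_attribute:
        return []
    value = claims.get(provider.group_attribute)
    if value is None:
        return []
    if isinstance(value, (list, tuple)):        # multi-valued claim, no delimiter needed
        names = [str(v) for v in value]
    elif provider.delimiter:
        names = value.split(provider.delimiter)
    else:
        names = [value]
    seen, out = set(), []
    for n in (s.strip() for s in names):        # de-duplicate, keep order, drop blanks
        if n and n not in seen:
            seen.add(n)
            out.append(n)
    return out


def effective_policies(groups: list, group_policy_map: dict, provider: OidcProvider) -> list:
    """Simplification of the precedence rule: specific group-policy memberships are
    authoritative; the default policy applies only when no group matched. An empty
    result means the user belongs to no policy and cannot authenticate."""
    specific = []
    for g in groups:
        for pol in group_policy_map.get(g, []):
            if pol not in specific:
                specific.append(pol)
    if specific:
        return specific
    return [provider.default_policy] if provider.default_policy else []


if __name__ == "__main__":
    corp = OidcProvider("corp", "https://login.example.com/realms/acme/",
                        associated_domains=["example.com"], group_attribute="groups",
                        default_policy="least-privilege")
    partner = OidcProvider("partner", "idp.partner.example/",
                           associated_domains=["partner.example"],
                           group_attribute="roles", delimiter=";")
    print(discovery_url(corp.endpoint))
    chosen = select_provider("alice@example.com", [corp, partner])
    groups = extract_groups({"groups": ["admins", " ops ", "admins"]}, chosen)
    print(chosen.name, groups, effective_policies(groups, {"ops": ["Operators"]}, chosen))
```

The least-privilege default in the sample mirrors the recommendation above: a user whose groups match nothing still lands in a minimal policy rather than an administrative one, and a user of an unmatched email domain is refused outright when more than one provider is active.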

Change priority order of security providers

  1. At the top of the Security providers page, click Change Order.
  2. Drag and drop security providers to set their priority. You can drag and drop servers within a cluster; clusters can be dragged and dropped as a whole.
  3. Click Save Order for prioritization changes to take effect.

Disable a security provider

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.

  1. On the Security providers page, locate the security provider you want to disable.
  2. Click the provider's menu icon, and then click Disable.

To re-enable the security provider, click the provider's menu icon, and then click Enable.

View the log for a security provider

View the status history for a security provider connection.

  1. On the Security providers page, locate the security provider you want to view.
  2. Click the provider's menu icon, and then click View Log.

Edit a security provider

Note: If you edit the local security provider and select a default policy that does not have administrator permissions, a warning message appears. Ensure other users have administrator permissions before proceeding.

  1. On the Security providers page, locate the security provider you want to edit from the list.
  2. Click the edit icon.
    The Edit security provider page displays.
  3. Edit the security provider details. The details available are the same as the Add security provider page details.
  4. Click Save at the top of the page.

Delete a security provider

  1. On the Security providers page, locate the security provider you want to delete.
  2. Click the delete icon to delete the security provider.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.