Generic OpenID Connect (OIDC) Identity Provider

The generic OIDC Identity Provider allows you to connect to any OIDC-compliant Identity Provider. To create a generic OIDC Identity Provider, you can access the Identity provider list on the Safewhere Admin portal and choose the Enterprise category.

[Screenshot: Create a new generic OIDC provider, select category]

Choose Generic OIDC provider

[Screenshot: Create a new generic OIDC provider, select connection]

Configuration

After saving the new connection, access its Connection tab and update its settings.

[Screenshot: Generic OIDC provider, Connection tab]

  • Client ID (App ID): The client ID that is provided by the Identity Provider that you want to connect to.
  • Client secret: The client secret that is provided by the Identity Provider that you want to connect to.

You can either enter all endpoints manually or enter the provider's /.well-known/openid-configuration metadata endpoint into the Fetch all endpoints from URL setting and click the icon on the right to have all endpoints filled in automatically.

[Screenshot: Generic OIDC provider, Connection tab, fetch all endpoints from URL]
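As an added example (not Safewhere's code), the checks worth running on a discovery document fetched this way, plus the CORS header that a browser-side fetch such as the Admin portal's fetch icon depends on (see Known issues below). The hostnames and the sample document are constructed; the endpoint path mirrors the Identify one quoted on this page.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document; not any real provider's metadata.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/runtime/oauth2",
    "authorization_endpoint": "https://idp.example.test/runtime/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/runtime/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/runtime/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/runtime/oauth2/jwks",
    "scopes_supported": ["openid", "profile", "email"],
})


def issuer_from_metadata_url(url: str) -> str:
    """Per OIDC Discovery, the document must claim the metadata URL minus the suffix."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL")
    return url[: -len(WELL_KNOWN)]


def validate_discovery(raw: str, expected_issuer: str) -> list:
    """Return the problems found; an empty list means the metadata is usable."""
    doc = json.loads(raw)
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    # A document whose issuer differs from where it was fetched could lead the
    # relying party to accept tokens minted by a different issuer.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    if "scopes_supported" in doc and "openid" not in doc["scopes_supported"]:
        problems.append("openid scope not advertised")
    return problems


def cors_allows_origin(response_headers: dict, admin_origin: str) -> bool:
    """A browser fetch from the Admin portal origin succeeds only when the provider
    answers with an Access-Control-Allow-Origin header permitting that origin."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    allow = lowered.get("access-control-allow-origin")
    return allow is not None and allow.strip() in ("*", admin_origin)
```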

You can also access the Permission tab to customize the required permissions as well as additional permissions. The default value of the Required permissions setting is openid.

[Screenshot: Generic OIDC provider, Permissions tab]

Known issues

If your Identify instance connects to an OIDC Identity Provider that is in fact another Identify instance running version 5.8 or below, its OIDC endpoint https://#identify_instance_domain#/runtime/oauth2/.well-known/openid-configuration is not accessible from the client side because of the CORS policy:

[Screenshot: Fetch all endpoints from URL, CORS error]

A workaround for this issue is to add the configuration block below to the Runtime's web.config of the Identify instance to which you need to connect: