Generic OpenID Connect (OIDC) Identity Provider
The generic OIDC Identity Provider allows you to connect to any OIDC-compliant Identity Provider. To create a generic OIDC Identity Provider, you can access the Identity provider list on the Safewhere Admin portal and choose the Enterprise category.
Choose Generic OIDC provider.
Configuration
After saving the new connection, access its Connection tab and update its settings.
- Client ID (App ID): The client ID that is provided by the Identity Provider that you want to connect to.
- Client secret: The client secret that is provided by the Identity Provider that you want to connect to.
You can either enter all endpoints manually or enter the provider's /.well-known/openid-configuration metadata endpoint in the Fetch all endpoints from URL setting and click the icon on the right to have all endpoints filled in automatically.
You can also access the Permission tab to customize required permissions as well as additional permissions. The default value of the Required permissions setting is openid.
Use PKCE: When enabled, the PKCE flow, which provides enhanced security, is used and includes the following:
- The authorization request from Safewhere Identify to the upstream Identity Provider now includes the code_challenge and code_challenge_method parameters.
- The code_challenge_method parameter uses the S256 method.
- After receiving the authorization code, the token request from Safewhere Identify to the Identity Provider contains the code_verifier parameter.
Note that this setting is also available for all other OAuth providers.
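The PKCE exchange described above, as an added worked example (not Safewhere's own code): the client side derives code_challenge from a random code_verifier with S256, sends it in the authorization request, and later sends the verifier in the token request; the provider side recomputes the hash and compares. Endpoint URLs, client ID and secret are placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 unreserved characters, inside the 43..128 length range.
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, verifier):
    """Authorization request sent by the relying party to the upstream provider."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(client_id, client_secret, code, redirect_uri, verifier):
    """Token request body: the plain verifier is disclosed only now, over the back channel."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


def provider_accepts_token_request(stored_challenge, stored_method, token_request):
    """What the provider checks: the verifier must hash to the challenge bound to the code."""
    if stored_method != "S256":
        return False
    verifier = token_request.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)
```

A stolen authorization code is useless to an attacker who does not also hold the verifier, which is the property PKCE adds on top of the client secret.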
Known issues
If your Identify instance connects to an OIDC Identity Provider that is itself another Identify instance running version 5.8 or below, that instance's OIDC metadata endpoint https://#identify_instance_domain#/runtime/oauth2/.well-known/openid-configuration is not accessible from the browser due to the CORS policy.
A workaround for this issue is to add the following configuration block to the web.config of the Runtime on the Identify instance to which you need to connect:
<location path="oauth2/.well-known/openid-configuration">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>