
    Generic OpenID Connect (OIDC) Identity Provider

    The generic OIDC Identity Provider allows you to connect to any OIDC-compliant Identity Provider. To create a generic OIDC Identity Provider, you can access the Identity provider list on the Safewhere Admin portal and choose the Enterprise category.

    create-a-new-generic-oidc-provider-select-category.png

    Choose Generic OIDC provider.

    create-a-new-generic-oidc-provider-select-connection.png

    Configuration

    After saving the new connection, access its Connection tab and update its settings.

    create-a-new-generic-oidc-provider-connection-connection-tab.png

    • Client ID (App ID): The client ID that is provided by the Identity Provider that you want to connect to.
    • Client secret: The client secret that is provided by the Identity Provider that you want to connect to.

    You can either enter all endpoints manually or paste the provider's /.well-known/openid-configuration metadata URL into the Fetch all endpoints from URL setting and click the icon on its right to have all endpoints filled in automatically.

    create-a-new-generic-oidc-provider-connection-connection-tab-fetch.png

    The Issuer setting is required: Identify validates the issuer of what it receives during login and logout against it. If the Fetch all endpoints from URL field contains a valid OIDC well-known configuration URL, however, Identify uses that configuration for token validation and ignores the Issuer setting.

    The User Information URL setting is optional. If it is provided, Identify calls this endpoint to retrieve user details and builds the identity from them. If it is not configured, Identify builds the user identity from the ID token returned by the provider.
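    The two settings above, fetching endpoints from the metadata URL and validating the issuer, can be illustrated with a small parser. The block below is an added example and not Safewhere's code: it embeds a constructed discovery document (the host idp.example.test is a placeholder), builds the well-known URL from an issuer, refuses a document whose issuer does not match the one it was fetched for, requires https endpoints, and maps the optional userinfo_endpoint onto a User Information URL that is None when absent.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/openid-configuration"

# Constructed sample discovery document. The host idp.example.test is a
# placeholder; the field names are the standard OIDC Discovery ones.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test/runtime/oauth2",
  "authorization_endpoint": "https://idp.example.test/runtime/oauth2/authorize",
  "token_endpoint": "https://idp.example.test/runtime/oauth2/token",
  "userinfo_endpoint": "https://idp.example.test/runtime/oauth2/userinfo",
  "jwks_uri": "https://idp.example.test/runtime/oauth2/jwks",
  "end_session_endpoint": "https://idp.example.test/runtime/oauth2/logout",
  "code_challenge_methods_supported": ["S256", "plain"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# Fields without which the connection cannot work; userinfo_endpoint is optional.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def well_known_url(issuer: str) -> str:
    """Discovery URL for an issuer: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + WELL_KNOWN_PATH


def parse_discovery(raw_json: str, expected_issuer: str) -> dict:
    """Validate a discovery document and map it onto connection settings.

    Raises ValueError when the document is unusable or its issuer does not
    match the issuer the document was fetched for.
    """
    doc = json.loads(raw_json)
    missing = [name for name in REQUIRED_FIELDS if name not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    # The issuer in the document must be the one the URL was built from;
    # otherwise tokens from a different issuer would pass issuer validation.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(
            f"issuer mismatch: document says {doc['issuer']!r}, "
            f"expected {expected_issuer!r}")
    # Every endpoint must be https so codes and tokens never travel in clear.
    for name, value in doc.items():
        if name.endswith(("_endpoint", "_uri")) and urlparse(value).scheme != "https":
            raise ValueError(f"{name} must be an https URL, got {value!r}")
    return {
        "issuer": doc["issuer"],
        "authorization_url": doc["authorization_endpoint"],
        "token_url": doc["token_endpoint"],
        "jwks_url": doc["jwks_uri"],
        "user_information_url": doc.get("userinfo_endpoint"),  # None: identity comes from the ID token
        "end_session_url": doc.get("end_session_endpoint"),
        "pkce_methods": tuple(doc.get("code_challenge_methods_supported", ())),
    }


def discovery_accepted(raw_json: str, expected_issuer: str) -> bool:
    """True when parse_discovery would accept the document for this issuer."""
    try:
        parse_discovery(raw_json, expected_issuer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    settings = parse_discovery(SAMPLE_DISCOVERY_JSON, "https://idp.example.test/runtime/oauth2")
    for key, value in settings.items():
        print(f"{key}: {value}")
```

    The issuer comparison is the check that matters: a metadata document that names a different issuer than the one it was fetched for must not be used to fill in endpoints, or the issuer validation performed on tokens later would be validating against the wrong value.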

    Use PKCE: When enabled, the PKCE flow, which provides enhanced security, is used and includes the following:

    • The authorization request from Safewhere Identify to the upstream Identity Provider includes the code_challenge and code_challenge_method parameters.
    • The code_challenge_method parameter is configurable and can be set to either the S256 or the plain method.
    • After receiving the authorization code, Safewhere Identify sends a token request to the Identity Provider with the code_verifier parameter. The length of the code_verifier is configurable and must be between 43 and 128 characters.

    use-pkce.png

    Note that this setting is also available for all other OAuth providers.
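    The three PKCE steps above, as an added worked example that is not Identify's code and not the upstream provider's: it generates a code_verifier of a configurable length within the 43..128 range, derives the code_challenge with either S256 or plain, puts both parameters on the authorization request, and models the provider's side with a constructed in-memory stand-in that binds the challenge to the issued code and checks the code_verifier on the token request. The client id, redirect URI and host names are placeholders.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Characters a code_verifier may contain (RFC 7636, section 4.1).
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Random code_verifier of the requested length (43..128 characters)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge for a verifier: plain echoes it, S256 hashes it."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(authorize_url, client_id, redirect_uri, state, challenge, method) -> str:
    """Authorization request carrying code_challenge and code_challenge_method."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state,
        "code_challenge": challenge, "code_challenge_method": method,
    }
    return f"{authorize_url}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Constructed stand-in for the upstream IdP's side of PKCE (not a real provider)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Record the challenge and hand back a fresh authorization code."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """True only if the verifier matches the challenge bound to this code."""
        entry = self._pending.pop(code, None)  # a code is single use, even on failure
        if entry is None or not 43 <= len(code_verifier) <= 128:
            return False
        challenge, method = entry
        return secrets.compare_digest(make_code_challenge(code_verifier, method), challenge)


def run_pkce_exchange(method: str = "S256", verifier_length: int = 64) -> bool:
    """Full round trip: verifier -> challenge -> authorization code -> token request."""
    idp = ToyAuthorizationServer()
    verifier = make_code_verifier(verifier_length)
    challenge = make_code_challenge(verifier, method)
    url = build_authorization_url("https://idp.example.test/authorize", "my-client-id",
                                  "https://identify.example.test/runtime/callback",
                                  secrets.token_urlsafe(16), challenge, method)
    assert "code_challenge_method=" + method in url
    code = idp.authorize(challenge, method)  # what the IdP records on the redirect
    return idp.token(code, verifier)         # token request carrying code_verifier


if __name__ == "__main__":
    print("S256 exchange ok:", run_pkce_exchange("S256"))
    print("plain exchange ok:", run_pkce_exchange("plain", 128))
```

    The design point worth noticing is on the server side: a code is removed from the pending table on its first use whether or not the verifier matched, so a wrong verifier cannot be retried against the same code, and S256 means the value that crossed the browser (the challenge) does not reveal the value needed at the token endpoint (the verifier).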

    JWS algorithm: When set to None, Identify skips signature validation and processes the received ID token without verifying its signature.

    jws-algorithm.png
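    What signature validation adds, and what the None setting gives up, is easiest to see side by side. The block below is an added example and not Identify's code: it mints a constructed HS256 ID token (OIDC allows HS256 keyed with the client secret, which keeps the example in the standard library), validates it with the algorithm pinned to HS256, and then runs the same validation with configured_alg set to "None", which only checks the issuer, audience and expiry claims. The issuer, client id, secret and clock value are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

SAMPLE_ISSUER = "https://idp.example.test/runtime/oauth2"        # constructed
SAMPLE_CLIENT_ID = "identify-client"                             # constructed
SAMPLE_CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # constructed
SAMPLE_NOW = 1_700_000_000                                        # fixed clock for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Build an HS256-signed ID token; used only to construct sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, client_secret, configured_alg, expected_issuer, client_id, now) -> dict:
    """Return the claims if the token passes the checks for configured_alg.

    configured_alg mirrors the JWS algorithm setting: "HS256" verifies the
    signature with the client secret; "None" skips signature validation
    entirely, so only the issuer, audience and expiry claims are checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if configured_alg == "HS256":
        # Pin the algorithm: the header is untrusted input until the signature verifies.
        if header.get("alg") != "HS256":
            raise ValueError(f"expected alg HS256, token says {header.get('alg')!r}")
        expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("ID token signature does not verify")
    elif configured_alg != "None":
        raise ValueError(f"unsupported JWS algorithm setting {configured_alg!r}")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    return claims


def with_subject_replaced(token: str, new_sub: str) -> str:
    """Same header and signature, different sub claim: the negative test case for the verifier."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def accepted_subject(token: str, configured_alg: str):
    """Subject the token is accepted for under configured_alg, or None when it is rejected."""
    try:
        return validate_id_token(token, SAMPLE_CLIENT_SECRET, configured_alg,
                                 SAMPLE_ISSUER, SAMPLE_CLIENT_ID, SAMPLE_NOW)["sub"]
    except ValueError:
        return None


SAMPLE_ID_TOKEN = mint_id_token(
    {"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "alice",
     "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 300},
    SAMPLE_CLIENT_SECRET)

if __name__ == "__main__":
    altered = with_subject_replaced(SAMPLE_ID_TOKEN, "bob")
    print("HS256, original:", accepted_subject(SAMPLE_ID_TOKEN, "HS256"))
    print("HS256, altered :", accepted_subject(altered, "HS256"))
    print("None,  altered :", accepted_subject(altered, "None"))
```

    With the algorithm pinned, a token whose payload no longer matches its signature is rejected; with None configured, the same token is accepted and the identity is built from whatever the payload says, which is exactly the behaviour the setting describes. Expiry and audience checks still run in both modes, but they do not establish who signed the token.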

    You can also access the Permission tab to customize required permissions as well as additional permissions. The default value of the Required permissions setting is openid.

    create-a-new-generic-oidc-provider-connection-permissions-tab.png

    Known issues

    If the OIDC Identity Provider your Identify instance connects to is itself an Identify instance running version 5.8 or below, its metadata endpoint https://#identify_instance_domain#/runtime/oauth2/.well-known/openid-configuration cannot be fetched from the browser because of the CORS policy, so the Fetch all endpoints from URL action fails.

    create-a-new-generic-oidc-provider-fetch-know-issues.png

    A workaround is to add the following block to the Runtime's web.config on the Identify instance you are connecting to. It adds an Access-Control-Allow-Origin header to responses for the metadata document only; the discovery document is public metadata, so a wildcard origin for that path does not expose anything that was not already readable.

    <location path="oauth2/.well-known/openid-configuration">
        <system.webServer>
            <httpProtocol>
                <customHeaders>
                    <add name="Access-Control-Allow-Origin" value="*" />
                </customHeaders>
            </httpProtocol>
        </system.webServer>
    </location>