TIBCO Spotfire® Server and Environment - Installation and Administration

config-oidc

Configures authentication using OpenID Connect.

config-oidc 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
[-e <true|false> | --enabled=<true|false>]
[--third-party-login-init-enabled=<true|false>]
[-s | --set-provider] 
[-r | --remove-provider] 
[-n value | --provider-name=value] 
[--provider-enabled=<true|false>] 
[--provider-discovery-url=value] 
[--provider-client-id=value] 
[--provider-client-secret=value] 
[--provider-domain-option=value] 
[--provider-domain-name=value] 
[--provider-username-claim=value] 
[--provider-display-name-claim=value] 
[--provider-email-claim=value] 
[--provider-domain-claim=value] 
[--provider-id-token-signing-alg=value] 
[--provider-id-token-signature-verification-disabled=<true|false>] 
[--provider-token-endpoint-auth-method=value] 
{-Svalue} 
[--provider-auth-request-prompt-value=value] 
[--provider-clear-custom-params] 
{-Pkey=value} 
[--provider-bg-color=value] 

Overview

Use this command to configure authentication against one or more external providers using OpenID Connect. Authentication using OpenID Connect may be combined with username/password-based authentication and/or custom web authentication.

Options

Option Optional or Required Default Value Description
-c value
--configuration=value
Optional configuration.xml The path to the server configuration file.
-b value
--bootstrap-config=value
Optional none The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.
-e <true|false>
--enabled=<true|false>
Optional true Specifies whether OpenID Connect should be enabled.
-s 
--set-provider
Optional none Indicates that a provider configuration should be set (replaces the configuration for any existing provider with the same name). Cannot be specified together with --remove-provider.
--third-party-login-init-enabled=<true|false>
Optional true Specifies whether Third Party Login Initiation should be enabled.
-r
--remove-provider
Optional none Indicates that a provider configuration should be removed. Cannot be specified together with --set-provider.
-n value
--provider-name=value
This argument is optional unless either --set-provider or --remove-provider has been specified. none The name of the provider to set or remove. Normally displayed to end users on the login page.
--provider-enabled=<true|false>
This argument is optional unless --set-provider has been specified. true Specifies whether the provider should be enabled.
--provider-discovery-url=value
This argument is optional unless --set-provider has been specified. none The URL to the provider's OpenID Connect Discovery document.
--provider-client-id=value
This argument is optional unless --set-provider has been specified. none The client ID given by the provider during registration.
--provider-client-secret=value
This argument is optional unless --set-provider has been specified. none The client secret given by the provider during registration.
--provider-domain-option=value
Optional use_domain_claim The way the domain of authenticated users will be established. Can be one of the following.
  • use_domain_claim
  • use_static_domain
  • parse_username_claim
--provider-domain-name=value
This argument is optional unless the value of the --provider-domain-option is 'use_static_domain'. By default the value of the 'issuer' claim is used. The domain name to assign to the authenticated users.
--provider-username-claim=value
Optional sub The name of the claim to use as username for the authenticated users. Can be email, for example. The name of the claim is case sensitive.
Note: Only sub is guaranteed to be a unique and stable identifier.
--provider-display-name-claim=value
Optional name The name of the claim to use as the display name for the authenticated users. The name of the claim is case sensitive.
--provider-email-claim=value
Optional By default, all algorithms listed as supported in the Discovery Document will be accepted. The name of the claim to use as email address for the authenticated users. The name of the claim is case sensitive.
--provider-username-claim=value
Optional sub The name of the claim to use as username for the authenticated users. Can be email, for example.
Note: Only sub is guaranteed to be a unique and stable identifier.
--provider-id-token-signing-alg=value
Optional By default, all algorithms listed as supported in the Discovery Document will be accepted. The ID token signature algorithm to expect.
--provider-id-token-signature-verification-disabled=<true|false>
Optional false Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens.
--provider-token-endpoint-auth-method=value
Optional By default one of the algorithms listed as supported in the Discovery Document will be used. The authentication method to use when communicating with the provider's Token Endpoint. Can be one of the following.
  • client_secret_basic
  • client_secret_post
  • client_secret_jwt
private_key_jwt is not supported.
-Svalue
Optional openid, profile, email A scope to include in the authentication request (besides openid, that is always included). This argument can be specified multiple times with different values.
--provider-auth-request-prompt-value=value
Optional By default the parameter will be omitted from the request. The value to give the prompt request parameter when making the authentication request. Controls how the provider prompts the end user. May be one of the following.
  • none
  • login
  • consent
  • select_account
--provider-clear-custom-params
Optional none Custom parameters are cleared from the provider configuration. This flag can be used together with the -Pkey flag to remove all old custom parameters before adding the new.
-Pkey=value
Optional none A custom parameter included in the authentication request. Must not be any of the parameters controlled through other settings (such as scope or prompt). Can be specified multiple times with different keys.
--provider-bg-color=value
Optional none The background color of the provider's button on the login page (when applicable), as a hexadecimal color value.