config-oidc
Configures authentication using OpenID Connect.
config-oidc
[-c value | --configuration=value]
[-b value | --bootstrap-config=value]
[-e <true|false> | --enabled=<true|false>]
[--third-party-login-init-enabled=<true|false>]
[--rp-initiated-logout-enabled=<true|false>]
[--back-channel-logout-enabled=<true|false>]
[--front-channel-logout-enabled=<true|false>]
[--front-channel-logout-session-required=<true|false>]
[-s | --set-provider]
[-r | --remove-provider]
[-n value | --provider-name=value]
[--provider-enabled=<true|false>]
[--provider-discovery-url=value]
[--provider-client-id=value]
[--provider-client-secret=value]
[--provider-domain-option=value]
[--provider-domain-name=value]
[--provider-username-claim=value]
[--provider-display-name-claim=value]
[--provider-email-claim=value]
[--provider-domain-claim=value]
[--provider-id-token-signing-alg=value]
[--provider-id-token-signature-verification-disabled=<true|false>]
[--provider-token-endpoint-auth-method=value]
{-Svalue}
[--provider-auth-request-prompt-value=value]
[--provider-clear-custom-params]
{-Pkey=value}
[--provider-bg-color=value]
Overview
Use this command to configure authentication against one or more external providers using OpenID Connect. Authentication using OpenID Connect may be combined with username/password-based authentication and/or custom web authentication.
Options
Option | Optional or Required | Default Value | Description |
---|---|---|---|
|
Optional | configuration.xml | The path to the server configuration file. |
|
Optional | none | The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file. |
|
Optional | true | Specifies whether OpenID Connect should be enabled. |
|
Optional | true | Specifies whether Third Party Login Initiation should be enabled. |
|
Optional | false | Specifies whether RP-Initiated
Logout should be enabled. If enabled, then web users logging out from Spotfire
are also logged out from the provider (if the provider supports it). Note: The End-Session Post Logout Redirect URI must be registered with the
provider to use this feature.
|
|
Optional | false |
Specifies whether Back-Channel Logout should be enabled. If enabled, then users logging out from the provider can also be logged out from Spotfire (if the provider supports it). |
|
Optional | false |
Specifies whether Front-Channel Logout should be enabled. If enabled, then web users logging out from the provider can also be logged out from Spotfire (if the provider supports it). |
|
Optional | true |
Specifies whether the 'iss' (issuer) and 'sid' (session ID) query parameters must be included in Front-Channel Logout requests. |
|
Optional | none | Indicates that a provider configuration
should be set (replaces the configuration for any existing provider with the
same name). Cannot be specified together with
--remove-provider .
|
|
Optional | none | Indicates that a provider configuration
should be removed. Cannot be specified together with
--set-provider .
|
|
This argument is optional unless either
--set-provider or
--remove-provider has been specified.
|
none | The name of the provider to set or remove. Normally displayed to end users on the login page. |
|
This argument is optional unless
--set-provider has been specified.
|
true | Specifies whether the provider should be enabled. |
|
This argument is optional unless
--set-provider has been specified.
|
none | The URL to the provider's OpenID Connect Discovery document. |
|
This argument is optional unless
--set-provider has been specified.
|
none | The client ID given by the provider during registration. |
|
This argument is optional unless
--set-provider has been specified.
|
none | The client secret given by the provider during registration. |
|
Optional | use_domain_claim | The way the domain of authenticated users
will be established. Can be one of the following.
|
|
This argument is optional unless the value
of the
--provider-domain-option is
'use_static_domain'.
|
By default the value of the 'issuer' claim is used. | The domain name to assign to the authenticated users. |
|
Optional | sub | The name of the claim to use as username
for the authenticated users. Can be
email , for example. The name of the claim is
case sensitive.
Note: Only
sub is guaranteed to be a unique and stable
identifier.
|
|
Optional | name | The name of the claim to use as the display name for the authenticated users. The name of the claim is case sensitive. |
|
Optional | By default, all algorithms listed as supported in the Discovery Document will be accepted. | The name of the claim to use as email address for the authenticated users. The name of the claim is case sensitive. |
| Optional | 'iss' | The name of the claim to use as the domain name for the authenticated users. The name of the claim is case-sensitive. Can be specified only if the value of the --provider-domain-option is 'use_domain_claim' . |
|
Optional | sub | The name of the claim to use as username
for the authenticated users. Can be
email , for example.
Note: Only
sub is guaranteed to be a unique and stable
identifier.
|
|
Optional | By default, all algorithms listed as supported in the Discovery Document will be accepted. | The ID token signature algorithm to expect. |
|
Optional | false | Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens. |
|
Optional | By default one of the algorithms listed as supported in the Discovery Document will be used. | The authentication method to use when
communicating with the provider's Token Endpoint. Can be one of the following.
private_key_jwt is not supported.
|
|
Optional | openid ,
profile ,
email
|
A scope to include in the authentication
request (besides
openid , which is always included). This
argument can be specified multiple times with different values.
|
|
Optional | By default, the parameter is omitted from the request. | The value to give the
prompt request parameter when making the
authentication request. Controls how the provider prompts the end user. Can be
one of the following.
The value |
|
Optional | none | Custom parameters are cleared from the
provider configuration. This flag can be used together with the
-Pkey flag to remove all old custom parameters
before adding the new.
|
|
Optional | none | A custom parameter included in the
authentication request. Must not be any of the parameters controlled through
other settings (such as
scope or
prompt ). Can be specified multiple times with
different keys.
|
|
Optional | none | The background color of the provider's button on the login page (when applicable), as a hexadecimal color value. |