config-oidc

Configures authentication using OpenID Connect.

config-oidc 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
[-e <true|false> | --enabled=<true|false>] 
[-s | --set-provider] 
[-r | --remove-provider] 
[-n value | --provider-name=value] 
[--provider-enabled=<true|false>] 
[--provider-discovery-url=value] 
[--provider-client-id=value] 
[--provider-client-secret=value] 
[--provider-domain-name=value] 
[--provider-username-claim=value] 
[--provider-id-token-signing-alg=value] 
[--provider-id-token-signature-verification-disabled=<true|false>] 
[--provider-token-endpoint-auth-method=value] 
{-Svalue} 
[--provider-auth-request-prompt-value=value] 
[--provider-bg-color=value] 

Overview

Use this command to configure authentication against one or more external providers using OpenID Connect. Authentication using OpenID Connect may be combined with username/password-based authentication and/or custom web authentication.

Options

-c value
--configuration=value
Optional or Required: Optional
Default Value: configuration.xml
Description: The path to the server configuration file.

-b value
--bootstrap-config=value
Optional or Required: Optional
Default Value: none
Description: The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.

-e <true|false>
--enabled=<true|false>
Optional or Required: Optional
Default Value: true
Description: Specifies whether OpenID Connect should be enabled.

-s
--set-provider
Optional or Required: Optional
Default Value: none
Description: Indicates that a provider configuration should be set (will replace the configuration for any existing provider with the same name). Cannot be specified together with --remove-provider.

-r
--remove-provider
Optional or Required: Optional
Default Value: none
Description: Indicates that a provider configuration should be removed. Cannot be specified together with --set-provider.

-n value
--provider-name=value
Optional or Required: This argument is optional unless either --set-provider or --remove-provider has been specified.
Default Value: none
Description: The name of the provider to set or remove. Normally displayed to end users on the login page.

--provider-enabled=<true|false>
Optional or Required: This argument is optional unless --set-provider has been specified.
Default Value: true
Description: Specifies whether the provider should be enabled.

--provider-discovery-url=value
Optional or Required: This argument is optional unless --set-provider has been specified.
Default Value: none
Description: The URL to the provider's OpenID Connect Discovery document.

--provider-client-id=value
Optional or Required: This argument is optional unless --set-provider has been specified.
Default Value: false
Description: The client ID given by the provider during registration.

--provider-client-secret=value
Optional or Required: This argument is optional unless --set-provider has been specified.
Default Value: none
Description: The client secret given by the provider during registration.

--provider-domain-name=value
Optional or Required: Optional
Default Value: By default the value of the 'issuer' claim is used.
Description: The domain name to assign to the authenticated users.

--provider-username-claim=value
Optional or Required: Optional
Default Value: sub
Description: The name of the claim to use as username for the authenticated users. May for example be 'email', but note that only 'sub' is guaranteed to be a unique and stable identifier.

--provider-id-token-signing-alg=value
Optional or Required: Optional
Default Value: By default all algorithms listed as supported in the Discovery Document will be accepted.
Description: The ID token signature algorithm to expect.

--provider-id-token-signature-verification-disabled=<true|false>
Optional or Required: Optional
Default Value: false
Description: Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens.

--provider-token-endpoint-auth-method=value
Optional or Required: Optional
Default Value: By default one of the algorithms listed as supported in the Discovery Document will be used.
Description: The authentication method to use when communicating with the provider's Token Endpoint. May be one of 'client_secret_basic', 'client_secret_post' and 'client_secret_jwt' ('private_key_jwt' is not supported).

-Svalue
Optional or Required: Optional
Default Value: openid, profile, email
Description: A scope to include in the authentication request (besides 'openid' that will always be included). This argument may be specified multiple times with different values.

--provider-auth-request-prompt-value=value
Optional or Required: Optional
Default Value: By default the parameter will be omitted from the request.
Description: The value to give the 'prompt' request parameter when making the authentication request. Controls how the provider prompts the end user. May be one of 'none', 'login', 'consent', or 'select_account'.

--provider-bg-color=value
Optional or Required: Optional
Default Value: none
Description: The normal background color of the provider's button on the login page (when applicable), as a hexadecimal color value.
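
The following pre-flight check is an added example, not part of this documentation or the vendor's code. It compares a provider's Discovery document with the values planned for the signing algorithm, signature verification, Token Endpoint authentication method and username claim options described above. The function name, finding texts and sample document are constructed for illustration; the Discovery field names are those defined by the OpenID Connect Discovery specification.

```python
# Added example (not vendor code): check a Discovery document against planned
# config-oidc values. Names are hypothetical; the sample document is constructed.

# Token Endpoint auth methods the page lists as usable ('private_key_jwt' is not supported).
USABLE_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}

def preflight(discovery, signing_alg=None, auth_method=None,
              username_claim="sub", verification_disabled=False):
    """Return a list of (option, finding) tuples; an empty list means no concerns."""
    findings = []
    algs = discovery.get("id_token_signing_alg_values_supported", [])
    # OIDC Discovery: when this field is absent the default is client_secret_basic.
    methods = set(discovery.get("token_endpoint_auth_methods_supported",
                                ["client_secret_basic"]))
    signed = [a for a in algs if a != "none"]
    usable = methods & USABLE_AUTH_METHODS
    if not discovery.get("issuer", "").startswith("https://"):
        findings.append(("--provider-discovery-url", "issuer is not an https URL"))
    if signing_alg is None and "none" in algs:
        findings.append(("--provider-id-token-signing-alg",
                         "provider lists 'none'; pin one of %s" % signed))
    if signing_alg is not None and signing_alg not in signed:
        findings.append(("--provider-id-token-signing-alg",
                         "%r is not a signed algorithm the provider lists" % signing_alg))
    if verification_disabled and signed:
        findings.append(("--provider-id-token-signature-verification-disabled",
                         "provider signs ID tokens; keep verification on"))
    if auth_method is None and not usable:
        findings.append(("--provider-token-endpoint-auth-method",
                         "provider offers no usable method: %s" % sorted(methods)))
    if auth_method is not None and auth_method not in usable:
        findings.append(("--provider-token-endpoint-auth-method",
                         "%r is not both usable and offered" % auth_method))
    if username_claim != "sub":
        findings.append(("--provider-username-claim",
                         "%r may not be unique and stable; only 'sub' is" % username_claim))
    return findings

# Constructed sample Discovery document (not from a real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "id_token_signing_alg_values_supported": ["RS256", "none"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
}

if __name__ == "__main__":
    for option, finding in preflight(SAMPLE_DISCOVERY, username_claim="email"):
        print(option + ": " + finding)
```

An empty result for the planned values means none of these checks found a mismatch between the Discovery document and the options to be passed with --set-provider.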