System Options: External Authentication

The Statistica Enterprise Manager application is used to configure system settings for all External Authentication Setups in Data Entry. Start the application and go to System Options > External Authentication.
Option: Description
Discovery URL: The URL of an OIDC provider's discovery document, which lists metadata such as endpoints and other data.
Client Id: A credential from the OIDC provider that establishes the authorization integration.
Client Secret: Enter the client secret if available.
Redirect URL: The URL that receives responses from the OpenID Connect (OIDC) provider. This field is optional. If it is left empty, Data Entry constructs the redirect URL from the server-base URL. In addition, the user can override this URL with an entry in Data Entry's web.config if there is any potential problem in network configuration or multiple Data Entry servers.
Default Group: A group that is assigned to users in the OIDC directory if there are no permissions derived from the groups claim.
Use groups claim: Maps the value of the groups claim in an ID token to EM groups. When you select this checkbox, it overrides the Default Group.
Domain account mappings: Enable mapping to domain accounts in Enterprise. If you enable this option, Enterprise tries to map an idToken to a domain account by using the claims userName, login, sAMAccountName or objectSid. The userName and login would have to be in UPN format. The sAMAccountName would be in DOMAIN\username format. The objectSid is a Windows SID.
Use Email Addresses as Login Name: You can now use email addresses as the login names. If you enable this option, Active Directory converts the email claim to DOMAIN\username. If it is successful, the DOMAIN\username is mapped to a domain account in Enterprise. This option is used only when the claims userName, login, sAMAccountName and objectSid all fail to map to a user.
Use PKCE: Select the Use PKCE checkbox to use the PKCE security feature.
Bypass login page: Select the Bypass login page checkbox to skip the standard Data Entry login page and navigate directly to the OIDC provider login page.
Sign out on the exit: Select the Sign out on the exit checkbox to log out of the Identity Service by logging out in Web Data Entry.
Validate endpoints: Select the Validate endpoints option to enforce that the protocol endpoints are on the same DNS name as the authority.
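
The same-DNS-name check that Validate endpoints describes can be run by hand against a provider's discovery document before the option is enabled. The following is an added example, not Statistica code: the function names, the rejection of non-https URLs and the sample metadata are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Metadata fields from an OIDC discovery document that carry URLs.
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "jwks_uri", "end_session_endpoint")

def dns_name(url):
    """Return the lowercase host of an https URL, or None if it is unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None             # assumption: plain http is rejected outright
    return parts.hostname.rstrip(".")

def validate_endpoints(authority, metadata):
    """List every URL field whose host differs from the authority's host."""
    expected = dns_name(authority)
    if expected is None:
        return [f"authority is not a usable https URL: {authority!r}"]
    problems = []
    for field in URL_FIELDS:
        url = metadata.get(field)
        if url is None:
            continue            # field not advertised by this provider
        if dns_name(url) != expected:
            problems.append(f"{field}: {url!r} rejected, expected https on {expected}")
    return problems

# Constructed sample data (example.com / example.net are placeholders).
AUTHORITY = "https://login.example.com/tenant1"
GOOD_METADATA = {
    "issuer": "https://login.example.com/tenant1",
    "authorization_endpoint": "https://LOGIN.example.com/tenant1/authorize",
    "token_endpoint": "https://login.example.com:443/tenant1/token",
    "jwks_uri": "https://login.example.com/tenant1/keys",
}
BAD_METADATA = dict(
    GOOD_METADATA,
    token_endpoint="https://login.example.net/tenant1/token",  # other domain
    jwks_uri="http://login.example.com/tenant1/keys",          # not https
)

if __name__ == "__main__":
    print("good:", validate_endpoints(AUTHORITY, GOOD_METADATA))
    for problem in validate_endpoints(AUTHORITY, BAD_METADATA):
        print("bad: ", problem)
```

A provider that serves its token or key endpoints from a different host than its authority is reported by this check, so inspect the discovery document first when deciding whether the option can be enabled.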

Configuring a Data Entry Server to use OpenID Connect (OIDC)

Users can configure a Data Entry Server by adding an entry to web.config whose value is the name of the configuration. For example:

<add key="ExternalLoginConfiguration" value="Data Entry Server 1"/>

Users can also specify a configuration for obtaining electronic signatures that is separate from the one used to log in. The value should be either the name of the new configuration or, if using the Okta API to authenticate users, the value UseOktaAPI.

For example

<add key="ElectronicSignatureConfiguration" value="Data Entry Server 1 - Password only"/>

Or

<add key="ElectronicSignatureConfiguration" value="UseOktaAPI"/>

Note:

.NET 4.6.1 is required for External Authentication. To enable it, change the targetFramework attribute of the compilation element from:

<compilation debug="false" strict="false" explicit="true" targetFramework="4.0">

to

<compilation debug="false" strict="false" explicit="true" targetFramework="4.6.1">