Adding an OAuth2 Domain
You can add more than one OAuth2 domain to TDV Server, provided each of those domains has a unique name. The names “dynamic” and “composite” are reserved domain names in the TDV system.
To add an OAuth2 domain
| 1. | Launch Manager. |
| 2. | From the SECURITY tab, choose Domain Management. |
| 3. | Click Add Domain. |
| 4. | Enter the Domain Name. The domain name becomes part of the login. |
When the domain has been added, this name is displayed in the Domain Name column and is used, in lower case only, as part of the login.
| 5. | Specify the domain type as OAuth2. |
| 6. | Fill in the remaining fields of the New Domain window, described in the table below. The values for several of the fields come from the metadata your IdP publishes (its discovery document) or provides when you register TDV as a client application. Refer to TDV to IdP Field Mapping for the IdP-specific fields. |
| Field | Description |
| Domain Name | The name of the domain. |
| Domain Type | The type of the domain. Choose OAuth2 to create an OAuth2 domain. |
| Issuer Value | Identifies who issues the OAuth tokens; every token accepted by this domain must carry this value in its issuer claim. It normally matches the issuer entry in the IdP's OpenID Connect discovery document (for example, https://xyz-374535.okta.com/.well-known/openid-configuration). The issuer value must be unique across TDV domains, so you cannot create two domains with the same issuer value. This is a required field. |
| User ID Claim | Optional. Names the token claim that TDV uses as the login user name. Entering the keyword "preferred_username" lets users log in to the TDV applications (TDV Web UI, Studio and Manager) with the user name tied to their OAuth account. |
| Issuer Claim | The name of the claim that binds a token to this domain. If it is not set, "iss" is used. Set it when your IdP issues tokens that do not carry an "iss" claim, so that TDV compares the Issuer Value against the claim you name instead. |
| Validation | The method used to validate the signature on the bearer token. If set to AUTO, the sources are tried in the order JWKS, then Public Key, then Secret. JWKS: a JSON Web Key Set endpoint that publishes the authorization server's public keys; TDV uses them to verify the JSON Web Token (bearer token) the server issued. Public Key: the authorization server's public key, supplied directly in JSON Web Key (JWK) format and used for the same purpose. Secret: a secret shared with the authorization server, used when tokens are signed with an HMAC algorithm. The signature is a keyed hash computed over the token's header and payload, so a matching value proves the token was created by a holder of the secret and has not been tampered with. Because a shared secret lets anyone who can verify tokens also forge them, prefer JWKS or Public Key whenever the IdP signs tokens with an asymmetric key. |
| Claim Info | JSON: one or more claims, as name and value pairs in JSON format, against which you can assign privileges and define rules and policies for access to the published TDV resources. Multiple claims are given comma-separated, and a claim value may be an array. URL: the Claim Info endpoint, an OAuth2-protected resource on the IdP that returns claims about the authenticated end user. |
| Allow OAuth login via TDV tools | Check this option to use an OAuth login for the TDV tools (currently supported in TDV Studio, Web Manager and Web UI). If you check it, you must also provide the following properties: |
| Auth URL | The authorization endpoint URL, taken from the IdP's endpoint metadata. |
| Token URL | The token endpoint URL, taken from the IdP's endpoint metadata. |
| Client Secret | The client secret issued by your Identity Provider when TDV was registered as an application. Contact your organization's administrator to obtain it, and treat it like a password. |
| Client ID | The client ID issued by your Identity Provider when TDV was registered as an application. Contact your organization's administrator to obtain it. |
| Audience Url | The audience URL, provided by your Identity Provider (Auth0, for example, provides one). |
| Scope | The authorization scope, which is typically limited to the protected resources under the control of the client or as arranged with the authorization server (IdP); a limited scope is required for an authorization grant. Format: one or more strings separated by spaces. Scopes are defined in the IdP when the application (TDV) is registered, usually by your organization's administrator. TDV requires the "openid" scope at minimum, and "openid" is the default when the scope field is left empty in the TDV domain configuration. |
| Annotation | An optional description of the domain. |
| 7. | Click OK. |
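To make the Issuer Value, Issuer Claim, User ID Claim, Validation order and Claim Info settings concrete, the following is an added example of what such a domain has to check on each bearer token. It is illustrative code written for this page, not TDV's implementation: the dictionary field names, the keys, the sample claims and the Claim Info matching rule are all assumptions. It uses only the Python standard library, so it covers HMAC (HS256) tokens verified against an "oct" key from a JWKS and against the Secret; verifying an RSA or EC Public Key would need a crypto library and is deliberately not modelled.

```python
# Added example: a stdlib-only model of the checks an OAuth2 domain applies to a bearer token.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenRejected(Exception):
    """Raised when a bearer token fails any of the domain's checks."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed keys for the example only; a real IdP generates and publishes its own.
JWKS_KEY = b"jwks-oct-key-for-the-example-only-32b"
SECRET = "shared-secret-for-the-example-only"

# Domain configuration mirroring the New Domain fields (dictionary keys are this example's own).
DOMAIN = {
    "issuer_value": "https://xyz-374535.okta.com",  # issuer from the page's example discovery URL
    "issuer_claim": "",                             # empty means "iss", as the page describes
    "user_id_claim": "preferred_username",
    "validation": "AUTO",                           # JWKS, then Public Key, then Secret
    "jwks": {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(JWKS_KEY)}]},
    "public_key": None,                             # RSA/EC keys need a crypto library; not modelled
    "secret": SECRET,
    "claim_info": {"groups": ["tdv-admins", "tdv-users"], "org": "acme"},
}


def mint_hs256(claims: dict, key: bytes, kid: Optional[str] = None) -> str:
    """Issue an HS256 JWT; stands in for the IdP so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid:
        header["kid"] = kid
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def candidate_keys(header: dict, domain: dict):
    """Yield (source, key) pairs in the order the Validation field prescribes."""
    order = ["jwks", "public_key", "secret"] if domain["validation"] == "AUTO" else [domain["validation"].lower()]
    for source in order:
        if source == "jwks" and domain.get("jwks"):
            for jwk in domain["jwks"]["keys"]:
                # Honour the token's kid when present; only symmetric (oct) keys fit HS256.
                if jwk.get("kty") == "oct" and header.get("kid") in (None, jwk.get("kid")):
                    yield "JWKS", b64url_decode(jwk["k"])
        elif source == "secret" and domain.get("secret"):
            yield "Secret", domain["secret"].encode()
        # "public_key" (RSA/EC) is skipped here: verifying it needs a library such as cryptography.


def verify_token(token: str, domain: dict, now: Optional[float] = None) -> dict:
    """Validate signature, issuer and expiry; return the login user and the verified claims."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
    except ValueError as exc:
        raise TokenRejected(f"malformed token: {exc}")
    # Pin the algorithm: "none" and algorithm-confusion tokens are rejected before any key is tried.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{h64}.{p64}".encode()
    presented = b64url_decode(s64)
    for source, key in candidate_keys(header, domain):
        if hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), presented):
            break
    else:
        raise TokenRejected("signature did not verify against JWKS or Secret")
    # Issuer Claim: the claim that binds the token to this domain, "iss" unless configured otherwise.
    issuer_claim = domain.get("issuer_claim") or "iss"
    if payload.get(issuer_claim) != domain["issuer_value"]:
        raise TokenRejected(f"{issuer_claim} does not match the domain's Issuer Value")
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise TokenRejected("token has expired")
    # User ID Claim: which claim becomes the TDV login name ("sub" is this example's fallback).
    user = payload.get(domain.get("user_id_claim") or "sub")
    if not user:
        raise TokenRejected("token carries no usable user identifier")
    return {"user": user, "verified_by": source, "claims": payload}


def rejects(token: str, domain: dict, now: float) -> bool:
    """True if verify_token refuses the token (convenience for callers and tests)."""
    try:
        verify_token(token, domain, now=now)
        return False
    except TokenRejected:
        return True


def claims_match(payload: dict, claim_info: dict) -> bool:
    """Claim Info as an access rule: every configured claim must be present, and an array value
    (in the rule or in the token) matches when any element overlaps. This matching rule is the
    example's assumption, not documented TDV behaviour."""
    for name, wanted in claim_info.items():
        actual = payload.get(name)
        actual_set = set(actual) if isinstance(actual, list) else {actual}
        wanted_set = set(wanted) if isinstance(wanted, list) else {wanted}
        if not actual_set & wanted_set:
            return False
    return True


if __name__ == "__main__":
    sample = {"iss": DOMAIN["issuer_value"], "preferred_username": "alice", "sub": "00u1",
              "groups": ["tdv-users"], "org": "acme", "exp": 2_000_000_000}
    result = verify_token(mint_hs256(sample, JWKS_KEY, kid="k1"), DOMAIN, now=1_700_000_000)
    print(result["user"], "via", result["verified_by"], "authorized:", claims_match(result["claims"], DOMAIN["claim_info"]))
```

The token minted with the JWKS key and a matching kid verifies through the JWKS source; the same claims signed with the Secret fall through to the Secret source, which is the AUTO order the Validation field describes. A token whose issuer does not equal the Issuer Value, an expired token, an unsigned "alg": "none" token, and a token signed with an unknown key are all rejected before any user name is extracted. Setting "issuer_claim" to another name makes the domain accept tokens that carry no "iss" claim at all, which is the case the Issuer Claim field exists for.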