Configuring HxGN EAM application with OpenID Connect details of AD FS - HxGN EAM - 12.0.1 - Feature Briefs - Hexagon

HxGN EAM OpenID Connect


The EAM application must be configured with the metadata of the OpenID Connect client and with the names of the claims carried in the ID token that AD FS issues. To do this, update the values of the following fields on the SSO Configuration screen of the EAM application. This section assumes the OpenID Connect client has already been configured in AD FS as described in the previous sections.

  1. From the AD FS Management console, navigate to AD FS > Service > Endpoints.

  2. Scroll down and select the OpenID Connect Discovery endpoint; note its URL path.

  3. Open a browser and access the following URL:

    <protocol>://<AD FS server host name>/<OpenID Connect Discovery endpoint path obtained in the previous step> (example: https://adfsserver.com/adfs/.well-known/openid-configuration).

  4. The browser displays the OpenID Connect metadata as a JSON document.

  5. From the metadata displayed:

    1. Copy the value of issuer and set it as the value of the Issuer field on the SSO Configuration screen of the EAM application. Copy it exactly as shown: the iss claim of every ID token is compared with this value as a string.

    2. Copy the value of jwks_uri and set it as the value of the JWKS URI field on the SSO Configuration screen of the EAM application. This is the URL from which the signing keys used to verify the ID token signature are retrieved.

  6. From the section on configuring an OpenID Connect confidential or public client in AD FS, copy the client ID that AD FS generated automatically and set it as the value of the Client ID field on the SSO Configuration screen of the EAM application.

  7. Set the following fields on the SSO Configuration screen of the EAM application to map the claim names present in the ID token to the fields EAM reads. The mapping assumes that the custom claims have been configured as described in the Configuring custom claims for the OpenID Connect client in AD FS section for the Confidential client.

    Confidential Client:

    Field Name on the SSO Configuration Screen   Field Value
    Identity Claim                               unique_name
    UPN Claim                                    upn
    Tenant Claim                                 http://schemas.hexagon.com/claims/Tenant
    Role Claim                                   http://schemas.hexagon.com/claims/SecurityRole
    Email Claim                                  email
    User Description Claim                       commonname

    Public Client:

    Field Name on the SSO Configuration Screen   Field Value
    Identity Claim                               unique_name
    UPN Claim                                    upn

  8. The Issuer, Client ID, and JWKS URI fields on the SSO Configuration screen are mandatory and must all be configured for OpenID Connect authentication.
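To show how the values gathered in steps 1 to 8 are actually used, here is an added example (not Hexagon's or Microsoft's code) that maps a constructed AD FS discovery document onto the three mandatory SSO Configuration fields and then checks a constructed ID token against them. The host name adfs.example.com, the client ID, the key ID and all token claims are placeholders; the RS256 signature verification itself is left to a JOSE library and is not reproduced.

```python
"""Map an AD FS OpenID Connect discovery document onto the mandatory SSO Configuration
fields (Issuer, JWKS URI, Client ID) and check an ID token against them.

Added example, not Hexagon's or Microsoft's code. The discovery document, JWKS and
ID tokens below are constructed; adfs.example.com, the kid and the client ID are
placeholders.
"""
import base64
import json

# Constructed subset of https://adfs.example.com/adfs/.well-known/openid-configuration.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed JWKS as served at jwks_uri. A real entry also carries the RSA modulus 'n'
# and exponent 'e'; only 'kid' and 'use' are needed to select the verification key.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "A1B2C3"}]}

CLIENT_ID = "6b7c0d2e-1111-2222-3333-444455556666"  # placeholder for the AD FS generated client ID
NOW = 1_700_000_500                                  # fixed clock so the example is reproducible


def sso_config_from_discovery(discovery_json: str, client_id: str) -> dict:
    """Map the discovery metadata onto the three mandatory SSO Configuration fields."""
    meta = json.loads(discovery_json)
    return {"Issuer": meta["issuer"], "JWKS URI": meta["jwks_uri"], "Client ID": client_id}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_id_token(id_token: str, config: dict, jwks: dict, now: int) -> dict:
    """Return the claims of id_token if its header and payload agree with the configuration.

    These are the checks the three mandatory fields exist for: the signing key must be one
    published at JWKS URI (selected by 'kid'), 'iss' must equal Issuer exactly, 'aud' must
    include Client ID, and the token must be inside its validity window. The RS256 signature
    is verified against the selected key by the relying party's JOSE library; that step is
    not reproduced here, and a token that fails it must be rejected before anything else.
    """
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))

    # Never accept 'none' or a MAC algorithm from a provider that publishes RSA keys.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_kids = {k["kid"] for k in jwks["keys"] if k.get("use", "sig") == "sig"}
    if header.get("kid") not in signing_kids:
        raise ValueError("kid not published at JWKS URI (refresh the key set, then reject)")

    if claims.get("iss") != config["Issuer"]:  # exact, case-sensitive string comparison
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if config["Client ID"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this Client ID")
    if not (claims.get("nbf", 0) <= now < claims["exp"]):
        raise ValueError("token is outside its validity window")
    return claims


def make_unsigned_token(claims: dict, kid: str, alg: str = "RS256") -> str:
    """Build a token with an empty signature part (constructed test input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    return enc(header) + "." + enc(claims) + "."


CONFIG = sso_config_from_discovery(DISCOVERY_JSON, CLIENT_ID)

# Constructed payload shaped like an AD FS ID token carrying the Confidential Client claims.
GOOD_TOKEN = make_unsigned_token({
    "iss": "https://adfs.example.com/adfs", "aud": CLIENT_ID,
    "iat": NOW - 300, "nbf": NOW - 300, "exp": NOW + 3300,
    "unique_name": "CORP\\jsmith", "upn": "jsmith@corp.example",
    "http://schemas.hexagon.com/claims/Tenant": "TENANT1",
    "http://schemas.hexagon.com/claims/SecurityRole": "EAMUSER",
    "email": "jsmith@corp.example", "commonname": "Jane Smith",
}, kid="A1B2C3")

# Same user, but issued by a different AD FS farm: rejected on the Issuer check.
WRONG_ISSUER_TOKEN = make_unsigned_token({
    "iss": "https://adfs.other.example/adfs", "aud": CLIENT_ID,
    "nbf": NOW - 300, "exp": NOW + 3300, "unique_name": "CORP\\jsmith",
}, kid="A1B2C3")

if __name__ == "__main__":
    print(CONFIG)
    print(check_id_token(GOOD_TOKEN, CONFIG, JWKS, NOW)["upn"])
```

Two properties of the check matter when filling in the screen: the iss comparison is an exact string match, so the Issuer field must hold the discovery value verbatim, and a kid that is not in the published key set should trigger a key refresh followed by a rejection, never a fallback to some other key.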

  • Not all of the claim-name fields in the tables above are required for a successful authentication with the OpenID Connect ID token. At minimum, either the Identity Claim or the UPN Claim must be mapped so that an existing EAM user can be authenticated: the value of the claim mapped to the Identity Claim or UPN Claim field must match either the usr_code or the usr_externcode of a record in the r5users table.

    If the user in the ID token does not already exist in the EAM application, the Role Claim is also required, in addition to the minimum claims above, for the user to be created. The created user record has the following values in the externcode (usr_externcode) and usercode (usr_code) columns of the r5users table.

    • The externcode column is populated from the ID token as follows:

      • If the value of the claim mapped to the UPN Claim field is not blank, it is set as the externcode.

      • Otherwise, the value of the claim mapped to the Identity Claim field is set as the externcode.

    • The usercode column is populated from the ID token as follows:

      • If the value of the claim mapped to the Identity Claim field is not blank and does not exceed 80 characters, it is set as the usercode.

      • Otherwise, if the value of the claim mapped to the UPN Claim field is not blank and does not exceed 80 characters, it is set as the usercode.

      • Otherwise, a randomly generated number is set as the usercode.
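The matching and provisioning rules above, as an added example (not Hexagon's code) that resolves ID token claims to an EAM user through the Confidential Client mapping. The r5users rows and claim values are constructed, and because this section does not specify the format of the randomly generated usercode, a decimal number is assumed for it.

```python
"""Resolve an ID token to an EAM user through the claim mappings on the SSO Configuration
screen, following the matching and provisioning rules in this section.

Added example, not Hexagon's code. Claim names are the Confidential Client values; the
r5users rows and token claims are constructed. The section does not specify the format of
the randomly generated usercode, so a decimal number is assumed here.
"""
import secrets

USR_CODE_MAX_LEN = 80  # usercode length limit stated in this section

# Values entered on the SSO Configuration screen (Confidential Client table).
CLAIM_MAP = {
    "Identity Claim": "unique_name",
    "UPN Claim": "upn",
    "Tenant Claim": "http://schemas.hexagon.com/claims/Tenant",
    "Role Claim": "http://schemas.hexagon.com/claims/SecurityRole",
    "Email Claim": "email",
    "User Description Claim": "commonname",
}

# Constructed r5users rows (only the two columns consulted for matching).
R5USERS = [
    {"usr_code": "JSMITH", "usr_externcode": "jsmith@corp.example"},
    {"usr_code": "CORP\\bjones", "usr_externcode": "bjones@corp.example"},
]


def mapped(claims: dict, field: str):
    """Token value of the claim mapped to an SSO Configuration field; None if absent or blank."""
    name = CLAIM_MAP.get(field)
    value = claims.get(name) if name else None
    if isinstance(value, list):  # AD FS emits multi-valued claims (e.g. several roles) as an array
        value = [v for v in value if isinstance(v, str) and v.strip()]
        return value or None
    return value if isinstance(value, str) and value.strip() else None


def find_existing_user(claims: dict, r5users: list):
    """Match the Identity or UPN claim value against usr_code / usr_externcode (case-sensitive)."""
    candidates = {v for v in (mapped(claims, "Identity Claim"), mapped(claims, "UPN Claim"))
                  if isinstance(v, str)}
    if not candidates:
        raise ValueError("ID token carries neither the Identity claim nor the UPN claim")
    for row in r5users:
        if row["usr_code"] in candidates or row["usr_externcode"] in candidates:
            return row
    return None


def new_user_from_claims(claims: dict) -> dict:
    """Derive usr_externcode and usr_code for a user that does not exist in r5users yet."""
    identity = mapped(claims, "Identity Claim")
    upn = mapped(claims, "UPN Claim")
    if not (identity or upn):
        raise ValueError("ID token carries neither the Identity claim nor the UPN claim")
    if mapped(claims, "Role Claim") is None:
        raise ValueError("Role claim is required to create a new EAM user")

    externcode = upn or identity  # UPN claim first, Identity claim otherwise

    if identity and len(identity) <= USR_CODE_MAX_LEN:
        usercode = identity
    elif upn and len(upn) <= USR_CODE_MAX_LEN:
        usercode = upn
    else:
        usercode = str(secrets.randbelow(10**9))  # assumed shape of EAM's random usercode

    return {
        "usr_code": usercode,
        "usr_externcode": externcode,
        "role": mapped(claims, "Role Claim"),
        "tenant": mapped(claims, "Tenant Claim"),
        "email": mapped(claims, "Email Claim"),
        "description": mapped(claims, "User Description Claim"),
    }


def resolve_user(claims: dict, r5users: list) -> dict:
    """The matching r5users row if there is one; otherwise the record EAM would create."""
    return find_existing_user(claims, r5users) or new_user_from_claims(claims)


ROLE = "http://schemas.hexagon.com/claims/SecurityRole"

# Constructed ID token payloads (signature and standard claims already validated upstream).
EXISTING_USER_CLAIMS = {"unique_name": "CORP\\jsmith", "upn": "jsmith@corp.example", ROLE: "EAMUSER"}
NEW_USER_CLAIMS = {
    "unique_name": "CORP\\" + "x" * 90,  # over 80 characters, so it cannot become the usercode
    "upn": "newhire@corp.example", ROLE: ["EAMUSER", "PLANNER"],
    "email": "newhire@corp.example", "commonname": "New Hire",
}

if __name__ == "__main__":
    print(resolve_user(EXISTING_USER_CLAIMS, R5USERS))
    print(resolve_user(NEW_USER_CLAIMS, R5USERS))
```

Because the comparison is case-sensitive, a token whose unique_name is jsmith does not match the row whose usr_code is JSMITH; without a Role claim such a token is rejected rather than silently creating a second account, which is the behaviour the rules above imply and the one to verify when testing the mapping.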

All the field values described in this section, except for the JWKS URI, are case sensitive. In particular, the Issuer value must match the iss claim of the ID token exactly, and each claim name must be entered exactly as it appears in the token.