Entering ID provider data in the user administration

You have the option to store login data for identity providers in the user administration.

Key values are already preconfigured for the following identity providers:

  • Microsoft Azure

  • Keycloak

  • Okta

  • Google

Step-by-step guide

Proceed as follows to store login data for identity providers in the user administration:

  1. Start the "User" module.

  2. Select the "Configuration" entry in the "User" menu.

    The "User manager configuration" dialog box is displayed.

  3. Under "Web", click on the icon.

    The "Binding: Web" dialog box is displayed.

  4. Activate the "OAuth2 authentication" option.

  5. Click on the icon (Add provider).

    The "Select provider" dialog box is displayed.

  6. Select the desired provider or select the "User-defined" tile.

  7. Click on "Next".

  8. The "Configure provider" dialog box is displayed for the previously selected provider.

    In the dialog window, the values known for the respective provider are already preassigned in whole or in part.

    Provider settings

    Name

    Enter a name for the provider configuration here. The name has to be unique. You can overwrite the name preassigned by Intrexx.

    Client ID

    Enter the client ID here. You must obtain this from the ID provider. See the Client ID and Client Secret sections for more information.

    Client secret

    Enter the client secret here. You must obtain this from the ID provider. See the Client ID and Client Secret sections for more information.

    Scope

    The provider's scope must be stored here. The value is preset by Intrexx.

    You can (also) obtain the value from the ID provider. See the REST-API endpoints section for more information.

    Access Token URL

    The access token URL of the provider must be stored here. The value is preassigned by Intrexx for some providers completely and for some providers partially.

    If the value is partially pre-assigned, it contains variables whose value you must obtain from the provider. (For Microsoft Azure, this is the "Tenant ID".) See the REST API endpoints section.

    User Auth URL

    The user auth URL for authorization with the provider must be stored here. The value is preassigned by Intrexx for some providers completely and for some providers partially.

    If the value is partially pre-assigned, it contains variables whose value you must obtain from the provider. (For Microsoft Azure, this is the "Tenant ID".) See the REST API endpoints section.

    Public Key Source

    The "public key source", the URL for the provider's public keys, must be stored here. The value is preassigned by Intrexx for some providers completely and for some providers partially.

    If the value is partially pre-assigned, it contains variables whose value you must obtain from the provider. (For Microsoft Azure, this is the "Tenant ID".) See the REST API endpoints section.

    User Info URL

    The "User info URL", the URL for the user information endpoint, can be stored here. The field can be empty. If the value is required, Intrexx preassigns the appropriate value. If the value is partially pre-assigned, it contains variables whose value you must obtain from the provider.

    Redirect URL

    The "Redirect URL" must be stored here. It is preset by Intrexx. The redirect URL is made up of the base URL of your portal and the following components: "/oauth2/login/<provider name>"

    Please refer to the section Storing a redirect URL.

    Mapping

    When authentication data (ID token) is transmitted from the ID provider to Intrexx, Intrexx maps the user at the ID provider to a user in the Intrexx user administration.
    The users are mapped using a unique field (attribute) that exists both at the ID provider and in Intrexx (user master data field). Typically the user's email address is used for this. It is important that the values in the selected user master data field are unique. If a token value matches several users, the login is aborted with an error.

    Intrexx presets the mapping with the provider field name "email" and the database field "Business email".

    Provider field name

    You must obtain the provider field name from the provider.

    Database field

    For database fields, data fields of the type String can be selected. User-defined data fields are also available for selection. Intrexx presets the mapping with the provider field name "Email" and the database field "Business email".

    Enable user registration

    After successful login, a new Intrexx user can optionally be registered if it does not yet exist, or an existing Intrexx user can be changed. Groovy scripts are required for execution and these can be configured via the web binding dialog.

    Detailed information on this can be found in the section Enable user registration.

    Nonce required

    Here you can specify whether the provider requires a nonce ("number used once").

    You can find out whether the provider requires a nonce from the provider. The value is preset by Intrexx.

    Additional redirect parameters

    You have the option to store additional redirect parameters. These are each composed of a key and a value. Intrexx presets redirect parameters if necessary.

    1. Click on the icon.

      The "Additional redirect parameters" dialog box is displayed.

    2. Click on the icon.

      The "Add parameter" dialog box is displayed.

    3. Enter the key and its value here.

    4. Click on "OK".

      You return to the "Additional redirect parameters" dialog box.

    5. Click on "OK".

      You will return to the "Configure provider" dialog box.

    Login button on the web

    Title

    Enter the text to be displayed on the button here.

    Style class

    Enter the name of the style class to be used for the login button.

    Intrexx presets the style class with "Button_Standard".

    User-defined style classes can be defined in the "Layout" module.

    Show on the web

    Here you can specify whether or not the login button should be displayed on the web.

    (Hiding the button may be useful, for example, during a test phase or when a provider is temporarily unavailable.)

    Place provider icon on the login button

    You have the option of placing the provider's icon or another icon on the login button. You can find detailed information on this in the section Customize login button for identity provider.

  9. Click on "Finish".
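
How the Redirect URL, Nonce required, Additional redirect parameters and Mapping settings interact during a login, as an added Python sketch (not Intrexx code). It assumes the ID token signature has already been verified against the Public Key Source; the dictionary keys, URLs, scope value and users are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode

class LoginAborted(Exception):
    """Raised when a login must fail closed."""

def redirect_url(portal_base_url, provider_name):
    # Portal base URL plus "/oauth2/login/<provider name>", as described above.
    return portal_base_url.rstrip("/") + "/oauth2/login/" + provider_name

def authorization_url(cfg, state, nonce):
    """Browser redirect to the User Auth URL (authorization code flow)."""
    # Additional redirect parameters go in first so that they cannot
    # replace the core parameters (a choice made for this sketch).
    params = dict(cfg["additional_redirect_parameters"])
    params.update(response_type="code", client_id=cfg["client_id"],
                  redirect_uri=cfg["redirect_url"], scope=cfg["scope"],
                  state=state)
    if cfg["nonce_required"]:
        params["nonce"] = nonce
    return cfg["user_auth_url"] + "?" + urlencode(params)

def map_user(claims, users, cfg, expected_nonce):
    """Map already-verified ID token claims to exactly one local user."""
    if cfg["nonce_required"]:
        got = str(claims.get("nonce", "")).encode()
        if not expected_nonce or not secrets.compare_digest(got, expected_nonce.encode()):
            raise LoginAborted("nonce missing or not the one we sent")
    value = claims.get(cfg["provider_field"])
    if not value:
        raise LoginAborted("mapping claim missing from ID token")
    matches = [u for u in users if u.get(cfg["database_field"]) == value]
    if len(matches) != 1:  # no match, or several users share the value
        raise LoginAborted(f"{len(matches)} users match {value!r}")
    return matches[0]

# Constructed sample configuration and user table (hypothetical values).
CFG = {
    "client_id": "example-client-id",
    "scope": "openid email",
    "user_auth_url": "https://idp.example/authorize",
    "redirect_url": redirect_url("https://portal.example/", "keycloak"),
    "nonce_required": True,
    "additional_redirect_parameters": {"prompt": "login"},
    "provider_field": "email",
    "database_field": "business_email",
}
USERS = [
    {"login": "alice", "business_email": "alice@example.com"},
    {"login": "bob", "business_email": "shared@example.com"},
    {"login": "carol", "business_email": "shared@example.com"},
]
```

In this sample, "shared@example.com" belongs to two users, so a token carrying that address aborts the login instead of picking one of them.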
