OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the end user based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the end user.
From Flow 6.12 the OpenID Connect configuration is used for Azure AD login.
This configuration is required also when using Azure AD.
Set up Studio
OpenID Connect is enabled in the Flow Studio.
Go to Environment -> OpenID Connect and select Enable.
Enter the configuration.
When OpenID is enabled the normal username/password login is disabled in the mobile clients (iOS, Android) and Windows client.
OpenID login will work for both synchronized users and manually entered users.
Authority address: Base URL for the identity provider
Client ID: Unique id for your application. Created in admin part of your identity provider.
Scope: OpenID Connect scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims.
Authentication flow: Implicit or Authorization Code.
Do not require authorization code hash: Check this for compatibility with certain IdPs. (Azure needs this checked)
Do not require access token hash: Check this for compatibility with certain IdPs. (Azure needs this checked)
Do not validate discovery endpoints: Check this for compatibility with certain IdPs. (Azure needs this checked)
Do not validate issuer name: Check this for compatibility with certain IdPs. (Azure needs this checked)
Username - Claim mapping key: The name of the claim from where to extract the flow user name. IdP specific. Example: email, upn, unique_name.
Exclude domain: Check this if the flow user in synchronized or entered without domain.
Extra query Params: JSON formatted. Is used to send extra params.
Clock skew: To compensate time differences between server and client (Default is 360 (s)).
EphemeralBrowserSession: iOS-specific setting (iOS13 or more) - Check this if cookies are to be cleared between logins. If they are not cleared the user is signed in directly which can cause problems if the device is used by more than one user.
Allow user password login - tick if users are to be able to login with OpenID and Flow password.
Native applications (Android, iOS, UWP)
The url callback for native applications needs to be set to: ncflow://openid