OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the end user based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the end user.

Set up Studio

Requirements

OpenID Connect is enabled in the Flow Studio.

1. Go to Environment -> OpenID Connect and select Enable.

2. Enter the configuration.

3. Save.

When OpenID is enabled the normal username/password login is disabled in the mobile clients (iOS, Android) and Windows client.

OpenID login will work for both synchronized users and manually entered users.

Configuration

• Authority address: Base URL for the identity provider

• Client ID: Unique id for your application. Created in admin part of your identity provider.

• Scope: OpenID Connect scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. Some IdPs require special scopes, for example when using Azure AD you must include the ?user.read? scope.

• Authentication flow: Hybrid or Authorization Code.

• Do not require authorization code hash: Check this for compatibility with certain IdPs. (Azure needs this checked)

• Do not require access token hash: Check this for compatibility with certain IdPs. (Azure needs this checked)

• Do not validate discovery endpoints: Check this for compatibility with certain IdPs. (Azure needs this checked)

• Do not validate issuer name: Check this for compatibility with certain IdPs. (Azure needs this checked)

• Username - Claim mapping key: The name of the claim from where to extract the flow user name. IdP specific. Example: email, upn, unique_name.

• Exclude domain: Check this if the flow user in synchronized or entered without domain.