This documentation applies to Adxstudio Portals 7.0.0020 and later versions.

OpenID Connect external identity providers are services that conform to the OpenID Connect specification. Integrating a provider involves locating the authority (or issuer) URL associated with the provider. From the authority, a configuration (discovery) URL can be determined that supplies the metadata required during the authentication workflow. The provider settings are based on the properties of the OpenIdConnectAuthenticationOptions class.

Examples of authority URLs are:

Integrating each OpenID Connect provider also involves registering an application (similar to registering with an OAuth 2.0 provider) and obtaining a Client Id. The authority URL and the generated application Client Id are the settings required to enable external authentication between the portal and the identity provider.

The Google OpenID Connect endpoint is currently not supported since the underlying libraries are still in the early stages of release with compatibility issues to address. The Google OAuth 2.0 endpoint can be used instead.

Azure Active Directory

To get started, sign in to the Azure Management Portal and create a directory or select an existing one. When a directory is available, follow the instructions below to add an application to the directory.

  • Under the Applications menu of the directory, click the Add button
  • Choose Add an application my organization is developing
  • Specify a custom name for the application and choose the type web application and/or web API
  • For the Sign-On URL and the App ID URI, specify the URL of the portal in both fields, for example https://portal.contoso.com/
  • At this point a new application is created. Navigate to the Configure section in the menu
    • Under the single sign-on section, update the first Reply URL entry so that it includes the sign-in path, for example http://portal.contoso.com/signin-azure-ad
    • This corresponds to the RedirectUri site setting value
    • Under the properties section, locate the client ID field. This corresponds to the ClientId site setting value.
  • In the footer menu click the View Endpoints button and note the Federation Metadata Document field
    • The left portion of the URL is the Authority value and is in one of the following formats:
      • https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/
      • https://login.microsoftonline.com/contoso.onmicrosoft.com/
    • To get the service configuration URL, replace the FederationMetadata/2007-06/FederationMetadata.xml path tail with the path .well-known/openid-configuration
    • This corresponds to the MetadataAddress site setting value

Create Site Settings

Apply portal site settings referencing the above application.

A standard Azure AD configuration only uses the following settings (with example values):

  • Authentication/OpenIdConnect/AzureAD/Authority - https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/
  • Authentication/OpenIdConnect/AzureAD/ClientId - fedcba98-7654-3210-fedc-ba9876543210
    • Note, the Client ID and the authority URL do not contain the same value and should be retrieved separately.
  • Authentication/OpenIdConnect/AzureAD/RedirectUri - https://portal.contoso.com/signin-azure-ad
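The derivation in the Azure steps above (Authority and MetadataAddress from the Federation Metadata Document URL) and the three standard site settings, worked through as an added example that is not Adxstudio code. The discovery document is constructed inline for offline use and reuses the example tenant id from this page; the check function assumes the AuthenticationType setting, when present, must equal the issuer from that document, as the settings table states.

```python
"""Derive the OpenIdConnect/[provider] site settings from the Azure AD
Federation Metadata Document URL, then cross-check them against the
provider's discovery document and the registered Reply URLs."""
import json
from urllib.parse import urlsplit

FEDERATION_TAIL = "FederationMetadata/2007-06/FederationMetadata.xml"
DISCOVERY_TAIL = ".well-known/openid-configuration"

# Constructed discovery document (only the fields used here).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/",
    "authorization_endpoint": "https://login.microsoftonline.com/"
                              "01234567-89ab-cdef-0123-456789abcdef/oauth2/authorize",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
})


def derive_settings(provider, federation_metadata_url, client_id, redirect_uri):
    """Turn the View Endpoints value into the [provider] site settings."""
    if not federation_metadata_url.endswith(FEDERATION_TAIL):
        raise ValueError("not a Federation Metadata Document URL")
    authority = federation_metadata_url[: -len(FEDERATION_TAIL)]  # left portion
    prefix = f"Authentication/OpenIdConnect/{provider}/"
    return {
        prefix + "Authority": authority,
        prefix + "MetadataAddress": authority + DISCOVERY_TAIL,
        prefix + "ClientId": client_id,
        prefix + "RedirectUri": redirect_uri,
    }


def check_settings(settings, provider, discovery_json, registered_reply_urls):
    """Return a list of problems; an empty list means the settings agree."""
    prefix = f"Authentication/OpenIdConnect/{provider}/"
    issuer = json.loads(discovery_json).get("issuer", "")
    problems = []
    # AuthenticationType, if set, must be the issuer from the metadata.
    auth_type = settings.get(prefix + "AuthenticationType")
    if auth_type is not None and auth_type != issuer:
        problems.append(f"AuthenticationType {auth_type!r} != issuer {issuer!r}")
    # ClientId and Authority are separate values; pasting the tenant id as
    # the ClientId is a common slip.
    if settings[prefix + "ClientId"] in settings[prefix + "Authority"]:
        problems.append("ClientId looks like part of the Authority URL")
    redirect = settings[prefix + "RedirectUri"]
    if urlsplit(redirect).scheme != "https":
        problems.append("RedirectUri is not https")
    if redirect not in registered_reply_urls:
        problems.append("RedirectUri is not a registered Reply URL")
    return problems
```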

Multiple identity providers can be configured by substituting a label for the [provider] tag. Each unique label forms a group of settings related to one identity provider. Example labels: AzureAD, MyIdP

The available site settings are listed below; each maps to a property of the OpenIdConnectAuthenticationOptions class documented on MSDN.

  • Authentication/Registration/ExternalLoginEnabled - Enables or disables external account sign-in and registration. Default: true
  • Authentication/OpenIdConnect/[provider]/Authority - Required. The authority to use when making OpenID Connect calls. Example: https://login.windows.net/contoso.onmicrosoft.com/
  • Authentication/OpenIdConnect/[provider]/MetadataAddress - The discovery endpoint for obtaining metadata, commonly ending with the path /.well-known/openid-configuration. Example: https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration
  • Authentication/OpenIdConnect/[provider]/AuthenticationType - The OWIN authentication middleware type. Specify the value of the issuer from the service configuration metadata. Example: https://sts.windows.net/contoso.onmicrosoft.com/
  • Authentication/OpenIdConnect/[provider]/ClientId - Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key".
  • Authentication/OpenIdConnect/[provider]/ClientSecret - The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret".
  • Authentication/OpenIdConnect/[provider]/RedirectUri - Recommended. The URL the provider redirects back to after sign-in; it must match a Reply URL registered with the application. Example: https://portal.contoso.com/signin-azure-ad
  • Authentication/OpenIdConnect/[provider]/Caption - Recommended. The text displayed for this provider on the sign-in user interface. Default: [provider]
  • Authentication/OpenIdConnect/[provider]/Resource - The 'resource' request parameter.
  • Authentication/OpenIdConnect/[provider]/ResponseType - The 'response_type' request parameter.
  • Authentication/OpenIdConnect/[provider]/Scope - A space-separated list of permissions to request. Default: openid
  • Authentication/OpenIdConnect/[provider]/CallbackPath - An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value is generated from RedirectUri.
  • Authentication/OpenIdConnect/[provider]/BackchannelTimeout - Timeout value for back-channel communications. Example: 00:05:00 (5 minutes)
  • Authentication/OpenIdConnect/[provider]/RefreshOnIssuerKeyNotFound - Determines whether a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException.
  • Authentication/OpenIdConnect/[provider]/UseTokenLifetime - Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token.
  • Authentication/OpenIdConnect/[provider]/AuthenticationMode - The OWIN authentication middleware mode.
  • Authentication/OpenIdConnect/[provider]/SignInAsAuthenticationType - The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity.
  • Authentication/OpenIdConnect/[provider]/PostLogoutRedirectUri - The 'post_logout_redirect_uri' request parameter.
  • Authentication/OpenIdConnect/[provider]/ValidAudiences - Comma-separated list of audience URLs.
  • Authentication/OpenIdConnect/[provider]/ValidIssuers - Comma-separated list of issuer URLs.
  • Authentication/OpenIdConnect/[provider]/ClockSkew - The clock skew to apply when validating times.
  • Authentication/OpenIdConnect/[provider]/NameClaimType - The claim type used by the ClaimsIdentity to store the name claim.
  • Authentication/OpenIdConnect/[provider]/RoleClaimType - The claim type used by the ClaimsIdentity to store the role claim.
  • Authentication/OpenIdConnect/[provider]/RequireExpirationTime - A value indicating whether tokens must have an 'expiration' value.
  • Authentication/OpenIdConnect/[provider]/RequireSignedTokens - A value indicating whether a System.IdentityModel.Tokens.SecurityToken can be valid if not signed.
  • Authentication/OpenIdConnect/[provider]/SaveSigninToken - A boolean controlling whether the original token is saved when a session is created.
  • Authentication/OpenIdConnect/[provider]/ValidateActor - A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated.
  • Authentication/OpenIdConnect/[provider]/ValidateAudience - A boolean controlling whether the audience is validated during token validation.
  • Authentication/OpenIdConnect/[provider]/ValidateIssuer - A boolean controlling whether the issuer is validated during token validation.
  • Authentication/OpenIdConnect/[provider]/ValidateLifetime - A boolean controlling whether the lifetime is validated during token validation.
  • Authentication/OpenIdConnect/[provider]/ValidateIssuerSigningKey - A boolean controlling whether validation of the System.IdentityModel.Tokens.SecurityKey that signed the security token is performed.