Global Configuration – OpenID Connect (tab)


The SERVERS > Global Configuration > OpenID Connect tab contains the global settings for single sign-on (SSO) to the Administration Web Interface via OpenID Connect (OIDC) providers, for example Microsoft Entra ID. For more information about setting up SSO to the Administration Web Interface, see Setting up OpenID Connect as single-sign on (SSO) option.

Table: Global Configuration – OpenID Connect tab
Field name / Description
OpenID Connect Management
Enable OpenID Connect

Determines if SSO to the Administration Web Interface via OpenID Connect providers is enabled.

Default value: Disabled

Authorization Endpoint

The endpoint of the OIDC provider to which users are redirected to authenticate. It is published in the provider's OIDC metadata and usually depends on the application registration and on whether the application is registered as single-tenant or multi-tenant. For Microsoft Entra ID this is the OAuth 2.0 authorization endpoint shown for the application registration.

Example (Entra ID): https://login.microsoftonline.com/entra_tenant_id/oauth2/v2.0/authorize

Replace entra_tenant_id with the respective tenant ID in Microsoft Entra ID.

Token Endpoint

The token endpoint of the OIDC provider, at which the client exchanges its authorization grant (the authorization code received via the callback URI) for an ID token. It usually depends on the application registration and on whether the application is registered as single-tenant or multi-tenant. For Microsoft Entra ID this is the OAuth 2.0 token endpoint shown for the application registration.

Example (Entra ID): https://login.microsoftonline.com/entra_tenant_id/oauth2/v2.0/token

Replace entra_tenant_id with the respective tenant ID in Microsoft Entra ID.

Keys Endpoint

The URL of the OIDC provider's public key endpoint (JWKS URI) as published in the OIDC metadata. The public keys retrieved from it are used to verify the signatures of the ID tokens issued by the OIDC provider. It usually depends on the application registration and on whether the application is registered as single-tenant or multi-tenant.

Example (Entra ID): https://login.microsoftonline.com/entra_tenant_id/discovery/v2.0/keys

Replace entra_tenant_id with the respective tenant ID in Microsoft Entra ID.

Callback URI

The URI to which the OIDC provider redirects the user's browser after successful authentication. The same URI must be registered as a redirect URI for the application in the OIDC provider, and the two values must match exactly. Because the redirect is performed by the administrator's browser and not by the provider itself, the callback URI only needs to be reachable from the administrator's workstation; it does not need to be publicly accessible from the internet.

The callback URI is a pre-defined endpoint provided by the Administration Web Interface, usually:

https://webadmin_host:port/oidcCallback

Replace the following:

  • webadmin_host. The host address (IP address, host name, or FQDN) of the Administration Web Interface instance.
  • port. The network port on which the Administration Web Interface listens, by default 8443.
Issuer

The expected value of the iss (issuer) claim of incoming ID tokens. ID tokens whose issuer does not match this value are rejected.

For Microsoft Entra ID, this is usually https://login.microsoftonline.com/entra_tenant_id/v2.0. Replace entra_tenant_id with the respective tenant ID in Microsoft Entra ID.

User ID Claim

The payload claim in the ID token sent by the OIDC provider whose value is used as the user ID of the signed-in administrator. For instance, this can be set to preferred_username, which in Microsoft Entra ID can be an email address, a phone number, or a generic username without a specified format. Note that preferred_username is not guaranteed to be unique or stable; if the provider offers a stable identifier claim (in Microsoft Entra ID, oid or sub), prefer it when the user ID must not change over time.

Role Claim

The custom payload claim in the ID token sent by the OIDC provider that identifies the user role template to assign to the user when signing in. The value may be a comma-separated list of roles, but only the first entry is used. The role is only applied when a user account is created because none exists yet for the signed-in user.

Example: role

Default Role

The user role that is used if the ID token sent by the OIDC provider contains no role claim.

Example: guest

Role Template Pattern

The pattern from which the name of the user role template is derived from the role claim. The {role} placeholder is replaced with the value of the role claim or, if no role claim was received, with the default role. It is good practice to prefix the names of the user role templates used for SSO so they are easy to identify.

Example: ROLE_TEMPLATE_FOR_{role}

Client ID

The application (client) ID that was generated when the application was registered in the OIDC provider. It is also the expected value of the aud (audience) claim of the ID tokens.

Client Secret

A secret with which the client authenticates to the token endpoint of the OIDC provider when it exchanges the authorization code for an ID token. It is required for Microsoft Entra ID, where you create it via App registrations > Certificates & secrets > Client secrets.