AuthnMethodOAuth

Description of the configuration object

A numeric weight to be assigned to this authentication method. You can create authorization conditions based on these assurance level weights.

The holder for common URL configurations of an authentication method.

Whether or not the authentication service correlates user accounts in the 'User Repository' upon successful validation of provided credentials. SAML assertion based authentication at SPs should consider unchecking depending on the underlying scenario.

Whether or not the authentication service considers validity metadata for example, account lifetime or locking state.

Whether or not the authentication service invokes the server-global subject attribute finder plug-in for this authentication method. This plug-in allows you to look up supplementary information about an authenticated user that is not part of the user account against which authentication was performed and is used when information about a single user is distributed across various repositories.

A value to be imprinted as SAML authentication context class reference when issuing SAML assertions for subjects that have been authenticated with this method. If the value is undefined, a default mapping to SAML-defined values is used.

Whether or not to generate the authentication-method-specific domain name in the format: authentication_id@authentication_method_id.

The domain identifier used for the names retrieved by this authentication method during the domain name resolution.

The domain name format used for the names retrieved by this authentication method during domain name resolution. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier).

Whether or not the authentication identifier is hashed before it is included into the domain name.

To what extent is the user correlation with an existing user record in user repository for this authentication method forced. This element has priority over the Do correlate user accounts element.

Reference to authentication method of the same type to share the credentials and credential-specific configuration with. If null, this method works with its own configuration and set of credentials for each user. For every authentication method the domain name configuration is being resolved which is then used during unique name resolution. Specifics for some methods are:

Indicates whether Just-in-Time (JIT) provisioning of user records to the application repository is enabled. If enabled, a user record is automatically created in the application repository after successful authentication if it does not already exist. If disabled, authentication will not trigger the creation of a new user record if one does not exist.

A unique URI describing corresponding protected resource. The parameter is compared during the access_token validation against the audience element of the OAuth access_token (using a strict string equivalence). From this reason, the URI MUST be unique within the scope of trusted OAuth Authorization Servers.

References to the metadata of trusted OAuth 2.0 Authorization Servers. The metadata are used during the JWT validation process claims comparison and signature verification.

The name of the User Profile attribute that should be used for correlation between the User Profile objects and user accounts from the DirX Access User Repository.

The name of the LDAP attribute that should be used for correlation between objects from the User Profile Release Endpoint (OAuth Resource Server) and user accounts from the DirX Access User Repository.

Whether or not this authentication method enforces the internal subject to be part of an SSO session or not. If true, any request bound to this authentication method (typically via the PEP) takes the data about the requestor from the JWT and does not perform the traditional SSO in the sense that:

Whether or not to imprint roles from the OAuth token into the roles assigned to internal subject.

Whether or not to imprint groups from the OAuth token into the groups assigned to internal subject.

References to cryptographic material containers. The containers serve as truststore for signature verification certificates and keystore for encryption keys.

Whether or not to require the JWTs to be signed.

Whether or not to require the JWTs to be encrypted.

Whether or not to match the groups in OAuth token with the Groups saved in the application repository. If true, the groups passed in the JWT claims set will be matched against groups in application repository and roles from these groups willbe imprinted into the server subject. If false, the roles will be only resolved from the JWT. In order for the groups to be resolved successfully, only the name of the groups should be sent in the token. If recursive group membership resolution is enabled in Subject Template, the parent groups and their roles will also be resolved and added to the Server Subject.

The format of the roles in the JWT. It is used to format the roles with the Domain Name to different the roles from the token from those saved in the user record in user or application repository.

Domain name assigned to any group resolved from the OAuth token consumed by this authentication method. This parameter enables to ensure uniqueness of groups from different sources (e.g., user repository and third-party IdPs).

Domain-specific format assigned to any group resolved from the OAuth token consumed by this authentication method. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier). This parameter enables to ensure uniqueness of groups from different sources (e.g., user repository and third-party IdPs).