How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration

Article ID: KB0076302

Products: Spotfire Server
Versions: 7.8 and higher

Description

When OpenID Connect authentication is enabled, the claims that the identity provider makes available can be looked up as described in the Resolution below. This matters because the username claim setting determines which claim Spotfire Server uses as the username, and when LDAP is the user directory that value must match the username held in LDAP for the login to resolve to the right user.

Issue/Introduction

This article describes how to look up the claims supported by the identity provider so that the username claim can be matched against the LDAP user directory when TIBCO Spotfire Server is configured to authenticate with OpenID Connect.

Resolution

By default, Spotfire Server uses the value of the sub claim as the username when authenticating with OpenID Connect. It is possible to configure another claim instead, but this currently only works if that claim is present in the UserInfo Endpoint response; a claim that appears only in the ID token is not enough. Whichever claim is chosen must carry a value that is unique and stable per user and that matches the username stored in the LDAP user directory. Below are two ways to find out which claims the provider returns in the ID token and from the UserInfo Endpoint:
  1.  Read the provider's discovery document. It lists the claims the provider can supply under claims_supported, together with the userinfo_endpoint URL and the scopes that can be requested. The discovery document URL looks like "https://IDPservername/.well-known/openid-configuration". Note that claims_supported is the set of claims the provider may return; whether a given claim is actually present depends on the scopes requested and on the provider's configuration, so confirm the choice with step 2. Example discovery document:
{
  "issuer": "https://oktapreview.com",
  "authorization_endpoint": "https://oktapreview.com/oauth2/v1/authorize",
  "token_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/token",
  "userinfo_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/clients",
  "jwks_uri": "https://dev-464575.oktapreview.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token", "code token", "id_token token", "code id_token token"],
  "response_modes_supported": ["query", "fragment", "form_post", "okta_post_message"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile", "address", "phone", "offline_access", "groups"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "claims_supported": ["iss", "ver", "sub", "aud", "iat", "exp", "jti", "auth_time", "amr", "idp", "nonce", "name", "nickname", "preferred_username", "given_name", "middle_name", "family_name", "email", "email_verified", "profile", "zoneinfo", "locale", "address", "phone_number", "picture", "website", "gender", "birthdate", "updated_at", "at_hash", "c_hash"],
  "code_challenge_methods_supported": ["S256"],
  "introspection_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "revocation_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "end_session_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]
}

  2.  Alternatively, enable TRACE logging on the server, perform an OpenID Connect login, and look for the entries below. They list the claims that were actually returned for that login, which is the authoritative check: a claim must appear in the UserInfo Endpoint line to be usable as the username claim. Pick such a claim and configure it as the username claim.

   Claims available in the ID Token response: <list of claims>
   Claims available in the UserInfo Endpoint response: <list of claims>

For example, the ID Token entry looks like this:

TRACE 2017-05-31T06:40:06,236+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the ID Token response: [at_hash, sub, ver, amr, iss, preferred_username, nonce, aud, idp, auth_time, name, exp, iat, email, jti]
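The following script is an added example that ties steps 1 and 2 together; it is not part of this article or of Spotfire Server. It reads the claims_supported list from a discovery document (here the Okta document shown above, abridged and embedded as a string instead of fetched over HTTPS), parses the "Claims available in ..." TRACE entries, and then checks whether a candidate username claim was actually returned by the UserInfo Endpoint, which is the condition Spotfire Server requires. The UserInfo TRACE line and its claim list are constructed for the example and assume the same "[a, b, c]" shape as the ID Token line shown above.

```python
import json
import re

# Constructed sample input: the discovery document from the article, abridged to
# the fields used here. A live check would instead GET
# https://<IDPservername>/.well-known/openid-configuration.
DISCOVERY_DOC = """{
  "issuer": "https://oktapreview.com",
  "userinfo_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/userinfo",
  "scopes_supported": ["openid", "email", "profile", "address", "phone", "offline_access", "groups"],
  "claims_supported": ["iss", "ver", "sub", "aud", "iat", "exp", "jti", "auth_time", "amr", "idp",
    "nonce", "name", "nickname", "preferred_username", "given_name", "middle_name", "family_name",
    "email", "email_verified", "profile", "zoneinfo", "locale", "address", "phone_number", "picture",
    "website", "gender", "birthdate", "updated_at", "at_hash", "c_hash"]
}"""

# Constructed TRACE log excerpt. The first line is the one shown in the article;
# the UserInfo line is assumed (not taken from a real server) and follows the same shape.
TRACE_LOG = """\
TRACE 2017-05-31T06:40:06,236+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the ID Token response: [at_hash, sub, ver, amr, iss, preferred_username, nonce, aud, idp, auth_time, name, exp, iat, email, jti]
TRACE 2017-05-31T06:40:06,301+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the UserInfo Endpoint response: [sub, name, preferred_username, email, email_verified, given_name, family_name, locale, zoneinfo, updated_at]
"""

# Matches both the ID Token and the UserInfo Endpoint entries and captures the claim list.
CLAIMS_RE = re.compile(
    r"Claims available in the (?P<source>ID Token|UserInfo Endpoint) response: "
    r"\[(?P<claims>[^\]]*)\]"
)


def claims_from_discovery(doc_text):
    """Return the set of claims the provider advertises (claims_supported)."""
    doc = json.loads(doc_text)
    return set(doc.get("claims_supported", []))


def claims_from_trace(log_text):
    """Return {"ID Token": set, "UserInfo Endpoint": set} parsed from TRACE entries."""
    found = {"ID Token": set(), "UserInfo Endpoint": set()}
    for line in log_text.splitlines():
        m = CLAIMS_RE.search(line)
        if m:
            names = [c.strip() for c in m.group("claims").split(",") if c.strip()]
            found[m.group("source")].update(names)
    return found


def check_username_claim(claim, discovery_claims, trace_claims):
    """Decide whether `claim` can serve as the Spotfire username claim.

    Returns (ok, reason). ok is True only when the claim was actually present in
    the UserInfo Endpoint response, which is what Spotfire Server requires.
    """
    if claim not in discovery_claims:
        return False, f"{claim!r} is not in claims_supported; the provider does not advertise it"
    if claim not in trace_claims["UserInfo Endpoint"]:
        if claim in trace_claims["ID Token"]:
            return False, (f"{claim!r} was in the ID Token but not in the UserInfo response; "
                           "Spotfire needs it from UserInfo")
        return False, f"{claim!r} was advertised but not returned; check the requested scopes"
    return True, f"{claim!r} is advertised and was returned by the UserInfo endpoint"


if __name__ == "__main__":
    advertised = claims_from_discovery(DISCOVERY_DOC)
    returned = claims_from_trace(TRACE_LOG)
    for candidate in ("sub", "preferred_username", "idp", "gender", "samAccountName"):
        ok, reason = check_username_claim(candidate, advertised, returned)
        print("OK  " if ok else "FAIL", reason)
```

Run it once with the real discovery document and a TRACE excerpt from your own server; the only candidates worth configuring are the ones reported OK, and among those prefer a value that is unique and immutable per user and equal to the LDAP username.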

Additional Information

External: OpenID Connect Specification
Doc: Configuring OpenID Connect