With OpenID Connect authentication is enabled, we can look up the available claims using the resolution provided below. This essential setting specifies the username claim that may fetch the appropriate username from the authentication source when using LDAP as the user directory.

By default Spotfire uses the value of the sub claim as username when authenticating using OpenID Connect. It is however possible to configure some other claim to be used instead but this currently only works if that claim is present in the User Info Endpoint. Below are few possible ways to find the claims supported in the ID token and UserInfo Endpoint:

1.  Supported claims will be seen in the discovery document URL with which you can verify. Discovery document URL looks something like this "https://IDPservername/.well-known/openid-configuration":

{"issuer":"https://oktapreview.com","authorization_endpoint":"https://oktapreview.com/oauth2/v1/authorize","token_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/token","userinfo_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/userinfo","registration_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/clients","jwks_uri":"https://dev-464575.oktapreview.com/oauth2/v1/keys","response_types_supported":["code","id_token","code id_token","code token","id_token token","code id_token token"],"response_modes_supported":["query","fragment","form_post","okta_post_message"],"grant_types_supported":["authorization_code","implicit","refresh_token","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"scopes_supported":["openid","email","profile","address","phone","offline_access","groups"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"claims_supported":["iss","ver","sub","aud","iat","exp","jti","auth_time","amr","idp","nonce","name","nickname","preferred_username","given_name","middle_name","family_name","email","email_verified","profile","zoneinfo","locale","address","phone_number","picture","website","gender","birthdate","updated_at","at_hash","c_hash"],"code_challenge_methods_supported":["S256"],"introspection_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"revocation_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/revoke","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"end_session_endpoint":"https://dev-464575.oktapreview.com/oauth2/v1/logout","request_parameter_supported":true,"request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512"]}

       2. You may enable TRACE logging and perform an OIDC authentication and look for entries like these in the logs. You can find a claim that the provider makes available from the UserInfo endpoint and then configure that claim as username claim.
 

   Claims available in the ID Token response: <list of claims>
   Claims available in the UserInfo Endpoint response: <list of claims>

TRACE 2017-05-31T06:40:06,236+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the ID Token response: [at_hash, sub, ver, amr, iss, preferred_username, nonce, aud, idp, auth_time, name, exp, iat, email, jti]

This article will provide information about how to look up the supported claims that are very essential to match when using LDAP as the user directory and the TIBCO Spotfire Server is configured to use OpenID Connect.

External: OpenID Connect Specification

• https://openid.net/specs/openid-connect-core-1_0.html

Doc: Configuring OpenID Connect

• https://docs.tibco.com/pub/spotfire_server/10.3.5/doc/html/TIB_sfire_server_tsas_admin_help/GUID-74323530-6878-4741-A50E-22EDC233A2C0.html