DC 6.1 OIDC: OpenID Connect

Owned by Leon Thorsell Simonsen
Last updated: Sept 30, 2024 by Tobias Thornfeldt Wolters
1 min read

OpenID Connect (OIDC) is configured a lot like AAD. You’ll need to provide 3 pieces of information:

  1. The authority: The URL for the authentication server, e.g., Azure.

  2. The ClientId: Provided by the authority. This is usually some random string.

  3. The ClientSecret: This too is provided by the authority. This is also a random string.

 

Once you have gathered the above, go to the MM’s SSO settings. Here, select “OpenIDConnect” as the method, and fill out the data.

As many OIDC providers are out there, we don’t provide documentation for any specific provider. This said we do need to be given an implicit grant of “ID Tokens”.

In addition to this, the OIDC provider will likely need the login service’s Redirect URL, which for OIDC is:

https://{damurl}/digizuitecore/loginservice/signin-oidc

 

SSO-initiated logout

When setting up the OpenID Connect SSO provider in MM, it is possible to tick enable the option Verify refresh tokens on access key refresh.

image-20240930-090203.png

If this option is enabled, a request will be sent to the SSO provider when the access key of user needs to be refreshed, checking if the user is still logged in. Enabling the Verify refresh tokens on access key refresh option therefore allows the SSO provider to initiate a user to be logged out or having all access rights revoked.

Please note:

  1. Since a network request has to be made to the SSO provider when refreshing an access key, refreshing an access key can take a bit longer.

  2. When a user is logged out via the SSO provider or has access rights revoked, the user has access until the access key is refreshed. The access key refresh interval is configurable: DC 6.1 Service configuration.