Connect to your identity provider using OpenId Connect

OpenId Connect is a modern authentication protocol supporting various scenarios, including web and mobile applications.

If your identity provider supports authentication via OpenId Connect (OIDC), you're ready to provide seamless user authentication for all CHG-MERIDIAN applications.

Configuration

CHG IdentityProvider

To start integrating your identity provider you need the following information from CHG IdentityProvider:

  • Login redirect URI
    The location to which the authentication response is sent.
  • Logout redirect URL (optional)
    The location to which a request is sent to clear the user's session data. This is required for single sign-out to work correctly.

Your IdentityProvider

The following information is required to integrate your identity provider:

  • Domain name
    The domain part of your users' email addresses; it is used to associate user names with your identity provider.
  • Authority
    URL to your identity provider.
  • Client Id
    Unique identifier of the client (CHG IdentityProvider) registered at your identity provider.
  • Client secret (only required if your identity provider does not support PKCE)
    Secret key used to authenticate the client (CHG IdentityProvider).
  • Additional scopes
    Additional scopes may be required to obtain additional user attributes.

Additional attributes

  • sub (required)
    Contains the unique identifier of the user at the federated login provider. It is used to link the CHG-MERIDIAN specific identity to the external IdentityProvider.
    Accepted alternatives:
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  • email (required)
    Contains the email address of the user.
    Accepted alternatives:
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (only if it contains a valid email address)
  • preferred_username
    Contains the user's preferred username. Falls back to the user's email address if none is provided.
    Accepted alternatives:
    • name
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • given_name
    Contains the user's given name.
    Accepted alternatives:
    • FirstName
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • family_name
    Contains the user's family name.
    Accepted alternatives:
    • LastName
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • nickname
    Can be used as a fallback for the name displayed for the user. It is only used if the name claim is empty and no first and last name can be found.
  • generic other attributes
    If the external identity provider sends attributes other than the ones mentioned above, the CHG IdentityProvider forwards them to authenticated client applications but does not store them. Please keep those attributes to a minimum to avoid hitting limits of the protocols in use, such as header sizes. This also avoids distributing the user's information to multiple systems unnecessarily.
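As an added example (not part of this page and not CHG IdentityProvider's own code), the following Python function applies the attribute mapping above to the claims of an incoming token: it tries each accepted alternative claim name in order, accepts the WS-Fed nameidentifier as an email only when it is a valid address, falls back to the email address for preferred_username and to nickname for the display name, and separates the remaining attributes that are forwarded but not stored. The function, the hypothetical identity provider and the sample claims are constructed; only the claim names come from the page.

```python
# Added example, not CHG-MERIDIAN code: resolves the attributes listed above from an
# IdP's claims. Claim names are from the page; the sample token below is constructed.
import re
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Accepted claim names per attribute, in order of preference
CLAIM_ALIASES = {
    "sub": ["sub", WS + "nameidentifier"],
    "email": ["email", WS + "emailaddress"],
    "preferred_username": ["preferred_username", "name", WS + "name"],
    "given_name": ["given_name", "FirstName", WS + "givenname"],
    "family_name": ["family_name", "LastName", WS + "surname"],
}

# Constructed sample: WS-Fed style claims from a hypothetical identity provider
SAMPLE_CLAIMS = {
    WS + "nameidentifier": "jdoe@example.com",
    "FirstName": "Jane",
    "LastName": "Doe",
    "department": "Finance",
}

def first_present(claims, names):
    """Return the first non-empty value among the accepted claim names, or None."""
    return next((claims[n] for n in names if claims.get(n) not in (None, "")), None)

def normalize_claims(claims):
    """Resolve the CHG attributes; raise ValueError if sub or email cannot be found."""
    out = {attr: first_present(claims, names) for attr, names in CLAIM_ALIASES.items()}
    # nameidentifier is accepted as the email only if it is a valid address
    name_id = claims.get(WS + "nameidentifier")
    if out["email"] is None and name_id and EMAIL_RE.match(name_id):
        out["email"] = name_id
    for required in ("sub", "email"):
        if out[required] is None:
            raise ValueError(f"required attribute '{required}' missing from token")
    # preferred_username falls back to the email address
    out["preferred_username"] = out["preferred_username"] or out["email"]
    # Display name: name claim, then given + family name, then nickname
    display = first_present(claims, ["name", WS + "name"])
    if not display:
        display = " ".join(p for p in (out["given_name"], out["family_name"]) if p)
    out["display_name"] = display or claims.get("nickname")
    # Other attributes are forwarded to client applications but not stored
    known = {n for names in CLAIM_ALIASES.values() for n in names} | {"nickname"}
    out["forwarded"] = {k: v for k, v in claims.items() if k not in known}
    return out
```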