OIDC settings reference
The settings in an OpenID Connect (OIDC) portal authentication implementation must be configured correctly.
Understand what each setting means before completing the Portal authentication using OIDC instructions.
Discovery URL
Your OIDC provider’s discovery URL, typically ending in /.well-known/openid-configuration.
Obtain this URL from your OIDC provider. You can visit the discovery URL in a browser to view the provider’s capabilities, supported authentication methods, and endpoints.
Client authentication method
Choose the authentication method your OIDC provider requires.
| Your identity provider administrator should know which method is required. You can also refer to your provider’s documentation for the correct authentication method. |
- private_key_jwt: (Recommended) Certificate-based authentication using a signed JWT. You supply a private key in the OIDC configuration fields and register the matching public key with your OIDC provider. Read Client secret / Private key (PEM) for detailed information about this option.
- client_secret_basic: Client ID and secret sent through HTTP Basic authentication.
- client_secret_post: Client ID and secret sent in the POST body.
- none: No authentication (public clients only).
Scopes
Default scopes are pre-filled with openid and email, which are required for most implementations.
| Most providers use standard scope names. Verify with your provider if they use custom scopes. |
- openid: Required for OIDC (provides the ID token).
- email: Provides the user’s email address.
- profile: (Optional) Provides additional user profile information.
User property map
Maps OIDC claims to user properties. Common claim types are listed in this section.
The claim name that contains the user’s email address (for example, email).
This is the most common way to identify users.
Primary identifier (optional)
The claim name that contains the user’s primary identifier.
Use this when you want to identify users by a stable, non-PII attribute rather than personally identifiable information such as an email address.
A common choice is sub (the standard OIDC subject claim in the ID token), which provides a unique, opaque identifier for each user without exposing their email address.
When set, this value is used as the primary identifier instead of email.
When left empty, email is used as the primary identifier.
Custom user attributes (optional)
Additional mappings from OIDC claims to user properties.
Use Add to map extra attributes your portal needs. For example:
- given_name → first name
- family_name → last name
- name → display name
Adjust all mappings to match the claim names your OIDC provider returns.
Refer to your provider’s documentation if you are unsure which claim names to use.
IdP logout redirect path (optional)
Read Portal authentication using OIDC for more information about this optional configuration feature.
Client secret / Private key (PEM)
Whether this option is required depends on the selected Client authentication method.
private_key_jwt
Generate and paste your RSA private key in the Private key (PEM) field so Squiz can sign authentication requests to your OIDC provider.
| The DXP Console will encrypt the private key before storage and it will not be viewable again. Keep a backup of the private key in an encrypted secure storage tool like a password manager. |
Retaining the private key in a secure location can be helpful in disaster recovery situations, for example if your OIDC provider requires you to generate a new public key from the original private key.
The key must be created to meet these requirements:
- PKCS#8 PEM format (the key starts with -----BEGIN PRIVATE KEY-----).
- Uses the RS256 algorithm.
- Store this private key in this OIDC configuration in Squiz DXP Console.
- Give the public key to your OIDC identity provider as described in Configure OIDC provider.
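As an added example (not Squiz code and not part of this page), the following Go program shows what the private_key_jwt settings above amount to in practice: it accepts only a PKCS#8 PEM (rejecting a PKCS#1 "RSA PRIVATE KEY" block or a non-RSA key), builds the RS256-signed client assertion that is sent to the token endpoint, and performs the provider-side check with the public key you registered. The client ID, token endpoint and jti values are placeholders you substitute from your own configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
)

// LoadPKCS8 accepts only what the Private key (PEM) field expects: a PKCS#8 "BEGIN PRIVATE KEY" block holding an RSA key.
func LoadPKCS8(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("expected PEM starting with -----BEGIN PRIVATE KEY----- (PKCS#1 \"RSA PRIVATE KEY\" is not accepted)")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if rsaKey, ok := key.(*rsa.PrivateKey); ok && err == nil {
		return rsaKey, nil // RS256 is RSA-only, so an EC or Ed25519 PKCS#8 key is also refused
	}
	return nil, errors.New("PKCS#8 block does not hold a usable RSA key")
}

// ClientAssertion builds the RS256-signed JWT a private_key_jwt client presents at the token endpoint.
func ClientAssertion(key *rsa.PrivateKey, clientID, tokenURL, jti string, iat int64) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{ // iss/sub = client ID, aud = token endpoint, jti unique per request
		"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": jti, "iat": iat, "exp": iat + 120}) // short lifetime limits replay
	input := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc(sig), err // err is non-nil only for an unusable key; callers must check it
}

// VerifyAssertion is the provider-side check made with the public key you registered with the IdP.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) bool {
	parts := strings.Split(jwt, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```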