Configuring external providers
The default external provider that is used to authenticate users is WsFed. The user is always redirected to that external provider, unless the EnableLocalLogin property for the client is set to True; when EnableLocalLogin is set to True, users are asked to either enter their user name and password (“local login”), or use the external provider.
The UNICOM Intelligence OpenID Connect provider supports both other OpenID Connect providers and WS-Federation identity providers. The user name returned by the external identity provider must already exist in User Administration.
WS-Federation external providers
To configure external WS-Federation providers, use the properties that are under \Site\Properties\Oidc\Providers\WsFed. Each properties collection defines a different provider; the name of the properties collection is the provider name. The IntelligenceWsFed provider is set up for you.
Caption
The label for the identity provider. This label might be displayed to the user.
MetadataAddress
The address that is used to retrieve the WS-Federation metadata. This is an address that is accessible from the WebAPI internally. This might require it to be a hostname instead of an FQDN, and it might need HTTP instead of HTTPS.
Wtrealm
The “wtrealm” value to pass to the external provider.
The default value is urn:intelligence.
OpenID Connect external providers
To configure external OpenID Connect providers, use the properties that are under \Site\Properties\Oidc\Providers\Oidc. Each properties collection defines a different provider; the name of the properties collection is the provider name.
The redirect URI used is: https://<hostname>/SPSSMR/Oidc/callback/oidc/<providerName>. The external identity provider might need to be configured to allow redirects to this URL.
Authority
The base address of the external OpenID Connect provider. A request is made to the “.well-known/openid-configuration” endpoint of the authority to get metadata for the provider, for example the authorization and token endpoints. This is an address that is accessible from the WebAPI internally. This might require it to be a hostname instead of an FQDN, and it might need HTTP instead of HTTPS (in which case RequireHttpsMetadata must be set to False).
Caption
The label for the identity provider. This might be displayed to the user.
ClientId
The “client_id” value to specify to the external provider, as the OIDC application is effectively a client of the external provider.
ClientSecret
The “client_secret” value to specify to the external provider.
MetadataAddress
The discovery endpoint to use for getting metadata.
The default value is the “.well-known/openid-configuration” endpoint of the URL that is specified by the Authority property.
ResponseType
The “response_type” to request.
The default value is code id_token.
RequireHttpsMetadata
True: An HTTPS scheme must be used when accessing the metadata address.
False: Either the HTTP scheme or the HTTPS scheme can be used when accessing the metadata address.
The default value is True.
Scope
The scope to request.
The default value is openid profile.
UsePkce
This property applies only when the ResponseType is set to Code.
True enables the use of the PKCE standard.
The default value is “True”.
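The following Python check is an added example, not part of the product or its documentation. It merges the defaults documented above into one provider's properties, derives the effective metadata address and redirect URI, and reports setting combinations worth reviewing. It assumes the properties have been copied into a dict with boolean values; the function names, the sample provider DemoIdp and the hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Documented defaults from this page; everything else here is illustrative.
DEFAULTS = {"ResponseType": "code id_token", "RequireHttpsMetadata": True,
            "Scope": "openid profile", "UsePkce": True}

def effective_settings(provider_name, props, hostname):
    """Merge documented defaults into one provider's properties."""
    cfg = {**DEFAULTS, **props}
    if not cfg.get("MetadataAddress"):
        # Default discovery endpoint is derived from Authority.
        cfg["MetadataAddress"] = (cfg["Authority"].rstrip("/")
                                  + "/.well-known/openid-configuration")
    # Redirect URI pattern as given on this page; register it at the external IdP.
    cfg["RedirectUri"] = f"https://{hostname}/SPSSMR/Oidc/callback/oidc/{provider_name}"
    return cfg

def review(cfg):
    """Return a list of (severity, message) findings for one provider."""
    findings = []
    scheme = urlsplit(cfg["MetadataAddress"]).scheme.lower()
    if scheme != "https":
        if cfg["RequireHttpsMetadata"]:
            findings.append(("error", "MetadataAddress is not HTTPS but "
                             "RequireHttpsMetadata is True"))
        else:
            findings.append(("warn", "metadata is fetched over cleartext HTTP; "
                             "endpoints and key locations can be altered in transit"))
    if cfg["UsePkce"] and cfg["ResponseType"].strip().lower() != "code":
        findings.append(("info", "UsePkce applies only when ResponseType is Code"))
    if "openid" not in cfg["Scope"].split():
        findings.append(("error", "Scope must include openid"))
    return findings

# Constructed sample: a provider reached by internal hostname over HTTP.
SAMPLE = {"Authority": "http://idp-internal:8080/realms/demo",
          "ClientId": "intelligence",
          "RequireHttpsMetadata": False, "ResponseType": "Code"}

if __name__ == "__main__":
    cfg = effective_settings("DemoIdp", SAMPLE, "survey.example.com")
    print(cfg["MetadataAddress"], cfg["RedirectUri"], sep="\n")
    for severity, message in review(cfg):
        print(f"{severity}: {message}")
```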
See
Configuring the OIDC application
Configuring the OAuth 2.0 clients
Signing certificates for the OIDC and WsFed applications
OpenID Connect provider