Define the External Identity Provider for OAuth Authorization

You define the external identity provider (IdP) on the OAUTH tab of the Single Sign-On Configurations editor.

Before you start

You must perform these tasks before defining the external IdP:
  • Configure the external IdP.
  • Download the security certificate from the external IdP to your computer.
  • Add the Single Sign-On Configurations component to the configuration list for the Configuration button, for example to the Site Configuration tree. See Create a Navigation Set for the Administrator.

Here's what to do

  1. Click Configuration on the navigation pane.
  2. Double-click Single Sign-On Configurations in your navigation list.
    The Single Sign-On Configurations editor opens with the SAML tab active.
  3. Click the OAUTH tab.
  4. Click New on the ribbon and select SSO Identity Provider.
    The Identity Provider editor opens on the content pane.
  5. Enter this information:

    External Identity Provider Fields

    Provider Entity ID
      Enter a unique entity ID for the external IdP.
    Active
      Select this check box to make the external IdP active.
    Enforce Audience Restriction
      Select this check box to force the aud attribute (audience) of the OAuth token to include the custom audience URL.
      Enforcing an audience restriction ensures that only tokens meant for this specific site are consumed.
    Custom Audience URL
      Enter the custom audience URL that the OAuth token must match, for example:
      https://customaudience.com/services/rest
      Note: If the Enforce Audience Restriction check box is selected and no custom audience URL is specified, the token must include the interface URL in its audience list.
    Token Validity
      Enter the length of time in seconds, from 1 to 86400 (1 day), for which the OAuth token remains valid from the time it is issued. If no expiration time is set by the external IdP, the default validity is 120 seconds.
      The token remains valid until the earlier of the following:
      • Time issued plus token validity
      • Expiration time set by the issuing IdP
    Label
      To change the display name of the external IdP, click the arrow next to Labels and enter the label you want displayed.
      The default is New IDP Provider.

  6. Click the Certificates drop-down arrow, then perform these steps.
    1. To skip verification of the trust chain for the certificates you import, select the Do Not Verify Trust Chain for Certificates check box.
      Use this option only for self-signed certificates or certificates that don't pass OpenSSL trust chain verification.
    2. Click the folder next to the Import Certificate field, browse for the security certificate you downloaded from the external IdP, then click Open.
      The certificate is imported.
  7. Click Save.

Results:

The external IdP definition is shown in the Identity Providers list.
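As an added illustration (not part of this documentation or the product's code), the following Python models how the Enforce Audience Restriction, Custom Audience URL and Token Validity settings above constrain an incoming token. The config class, the interface URL and the sample claims are constructed, and signature verification against the imported IdP certificate is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Union


@dataclass
class IdpConfig:
    """Constructed stand-in for the External Identity Provider Fields above."""
    interface_url: str                        # assumed: the site's own REST interface URL
    enforce_audience_restriction: bool = False
    custom_audience_url: Optional[str] = None
    token_validity: int = 120                 # seconds, 1..86400; default 120


def effective_expiry(cfg: IdpConfig, issued_at: int, idp_exp: Optional[int]) -> int:
    """Return the Unix time at which the token stops being valid: the lesser of
    (time issued + Token Validity) and the expiry set by the issuing IdP, if any."""
    if not 1 <= cfg.token_validity <= 86400:
        raise ValueError("Token Validity must be between 1 and 86400 seconds")
    local_exp = issued_at + cfg.token_validity
    return local_exp if idp_exp is None else min(local_exp, idp_exp)


def audience_accepted(cfg: IdpConfig, aud: Union[str, Sequence[str], None]) -> bool:
    """Apply Enforce Audience Restriction: the aud claim must include the Custom
    Audience URL, or the interface URL when no custom URL is configured."""
    if not cfg.enforce_audience_restriction:
        return True           # restriction off: aud is not examined
    if aud is None:
        return False          # enforced, but the token names no audience at all
    audiences = [aud] if isinstance(aud, str) else list(aud)  # JWT aud may be string or list
    required = cfg.custom_audience_url or cfg.interface_url
    return required in audiences


def token_accepted(cfg: IdpConfig, claims: dict, now: int) -> bool:
    """Audience and validity-window checks on already-decoded claims; signature
    verification against the imported IdP certificate is assumed to have passed."""
    if not audience_accepted(cfg, claims.get("aud")):
        return False
    return now < effective_expiry(cfg, claims["iat"], claims.get("exp"))


if __name__ == "__main__":
    # Constructed sample: the IdP grants an hour, but the site caps validity at 300 s.
    cfg = IdpConfig(interface_url="https://site.example/services/rest",
                    enforce_audience_restriction=True,
                    custom_audience_url="https://customaudience.com/services/rest",
                    token_validity=300)
    claims = {"iat": 1_700_000_000, "exp": 1_700_003_600,
              "aud": ["https://customaudience.com/services/rest"]}
    print(token_accepted(cfg, claims, now=1_700_000_299))  # True: within the 300 s cap
    print(token_accepted(cfg, claims, now=1_700_000_300))  # False: cap reached
```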

What to do next

Use the Manage Access Tokens editor to Revoke OAuth Access Tokens as needed.