Define settings in Smart API Manager and Your Identity Provider - Intergraph Smart API Manager - 5.0 - Help

Intergraph Smart API Manager Help


To be able to use an identity provider for authentication, you define its default settings, as well as any other settings you need, in Smart API Manager. In addition, for the OpenID Connect and SAML 2.0 identity providers, there are additional settings you have to define in the identity provider application itself.

Define default settings

For each default setting, click the Value column and type the value. The values depend on the identity provider you chose:

  • WS-Federation default settings

    • MetadataAddress - The URL to the WS-Federation metadata document describing the server parameters.

    • Wtrealm - The name of the authentication realm, usually described in the metadata document as well.

  • OpenID Connect (OIDC) default settings

    • ClientId - The Client Id provided by the OIDC client.

    • Scope - The list of requested OIDC scopes, space-separated. At a minimum, request the openid scope. Optional scopes include profile, email, address, and phone.

    • ResponseType - The expected OAuth response type.

      • If the identity provider OIDC client uses the authorization code flow, then set this value to code.

      • Otherwise, if the identity provider OIDC client uses the implicit flow, then set the value to id_token or id_token token. No access token is returned when the value is id_token.

    • MetadataAddress - The URL to the OIDC identity provider's discovery document. This is typically formed by appending the string /.well-known/openid-configuration to the OIDC client's Issuer URI.

  • SAML 2.0 default settings

    • MetadataAddress - The Identity Provider metadata URL provided by the SAML IDP.

    • Issuer - The Issuer URI provided by the SAML IDP. You can also find the value in the MetadataAddress document at <EntityDescriptor entityID="<Issuer URI>">.

  • Local default settings

    • TypeName - The fully qualified type name that implements the ILocalIdentityProvider interface.

    • InitializationString - An optional string parameter passed to the class constructor (if a constructor with a string parameter is implemented). The string may contain any information required.

Define additional settings, if needed

  1. Click NAME, type the setting name, and click ADD.

  2. Click the Value column for the setting, type the setting value, and press ENTER.

    Tip: If you want to remove a setting, click to select the setting, and click REMOVE.

  3. Click NEXT to map identity provider claims to Smart API Manager claims. The instructions continue with Map identity provider claims to Smart API Manager claims.

  4. If you are using OpenID Connect or SAML 2.0, complete the additional steps required for your identity provider before you continue with mapping the identity provider claims.

Complete setup in OpenID Connect Identity Provider

For OpenID Connect, you must register the identity provider entry from Smart API Manager with the OIDC client as an OIDC Relying Party.

  1. Return to the OIDC client.

  2. Add a Login Redirect Uri, as follows:

    <server>/sam/oauth/callback/<Id>

  3. Add a Logout Redirect Uri, as follows:

    <server>/sam/oauth/logout

What are <server> and <Id>?

These are placeholders for values you get from Smart API Manager:

  • <server> - The base address for your Smart API Manager web server

  • <Id> - The ID (GUID) of the identity provider from Smart API Manager

Complete setup for SAML 2.0 Identity Provider

For the SAML 2.0 Identity Provider, you must establish the identity provider from Smart API Manager as a SAML SP (service provider). To do so, you must provide the following information in your SAML 2.0 identity provider.

  • Single sign on (SSO) URL (also called the SAML Assertion Consumer Service, or ACS URL):

    <server>/sam/oauth/callback/<Id>/Acs

  • Audience URI (also called the SP Entity ID):

    <server>/sam/oauth/callback/<Id>

  • If available, configure the Single Logout URL:

    <server>/sam/oauth/callback/<Id>/logout

  • SP Issuer:

    <server>/sam/oauth/callback/<Id>/

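Added example, not from the Smart API Manager documentation or product: a Python helper that validates the OIDC default settings described above (openid in Scope, a permitted ResponseType, MetadataAddress derived from the Issuer URI) and builds the redirect, ACS, audience, logout and SP issuer URLs from <server> and <Id>. The function names and the https requirement in sam_endpoints are assumptions.

```python
from urllib.parse import urlparse
import uuid

VALID_RESPONSE_TYPES = {"code", "id_token", "id_token token"}  # values the help page lists

def discovery_url(issuer: str) -> str:
    """OIDC MetadataAddress: the Issuer URI plus /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def access_token_source(response_type: str) -> str:
    """'code' -> exchanged at the token endpoint; 'id_token token' -> returned in the
    authorization response; 'id_token' -> no access token at all (as the page notes)."""
    if response_type == "code":
        return "token endpoint"
    if "token" in response_type.split():
        return "authorization response"
    return "none"

def check_oidc_settings(client_id: str, scope: str, response_type: str, issuer: str) -> dict:
    """Validate the OIDC default settings and return them keyed as Smart API Manager names them."""
    scopes = scope.split()  # Scope is space-separated
    if not client_id:
        raise ValueError("ClientId is required")
    if "openid" not in scopes:
        raise ValueError("Scope must include openid")
    if response_type not in VALID_RESPONSE_TYPES:
        raise ValueError(f"unsupported ResponseType: {response_type!r}")
    return {
        "ClientId": client_id,
        "Scope": " ".join(scopes),
        "ResponseType": response_type,
        "MetadataAddress": discovery_url(issuer),
        "access_token_source": access_token_source(response_type),
    }

def sam_endpoints(server: str, provider_id: str) -> dict:
    """URLs to register at the identity provider, built from <server> and <Id>."""
    if urlparse(server).scheme != "https":
        # Added check, not from the page: these URLs receive tokens and SAML assertions.
        raise ValueError("server base address must use https")
    pid = str(uuid.UUID(provider_id))  # <Id> is a GUID; malformed values are rejected
    callback = f"{server.rstrip('/')}/sam/oauth/callback/{pid}"
    return {
        "oidc_login_redirect_uri": callback,
        "oidc_logout_redirect_uri": f"{server.rstrip('/')}/sam/oauth/logout",
        "saml_acs_url": f"{callback}/Acs",
        "saml_audience_uri": callback,
        "saml_single_logout_url": f"{callback}/logout",
        "saml_sp_issuer": f"{callback}/",
    }
```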