Configuring HxGN EAM application with OpenID Connect details - HxGN EAM - 11.07.01 - Feature Briefs - Hexagon

HxGN EAM OpenID Connect Guide

Language: English | Product: HxGN EAM | Category: Feature Briefs | HxGN EAM Version: 11.7.1

The EAM application must be configured with the metadata of the OpenID Connect client and with the names of the claims carried in the ID token that AD FS issues. As part of this configuration, the values of the install parameters listed below must be updated in the EAM application. This section assumes the OpenID Connect client has been configured in AD FS as described in the previous sections.

  1. From the ADFS Management console, navigate to ADFS > Service > End Points.

  2. Scroll down and select the OpenID Connect Discovery end point.

  3. Open a browser and access the following URL:

    <protocol>://<AD FS Server URL>/<OpenID Connect Discovery End Point obtained from the previous step> (example: https://adfsserver.com/adfs/.well-known/openid-configuration)

  4. The URL will display OpenID Connect metadata in JSON format in the browser.

  5. From the metadata displayed, perform the following two steps.

  6. Copy the value of issuer and set it as the value of the install parameter OIDCISS in the EAM application.

  7. Copy the value of jwks_uri and set it as the value of the install parameter OIDCJWKS in the EAM application.

  8. From the Configuring OpenID Connect Client section, copy the client ID automatically generated by AD FS and set it as the value of the install parameter OIDCCLNT in the EAM application.

  9. Set the values of the following install parameters to map the claim names present in the ID token to the install parameters. This configuration assumes that the custom claims have been configured as described in the Configuring Custom Claims section.

     Install Parameter Name   Install Parameter Value
     OIDCIDNT                 http://schemas.infor.com/claims/Identity
     OIDCUPN                  upn
     OIDCTNT                  http://schemas.infor.com/claims/Tenant
     OIDCROLE                 http://schemas.infor.com/claims/SecurityRole
     OIDCEML                  email
     OIDCUSDS                 commonname

  10. The install parameters OIDCISS, OIDCJWKS, and OIDCCLNT are mandatory and must be configured for OpenID Connect authentication.
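As an added illustration of steps 6 to 10 (this is example code written for this page, not part of HxGN EAM or AD FS), the following Python reads a discovery document, maps issuer and jwks_uri onto OIDCISS and OIDCJWKS, adds the client ID as OIDCCLNT, and checks that the three mandatory parameters are present. The discovery document is a constructed sample with placeholder hostnames, the client ID is a placeholder, and the check of an ID token's iss and aud claims against OIDCISS and OIDCCLNT follows standard OpenID Connect validation rather than anything the brief states about EAM's own behaviour.

```python
import json

# Constructed sample of what an AD FS discovery endpoint
# (https://<adfs-server>/adfs/.well-known/openid-configuration) returns.
# Only the fields used below are included; hostnames are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://adfsserver.example.com/adfs",
    "jwks_uri": "https://adfsserver.example.com/adfs/discovery/keys",
    "authorization_endpoint": "https://adfsserver.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfsserver.example.com/adfs/oauth2/token/",
    "id_token_signing_alg_values_supported": ["RS256"],
})

MANDATORY = ("OIDCISS", "OIDCJWKS", "OIDCCLNT")


def install_params_from_discovery(discovery_json: str, client_id: str) -> dict:
    """Map the discovery document and the AD FS-generated client ID onto the
    three mandatory EAM install parameters (steps 6 to 8)."""
    doc = json.loads(discovery_json)
    return {
        "OIDCISS": doc["issuer"],
        "OIDCJWKS": doc["jwks_uri"],
        "OIDCCLNT": client_id,
    }


def missing_mandatory(params: dict) -> list:
    """Return the mandatory parameters that are absent or blank (step 10)."""
    return [name for name in MANDATORY if not str(params.get(name, "")).strip()]


def param_matches(name: str, configured: str, observed: str) -> bool:
    """Compare a configured install parameter value with a value observed at
    runtime. Per this section every parameter except OIDCJWKS is case
    sensitive, so a case or trailing-slash difference in the issuer is a real
    mismatch, not a cosmetic one."""
    if name == "OIDCJWKS":
        return configured.lower() == observed.lower()
    return configured == observed


def check_id_token_claims(token_claims: dict, params: dict) -> list:
    """Standard OpenID Connect checks (assumption: not described by the brief):
    iss must equal OIDCISS exactly and aud must name OIDCCLNT."""
    problems = []
    if not param_matches("OIDCISS", params.get("OIDCISS", ""), token_claims.get("iss", "")):
        problems.append("iss does not match OIDCISS")
    aud = token_claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if params.get("OIDCCLNT") not in aud:
        problems.append("aud does not contain OIDCCLNT")
    return problems


if __name__ == "__main__":
    params = install_params_from_discovery(SAMPLE_DISCOVERY, "CLIENT-ID-PLACEHOLDER")
    print(params, missing_mandatory(params))
```

The case-sensitivity rule matters in practice: an issuer copied with a trailing slash or different capitalisation from what AD FS places in the iss claim will fail the exact comparison, which is the usual cause of an otherwise well-formed token being rejected.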

Not all of the install parameters for claim names listed in the table above are mandatory for a successful authentication with an OpenID Connect ID token. The minimum required claims for authenticating an existing user in the EAM application are the Tenant claim (OIDCTNT) and at least one of the user claim (OIDCIDNT) or the UPN claim (OIDCUPN). The value in the ID token of the claim named by the install parameter OIDCIDNT or OIDCUPN must match either the usr_code or the usr_externcode of a record in the r5users table for authentication to succeed.

If the user in the ID token does not already exist in the EAM application, the Role claim (OIDCROLE) is also required, in addition to the minimum required claims mentioned above, for the user to be created in the EAM application. The created user will have the following values in the externcode (usr_externcode) and usercode (usr_code) columns of the r5users table.

  • The externcode column is populated as follows, based on the claim values in the ID token.

    • If the value of the claim mapped to the install parameter OIDCUPN is not blank, it is set as the externcode.

    • Otherwise, the value of the claim mapped to the install parameter OIDCIDNT is set as the externcode.

  • The usercode column is populated as follows, based on the claim values in the ID token.

    • If the value of the claim mapped to the install parameter OIDCIDNT is not blank and does not exceed 80 characters, it is set as the usercode.

    • Otherwise, if the value of the claim mapped to the install parameter OIDCUPN is not blank and does not exceed 80 characters, it is set as the usercode.

    • Otherwise, a randomly generated number is set as the usercode.
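The minimum-claim rule and the externcode/usercode derivation above, carried through as an added Python example (written for this page, not EAM's own code). The claim-name mapping is copied from the table in this section; the ID-token claim sets and the r5users rows are constructed samples. Two details are assumptions of this example rather than statements of the brief: "blank" is taken to mean empty or whitespace-only, and the match against usr_code / usr_externcode is an exact string comparison.

```python
import secrets
from typing import Callable, Optional

# Install parameter -> claim name, as listed in the table in this section.
CLAIM_PARAMS = {
    "OIDCIDNT": "http://schemas.infor.com/claims/Identity",
    "OIDCUPN": "upn",
    "OIDCTNT": "http://schemas.infor.com/claims/Tenant",
    "OIDCROLE": "http://schemas.infor.com/claims/SecurityRole",
    "OIDCEML": "email",
    "OIDCUSDS": "commonname",
}

MAX_USERCODE_LEN = 80


def _claim(claims: dict, param: str, mapping: dict = CLAIM_PARAMS) -> str:
    """Value of the ID-token claim mapped to an install parameter.
    Assumption: empty or whitespace-only counts as blank."""
    value = claims.get(mapping[param], "")
    return value.strip() if isinstance(value, str) else ""


def missing_required_claims(claims: dict, user_exists: bool,
                            mapping: dict = CLAIM_PARAMS) -> list:
    """Minimum claim set from this section: Tenant plus at least one of
    Identity or UPN; for a user not yet in r5users, the SecurityRole claim too."""
    missing = []
    if not _claim(claims, "OIDCTNT", mapping):
        missing.append("OIDCTNT")
    if not _claim(claims, "OIDCIDNT", mapping) and not _claim(claims, "OIDCUPN", mapping):
        missing.append("OIDCIDNT or OIDCUPN")
    if not user_exists and not _claim(claims, "OIDCROLE", mapping):
        missing.append("OIDCROLE")
    return missing


def find_existing_user(claims: dict, users: list,
                       mapping: dict = CLAIM_PARAMS) -> Optional[dict]:
    """Match the Identity or UPN claim value against usr_code / usr_externcode
    of the given r5users rows (assumption: exact string comparison)."""
    candidates = {v for v in (_claim(claims, "OIDCIDNT", mapping),
                              _claim(claims, "OIDCUPN", mapping)) if v}
    for row in users:
        if row["usr_code"] in candidates or row["usr_externcode"] in candidates:
            return row
    return None


def derive_user_codes(claims: dict, mapping: dict = CLAIM_PARAMS,
                      rand: Callable[[], int] = lambda: secrets.randbelow(10 ** 12)) -> tuple:
    """Apply the externcode / usercode rules for a newly created user.
    `rand` is injectable so the random fallback can be exercised deterministically."""
    identity = _claim(claims, "OIDCIDNT", mapping)
    upn = _claim(claims, "OIDCUPN", mapping)

    # usr_externcode: the UPN claim if not blank, otherwise the Identity claim.
    externcode = upn if upn else identity

    # usr_code: Identity if not blank and at most 80 characters, else UPN under
    # the same conditions, else a randomly generated number.
    if identity and len(identity) <= MAX_USERCODE_LEN:
        usercode = identity
    elif upn and len(upn) <= MAX_USERCODE_LEN:
        usercode = upn
    else:
        usercode = str(rand())
    return externcode, usercode


# Constructed r5users rows and ID-token claim set used by the stand-alone run.
SAMPLE_USERS = [
    {"usr_code": "JSMITH", "usr_externcode": "jsmith@example.com"},
]
SAMPLE_CLAIMS = {
    CLAIM_PARAMS["OIDCIDNT"]: "jdoe",
    CLAIM_PARAMS["OIDCUPN"]: "jdoe@example.com",
    CLAIM_PARAMS["OIDCTNT"]: "TENANT-PLACEHOLDER",
    CLAIM_PARAMS["OIDCROLE"]: "ROLE-PLACEHOLDER",
}

if __name__ == "__main__":
    existing = find_existing_user(SAMPLE_CLAIMS, SAMPLE_USERS)
    missing = missing_required_claims(SAMPLE_CLAIMS, user_exists=existing is not None)
    print("existing:", existing, "missing:", missing)
    if existing is None and not missing:
        print("would create:", derive_user_codes(SAMPLE_CLAIMS))
```

Running the sample shows the asymmetry worth knowing when reviewing provisioning: the UPN wins for externcode while the Identity claim wins for usercode, so a token carrying both produces a user whose two codes differ, and a token whose Identity value exceeds 80 characters falls back to the UPN or, failing that, a random number for usercode.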

All the install parameter values described in this section, except for the jwks_uri (OIDCJWKS), are case sensitive.