7.3 Configuring the Self-Service Request Portal for external identity providers
You configure the identity providers for SSRP by editing the myid.production.json file in the website folder, which is an override for the myid.json configuration file. There is a separate myid.json file for each website folder; by default, SSRP for client certificate-based derived credentials, and SSRPOID for OpenID Connect derived credentials.
Note: As updating or upgrading MyID overwrites the myid.json configuration files, you are recommended to make all of your customizations in a myid.production.json file, which is an override file for the myid.json file. If you do not have a myid.production.json file in the same folder as the myid.json file, you can make a copy of the myid.json file and rename it to myid.production.json. If there is an entry in the Providers array with the same Name attribute in both the myid.json and myid.production.json file, the entry in the myid.production.json file takes precedence.
The myid.production.json file defines each potential identity provider within that overall identity provider type from which SSRP can create the new credential. The file contains the URLs and data for authentication with external authentication providers, and the mappings from the claims to the database.
You can include multiple providers in a single myid.production.json file if the providers are all the same type; for example, you can include multiple OpenID Connect providers in the same file. You cannot include a client certificate-based provider in the same myid.production.json file as OpenID Connect providers.
The default location of the myid.json file (and myid.prodution.json) for OpenID Connect is:
C:\Program Files\Intercede\MyID\SSRP\SSRPOID
By default, the myid.json file contains a copy of the myid.json file from the SSRP folder. You must copy this into a myid.production.json file, then edit this file to remove the client certificate-based provider (with a Name of SSL and a Type of ssl) and configure the file for OpenID Connect authentication.
The format of the myid.production.json is:
{
"Providers": [
{
"Name": "<The internally used name for the identity provider>",
"DisplayName": "Text displayed to the user",
"Url": "<URL of OpenID provider>",
"Icon": "<path to icon>",
"Enabled": true,
"Type": "oid",
"Default": true,
"Scopes": "openid email profile",
"RequiredAudience": "<Required Audience of the JWT>",
"RequiredIssuer": "<Required Issuer of the JWT>",
"ClientId": "<Client ID>",
"ClientSecret": "<Client Secret>",
"RetrieveUserInfo": true,
"Mappings": [
{
"Match": {
"<Type of Claim>": "<Required Value of Claim>"
},
"Attributes": [
{
"From": "preferred_username",
"To": "Email",
"Mandatory": false,
"Default": "",
"Static": "",
"Unique": true,
"Update": false,
"LdapSync": true
},
{
"From": "",
"To": "Roles",
"Static": "<role name='Derived Credential Owner' scope='1'/><role name='Cardholder' scope='1'/>"
},
{
"From": "",
"To": "GroupName",
"Static": "Imported From Google"
}
]
}
]
}
]
}Note: When editing the appsettings.Production.json file on your own system, make sure you replace any placeholders with the appropriate values for your system.
Each provider within the Providers array can contain:
-
Name – An internal name for the provider. When configuring the OpenID Connect provider, the redirect URIs must contain:
{URL of SSRP instance}?name={Name in myid.production.json}
For example, if the Name is Entra, the redirect URI might be:
https://myserver.example.com/SSRPOID?name=Entra
-
DisplayName – The display name for the provider. This is the text that appears on the start screen.
For example: Login with your Microsoft account
-
Url – The URL of the OpenID Connect provider.
For example:
https://login.microsoftonline.com/b785ece2-47dd-4eb6-acee-be595bbce9b3/v2.0
Note: With some providers, such as Microsoft Entra, you can type this URL into a browser and append:
/.well-known/openid-configuration
to return JSON that contains all the relevant information required to authenticate with the provider.
-
Icon – The file path to the icon of the provider. This is an optional property that, if populated, displays the icon to the left of the display name in the start screen.
For example:
..\\SSRPOID\\Images\\Microsoft.png
-
Enabled – Whether the provider can be used. If you set this value to false, the provider does not appear in the SSRP selection screen.
You can set this property to true or false. The default value for this property is false.
-
Type – The type of authentication that is used to request the derived credential. Set this to oid for OpenID Connect authentication.
-
Default – Whether this provider is the default if a user navigates directly to the SSRP URL. You can set this to true for at most one provider.
If multiple providers have this set to true, then only the first provider in the list from top down that is set to true is used. If there are no providers set to true, then the first provider is used. When going to the Start page, this setting is ignored.
You can set this property to true or false. The default value for this property is NULL. When this property is set to NULL, it is ignored.
-
Scopes – The scopes requested when attempting to authenticate with the OpenID Connect provider. Each scope allows for a different set of data to be returned in the claims, and typically openid is always required. See the JSON returned from the OpenID Connect provider's /.well-known/openid-configuration URL, or the OpenID Connect provider's documentation for a list of the allowed scopes and claims.
You must set this property to a string with each scope separated by a space; for example:
"Scopes": "openid email profile"
-
RequiredAudience – The required audience. This is checked against the value of the audience of the JSON Web Token (JWT) returned from the OpenID Connect provider after the user has authenticated. If this is empty or not present, the audience of the JWT is not checked. If the value of this property does not match the audience of the JWT, an error occurs.
-
RequiredIssuer – The required issuer. This is checked against the value of the required value of the issuer of the JSON Web Token (JWT) returned from the OpenID Connect provider after the user has authenticated. If this is empty or not present, the issuer of the JWT is not checked. If the value of this property does not match the issuer of the JWT, an error occurs.
-
ClientId – The client ID as configured in the OpenID Connect provider. When you configure the OpenID Connect provider, you are given a client ID and client secret. This property must contain the client ID.
-
ClientSecret – An encrypted version of the client secret as configured in the OpenID Connect provider. When configuring the OpenID Connect provider, you are given a client ID and a client secret.
Note: You are recommended to encrypt the client secret for security purposes; see section 7.3.1, Encrypting the client secret.
-
ClientSecretClear – The non-encrypted version of the client secret.
Note: For evaluation systems, if you do not want to go to the effort of encrypting the client secret, you can leave the ClientSecret value blank, and set the ClientSecretClear value to the client secret instead. This is not recommended on production systems for security reasons.
-
AuthorizationUrl – The URL of the authorization endpoint for the OpenID Connect provider.
For example:
https://login.microsoftonline.com/b785ece2-47dd-4eb6-acee-be595bbce9b3/oauth2/v2.0/authorize
Note: If the OpenID Connect provider has a /.well-known/openid-configuration endpoint that returns JSON, then this may not be required, as the URL can be retrieved from the JSON. The property name in the JSON returned from the OpenID Connect configuration endpoint is:
authorization_endpoint
-
TokenUrl – The URL of the token endpoint for the OpenID Connect provider.
For example:
https://login.microsoftonline.com/b785ece2-47dd-4eb6-acee-be595bbce9b3/oauth2/v2.0/token
Note: If the OpenID Connect provider has a /.well-known/openid-configuration endpoint that returns JSON, then this may not be required, as the URL can be retrieved from the JSON. The property name in the JSON returned from the OpenID Connect configuration endpoint is :
token_endpoint
-
SigningKeysUrl – The URL of the signing keys endpoint for the OpenID Connect provider.
For example:
https://login.microsoftonline.com/b785ece2-47dd-4eb6-acee-be595bbce9b3/discovery/v2.0/keys
Note: If the OpenID Connect provider has a /.well-known/openid-configuration endpoint that returns JSON, then this may not be required, as the URL can be retrieved from the JSON. The property name in the JSON returned from the OpenID Connect configuration endpoint is:
jwks_uri
-
RetrieveUserInfo – Whether to retrieve more information on an authenticated user. If you set this to true, then once the user has authenticated, an additional endpoint call is made to the OpenID Connect provider user info endpoint to retrieve more information about the user. Use this option if the returned claims do not provide sufficient information.
You can set this property to true or false. The default value for this property is false.
-
UserInfoUrl – The URL of the user info endpoint at the OpenID Connect provider.
For example:
https://graph.microsoft.com/oidc/userinfo
Note: If the OpenID Connect provider has a /.well-known/openid-configuration endpoint that returns JSON, then this may not be required, as the URL can be retrieved from the JSON. The property name in the JSON returned from the OpenID Connect configuration endpoint is:
userinfo_endpoint
This is used only if RetrieveUserInfo is set to true.
-
Mappings – An array of mappings that contains the following:
-
Match – A set of key-value pairs on which to match. For each key-value pair, the key must be a type of claim (for example: "iss" or "aud") and the value is the required value for that claim. If there are multiple key-value pairs, then every key-value pair must match a claim, and if there are no key-value pairs, or if the match property is not present, then the match is always successful. If multiple Mappings have every item in their Match property met, then the first successful mapping in the mappings array is used. If no Mappings have successfully matched Match properties, then an error occurs.
-
Attributes – An array of items that define how the user is created, imported, or updated in the MyID database. Each attribute defines what information to get from where. Each attribute can contain the following properties:
-
From – The type of claim from which to obtain the value.
For example: "iss" or "aud".
If you leave this empty, then the Static property is used. If this returns nothing, this either causes an error, or the value in the Default property is used, depending on the value of the Mandatory property.
-
Static – A static value to send to MyID. This is used only if the From property is empty or not present.
-
Mandatory – Whether a response from the claim specified in the From property is necessary. If you set this to true and there is either no claim for the type specified in the From property, or if the value of the claim is empty, then an error occurs.
You can set this property to true or false. The default value for this property is false.
-
Default – The default value to use. If the Mandatory property is set to false and either there is no claim for the type specified in the From property, or if the value of the claim is empty, then the value from this property is used instead.
-
To – The name of the node in the XML sent to MyID. This must match a column name in the vPeopleUserAccounts view in the MyID database.
To add user to a group, you must add an attribute with the To property set to "GroupName", and the From/Static/Default property set to the name of the group.
If the group you are adding the user to is a sub-group, add another attribute with the To property set to "ParentGroupName" and the From/Static/Default property set to the name of the parent group.
To assign roles to a user, you must add an attribute with the To property set to "Roles" and the From/Static/Default property set to XML of the role or roles which you want to add.
For example, you could set the To property to "Roles" and the Static property to:
"<role name='Derived Credential Owner' scope='1'/><role name='Cardholder' scope='1'/>"
This gives the user two roles, “Derived Credential Owner” and “Cardholder”, both with scope “Self”.
The numbers correlate to the scopes as follows:
-
1 – Self
-
2 – Department
-
3 – Division
-
4 – All
For more information on scopes, see the Scope and security section in the Administration Guide.
Note: If the user does not already exist in the database, there must be an attribute with To set to "FullName" and the From/Static/Default property set to the user's full name. If this is not present, the creation of the user fails.
-
-
Unique – Set this to true if the To and From/Static/Default properties lead to a unique value that can be used to identify the person. If you set this to true, then the vPeopleUserAccounts view in the MyID database is searched using the field specified in the To property and the value specified in the From/Static/Default property. If a user is found using these criteria, then that user and only that user is imported. There must be at most one attribute where this property is set to true. This must reference the Unique ID of the user in the external identity provider.
You can set this property to true or false. The default value for this property is false.
You are recommended to use a unique reference (such as a GUID) supplied from the external identity provider; you can store this value in a MyID attribute to create a link between the user in the external identity provider and MyID.
MyID provides the following fields:
-
XuSYSExternalReferenceId1
-
XuSYSExternalReferenceId2
-
XuSYSExternalReferenceId3
that you can use to store the unique ID. If you have up to three external identity providers, you can use a different field for each.
For example:
Copy{
"From": "oid",
"To": "XuSYSExternalReferenceId1",
"Mandatory": true,
"Unique": true,
"Update": true
}, -
-
Update – Whether the user in the database should be updated to contain information from this attribute. If you set this to true, the user in the database (who was found using either an attribute that you have stated as unique or one or more attributes with LookUpExisting set to true) is updated to have the field specified in the To property set to the value specified in the From/Static/Default property.
You can set this property to true or false. The default value for this property is false.
-
LookupExisting – If you set this to true, then, after the attribute with Unique set to true is used to search the database for the user, if no user is returned, then instead vPeopleUserAccounts is searched using the field specified in the To property and the value specified in the From/Static/Default property of this attribute. If the search using the value of the unique attribute returns a single result, then this is not used. A unique attribute should not return more than one result after being searched for in a database.
If multiple attributes have LookupExisting set to true, the user must have all of those properties set to the required values.
You can set this property to true or false. The default value for this property is false.
-
LdapSync – Whether to search the LDAP for this user. If you set this to true, then the linked Active Directories are searched using the field specified in the To property and the value specified in the From/Static/Default property. The value of the To property must be a value in the LDAPLookUp table.
You can set this property to true or false. The default value for this property is false.
Important: If you enable LookupExisting or LdapSync on an attribute, you must be certain that the source of that data from the external identity provider is trustworthy. If you use these features and the source of the mapped attribute used for LookupExisting or LdapSync can be controlled by the end user or another untrusted individual, it can enable the user authenticating with that identity provider to impersonate a user in MyID, either by assigning the external identity provider authentication mechanism to that existing user account or by importing data (such as the DN) from the LDAP that belongs to another person who is looked up by that attribute.
-
-
For a sample myid.production.json file containing configuration for Microsoft Entra, see section 7.4, Sample configuration for Entra.
7.3.1 Encrypting the client secret
To encrypt the client secret, log in to the server with the MyID Web Service account and DPAPI encrypt the secret.
-
On the web server where your SSRP web service is located, log in to the server with the MyID Web Service account.
To confirm which account to use, check the settings for the SSRPPool application pool in IIS. You must log in with the same account used to run the web service, or the web service will be unable to decrypt the client secret.
-
Open a Windows PowerShell command prompt, and navigate to the folder where myid.production.json is located.
-
Run the following PowerShell script:
.\DPAPIEncrypt.ps1 <secret>
where:
-
<secret> is the client secret from when you configured your OpenID Connect provider.
For example:
.\DPAPIEncrypt.ps1 b5989015-bb9e-4533-874b-2b4a6a8280ed
The script outputs an encrypted copy of the secret; for example:
PS C:\Program Files\Intercede\MyID\SSRP\SSRP> .\DPAPIEncrypt.ps1 b5989015-bb9e-4533-874b-2b4a6a8280ed
AQAAANCMnd8BFdERjHoAwE/C [...] JwWwaKXWoS3i+ulxtmjVQyudpQ==
(Encrypted output string truncated for documentation purposes.)
-
-
Copy the encrypted secret, and paste it into the ClientSecret property of the myid.production.json file.