Generic OIDC
This option can be used to configure any provider that offers the OpenID / OIDC protocol to integrate with Therefore™. Configuration varies by provider.
Configuration in the external provider's portal
A custom client has to be defined in the external directory.
For native applications, the recommended authorization flow is authorization code with PKCE.
Redirect URIs
For the configuration of the custom client, redirect URIs for Therefore™ applications are necessary. They can be found here:
Configuration in Therefore™
To configure Generic OIDC with an external login provider, select the option 'Generic OIDC' under 'External User Directories'. Enter the domain into the field labeled Domain / Directory name.
Click the button labeled 'Auto-Detect'. A dialog labeled 'OIDC Discovery Endpoint' opens. Enter the OIDC discovery URL and click OK. The other settings in the dialog are auto-populated based on the input, except for the Therefore™ Client ID that has to be entered manually.
Enter the following values into the respective fields in the dialog of the Therefore™ Solution Designer:
| Provider Label | Therefore™ Setting | Description |
|---|---|---|
| Depends on the provider | OIDC Discovery Endpoint | Enter the OIDC discovery URL to auto-populate the other settings. In case of a configuration using Google, the URL follows the pattern specified below: |
| Depends on the provider | Therefore™ Client ID | The ID of the custom client configured in the external directory |
Users
For generic OIDC it is always required to manually create the SAML/OIDC users before configuring the authentication.
Enable PKCE
If PKCE is used, the checkbox labeled 'Enable PKCE' must be checked.
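Before entering a discovery URL in the 'OIDC Discovery Endpoint' dialog and checking 'Enable PKCE', it can help to confirm that the provider's discovery document advertises the authorization code flow and the S256 PKCE method. The following is an added example, not code from Therefore™ or any provider: the discovery document and the `idp.example.com` host are constructed, the helper names are hypothetical, and the field names are those defined by OpenID Connect Discovery and RFC 8414. It also shows how a PKCE code challenge is derived from a code verifier (RFC 7636).

```python
import base64
import hashlib
import secrets

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document (not taken from any real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """32 random bytes give a 43-character code_verifier (allowed: 43-128)."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def check_discovery(doc: dict, discovery_url: str) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    if not (discovery_url.startswith("https://") and discovery_url.endswith(WELL_KNOWN)):
        problems.append("discovery URL must be https and end in " + WELL_KNOWN)
    # The issuer in the document must match the URL the document was fetched from.
    elif doc.get("issuer", "").rstrip("/") != discovery_url[:-len(WELL_KNOWN)]:
        problems.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(key + " missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    return problems

if __name__ == "__main__":
    url = "https://idp.example.com" + WELL_KNOWN
    print(check_discovery(SAMPLE_DISCOVERY, url) or "discovery document OK")
    verifier = new_verifier()
    print("code_verifier:", verifier, "code_challenge:", s256_challenge(verifier))
```

Some providers support PKCE without listing `code_challenge_methods_supported`, so a missing entry means "not advertised" and should be confirmed against the provider's documentation.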