Product: TIBCO Spotfire®
How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration
When OpenID Connect authentication is enabled, you can look up the available claims using the methods described below. This setting is important because the username claim determines which value Spotfire Server uses as the username when looking up the user in the authentication source, for example when LDAP is the user directory. By default, Spotfire uses the value of the sub claim as the username when authenticating with OpenID Connect. It is possible to configure another claim to be used instead, but this currently only works if that claim is present in the UserInfo Endpoint response. Below are a few possible ways to find the claims supported in the ID token and the UserInfo Endpoint:
1. The supported claims are listed in the identity provider's discovery document, which you can inspect directly to verify them. The discovery document URL looks something like "https://IDPservername/.well-known/openid-configuration", and the response looks like the example below (the relevant entry is the claims_supported array):
{
  "issuer": "https://oktapreview.com",
  "authorization_endpoint": "https://oktapreview.com/oauth2/v1/authorize",
  "token_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/token",
  "userinfo_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/clients",
  "jwks_uri": "https://dev-464575.oktapreview.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token", "code token", "id_token token", "code id_token token"],
  "response_modes_supported": ["query", "fragment", "form_post", "okta_post_message"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile", "address", "phone", "offline_access", "groups"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "claims_supported": ["iss", "ver", "sub", "aud", "iat", "exp", "jti", "auth_time", "amr", "idp", "nonce", "name", "nickname", "preferred_username", "given_name", "middle_name", "family_name", "email", "email_verified", "profile", "zoneinfo", "locale", "address", "phone_number", "picture", "website", "gender", "birthdate", "updated_at", "at_hash", "c_hash"],
  "code_challenge_methods_supported": ["S256"],
  "introspection_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "revocation_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "end_session_endpoint": "https://dev-464575.oktapreview.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]
}
2. You may enable TRACE logging, perform an OIDC authentication, and look for entries like the ones below in the server logs. Pick a claim that the provider returns from the UserInfo Endpoint and configure that claim as the username claim.
Claims available in the ID Token response: <list of claims>
Claims available in the UserInfo Endpoint response: <list of claims>
TRACE 2017-05-31T06:40:06,236+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the ID Token response: [at_hash, sub, ver, amr, iss, preferred_username, nonce, aud, idp, auth_time, name, exp, iat, email, jti]
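As an added example (not part of the original article and not Spotfire's own code), the following Python script puts both methods together: it reads a discovery document and collects the claims_supported array, parses the "Claims available in the ..." TRACE lines that auth.oidc.OidcAuthenticator writes, and reports for a candidate username claim whether it is advertised by the provider, whether it appears in the ID token, and whether it appears in the UserInfo Endpoint response, which is the condition the article gives for a non-default username claim to work. The discovery document and log lines embedded in the script are constructed samples modelled on the article's; the function names are assumptions of this example.

```python
import json
import re

# Constructed, abbreviated discovery document (not a real provider's response).
DISCOVERY_DOC = """{
  "issuer": "https://idp.example.com",
  "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
  "claims_supported": ["iss", "sub", "aud", "iat", "exp",
                       "preferred_username", "name", "email", "email_verified"]
}"""

# Constructed TRACE lines, modelled on the OidcAuthenticator entries the article shows.
TRACE_LOG = """\
TRACE 2017-05-31T06:40:06,236+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the ID Token response: [at_hash, sub, ver, amr, iss, preferred_username, nonce, aud, idp, auth_time, name, exp, iat, email, jti]
TRACE 2017-05-31T06:40:06,301+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: Claims available in the UserInfo Endpoint response: [sub, name, preferred_username, email, email_verified]
DEBUG 2017-05-31T06:40:06,310+0200 [unknown, #8, #116] auth.oidc.OidcAuthenticator: unrelated entry that must be ignored
"""

# Matches the two log entry shapes the article describes and captures the claim list.
CLAIMS_RE = re.compile(
    r"Claims available in the (ID Token|UserInfo Endpoint) response: \[([^\]]*)\]"
)


def discovery_claims(doc_text):
    """Return the set of claims a discovery document advertises in claims_supported."""
    doc = json.loads(doc_text)
    return set(doc.get("claims_supported", []))


def trace_claims(log_text):
    """Extract the claim lists logged at TRACE level.

    Returns a dict with the keys 'ID Token' and 'UserInfo Endpoint', each mapping
    to the set of claim names seen in the corresponding log entries.
    """
    found = {"ID Token": set(), "UserInfo Endpoint": set()}
    for line in log_text.splitlines():
        match = CLAIMS_RE.search(line)
        if not match:
            continue  # lines that are not claim lists are skipped
        source, claim_list = match.group(1), match.group(2)
        found[source].update(c.strip() for c in claim_list.split(",") if c.strip())
    return found


def check_username_claim(claim, doc_text, log_text):
    """Report whether `claim` can serve as the Spotfire username claim.

    The article's rule: a non-default username claim only works when it is present
    in the UserInfo Endpoint response, so 'usable' is tied to that set alone.
    """
    advertised = discovery_claims(doc_text)
    observed = trace_claims(log_text)
    return {
        "advertised": claim in advertised,
        "in_id_token": claim in observed["ID Token"],
        "in_userinfo": claim in observed["UserInfo Endpoint"],
        "usable": claim in observed["UserInfo Endpoint"],
    }


if __name__ == "__main__":
    # 'idp' is in the ID token but not in the UserInfo response, so it is not usable.
    for candidate in ("preferred_username", "email", "idp"):
        print(candidate, check_username_claim(candidate, DISCOVERY_DOC, TRACE_LOG))
```

To use it against a real environment, replace DISCOVERY_DOC with the body fetched from your provider's .well-known/openid-configuration URL and TRACE_LOG with the relevant lines from the Spotfire Server log; a claim that is advertised and present in the ID token but missing from the UserInfo Endpoint response will show up as not usable, which is exactly the case the article warns about.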
External: OpenID Connect Specification
Doc: Configuring OpenID Connect