OpenID Connect Protocol
OpenID Connect (OIDC) is an authentication protocol based on OAuth 2.0. The protocol allows applications to verify user identity and obtain user information from an Identity Provider.
During the first OIDC authentication, the PAM user's email address is compared with the email in the Identity Provider. If the addresses match, the user signs in to the Axidian Privilege console. A unique identifier is saved for each user and is used during subsequent authentication to match the PAM user with the Identity Provider account.
To add sign-in to the Axidian Privilege console via an Identity Provider:
- Specify email addresses for users in Axidian Privilege. Make sure that the email addresses in PAM and the Identity Provider match.
- Configure the settings for sign-in via the Identity Provider.
Proxy components do not support OpenID Connect authentication.
To access resources, enable the Session opening without re-authentication and/or SSH Key Authentication options.
Configuration
To add authentication via an external Identity Provider:
- In the administrator console, go to the Configuration → User Authentication section.
- Enable the Enable authentication via OIDC Identity Provider option.
- In the Login button name field, enter the name of the authentication button for the Identity Provider. The button is displayed on the sign-in page of the Axidian Privilege console.
- In the Redirect URI field, specify the DNS name of the Axidian Privilege server. Example: pam.my-company.local.
- Copy the Redirect URI value and specify it when registering PAM in the Identity Provider settings. The Identity Provider redirects the user to the specified address after authentication.
- In the OIDC Provider URL field, specify the OIDC server address from the Identity Provider settings. Example: https://idp.company.ru.
- Select the OIDC authentication flow:
- Authorization Code Flow — the user is redirected to the authorization server and receives a code that is exchanged for an access token.
- Authorization Code Flow + PKCE (default) — the recommended flow that uses the Proof Key for Code Exchange (PKCE) extension. An additional secret is generated for each authorization request and is verified when exchanging the code for an access token.
- Implicit Flow — the authorization server returns the access token in the URL after user authentication. This flow is not recommended due to the risk of token interception.
- In the Client ID field, specify the client identifier created when registering PAM in the Identity Provider.
- Next to the Client Secret field, click the icon and enter the client secret issued when registering PAM in the Identity Provider. This field is required if the Authorization Code Flow is selected.
- (Optional) Expand the optional settings and fill in the fields:
- Claim — OIDC attribute that PAM uses to retrieve the user's email to match the user account. The default value is email.
- Scope — the name of the OIDC scope used in the request to the OIDC provider to retrieve the claim containing the user's email. The default value is email.
- Click Save.
After configuring the settings, authentication via an external Identity Provider is available on the sign-in page of the Axidian Privilege console.
Console login
Authentication via an external Identity Provider is an additional sign-in method.
Sign-in with login and password remains available.
- Open the user console or the administrator console.
- Proceed to authentication via the external Identity Provider.
If the sign-in attempt fails, contact the PAM administrator.
Updating user data
If a user's email address or identifier (sub) has changed in the Identity Provider, update the PAM user data:
- In the administrator console, go to the User section and open the user profile.
- Next to the Email field, click the icon and enter the new email address. If the user is from a directory service, change the email address in the directory.
- Click Save.
- Go to the Authenticators tab.
- Next to the Subject Identifier (sub) field, click the delete icon.
- In the confirmation dialog, click Delete.
Upon the next OIDC authentication, the new identifier value is automatically saved in PAM.
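The account-linking behaviour described above (first login matched by the configured email claim, later logins matched by the saved sub, and the administrator reset that forces re-linking by email) as an added illustration in Python; this is not Axidian Privilege code. It assumes the ID token has already been validated (signature, issuer, audience, expiry) and works on constructed user records; the case-insensitive email comparison is an assumption, not something the page states.

```python
"""Illustration of OIDC account linking for a PAM user store (added example,
not the product's own code). Claims are assumed to come from an already
validated ID token; the user records below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PamUser:
    login: str
    email: str
    oidc_sub: Optional[str] = None  # saved after the first successful OIDC sign-in


class LinkError(Exception):
    """Raised when the claims cannot be tied to exactly one PAM user."""


def match_oidc_user(users: list[PamUser], claims: dict, claim_name: str = "email") -> PamUser:
    """Return the PAM user that the validated ID-token claims belong to.

    A user already linked to this 'sub' wins outright; the email claim is not
    consulted again. Otherwise this is a first sign-in: the configured claim
    (default 'email') must equal exactly one PAM user's email, that user must
    not be linked to another 'sub', and the 'sub' is then saved.
    """
    sub = claims.get("sub")
    if not sub:
        raise LinkError("ID token has no 'sub' claim")
    linked = [u for u in users if u.oidc_sub == sub]
    if linked:
        return linked[0]
    email = claims.get(claim_name)
    if not email:
        raise LinkError(f"ID token has no '{claim_name}' claim; check the Scope/Claim settings")
    # Assumption: email addresses are compared case-insensitively.
    candidates = [u for u in users if u.email.lower() == email.lower()]
    if len(candidates) != 1:
        raise LinkError("email does not match exactly one PAM user")
    user = candidates[0]
    if user.oidc_sub is not None:
        # Same email, different sub (e.g. the IdP account was re-created):
        # an administrator must clear the stored sub before this user can sign in.
        raise LinkError("user is already linked to another subject identifier")
    user.oidc_sub = sub
    return user


def reset_subject_identifier(user: PamUser) -> None:
    """Administrator step from 'Updating user data': forget the stored sub so
    the next OIDC sign-in re-links the account by email."""
    user.oidc_sub = None
```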