NiCE CXone Mpower Expert
Expert Success Center

Global Redirector Configuration Guide

Configure a service provider for OpenID Connect (OIDC) integration, which allows NiCE KM sites to authenticate users through external identity providers.

We recommend the Global Redirector Configuration Guide only if you have multiple NiCE KM sites and want to set up a single app in your identity provider via OIDC.

Prerequisites

Step 1: Collect information from your identity provider

To configure a basic OpenID Connect integration, you will need the following information from your IdP (the same information as in the standard OIDC guide):

Required information:

  • Client ID: The unique identifier for the site as a relying party.
  • Client Secret: The secret passcode to establish trust between the IdP and the site (this secret should not be shared over any public channel).
  • IdP Authorize Endpoint URL: The endpoint that will receive the site's authorization code request.
  • IdP Issuer: The unique identifier for the identity provider.
  • IdP Token Endpoint URL: The endpoint that will receive the site's identity token request.

Recommended information:

  • IdP JSON Web Key Set (JWKS) Endpoint URL: The endpoint that will provide the site with public keys to verify a signed identity token.
  • IdP Logout Endpoint URL: The endpoint that will receive the site's sign out request.
  • IdP UserInfo Endpoint URL: The endpoint that will provide the site with verbose user identity data, if not present in the identity token.
  • Scopes: The site will use identity token claims to enrich an authenticating user's profile on the site.

Optional information:

  • Additional (Custom) claims: Any custom identity token claims to save with the user's profile on the site.
  • IdP Token Endpoint URL Authentication Method: The authentication method the relying party will use to connect to the token endpoint URL.

Step 2: Configure service provider in NiCE KM

Navigate to your site's administrative interface and create a new service provider configuration:

Example
<service>
  <sid>sid://mindtouch/2019/03/sso/oidc</sid>
  <type>auth</type>
  <description>Foo Idp</description>
  <init>native</init>
  <name>foo</name>
  <config>
    <value key="rp-client-id">your-client-id</value>
    <value key="rp-client-secret">your-client-secret</value>
    <value key="rp-custom-redirect-uri">https://auth.mindtouch.us/callback</value>
    <value key="service-name">foo</value>
    <value key="idp-issuer">https://mycompany.foo.com</value>
    <value key="idp-authorize-url">https://mycompany.foo.com/oauth2/default/v1/authorize</value>
    <value key="idp-token-url">https://mycompany.foo.com/oauth2/default/v1/token</value>
    <value key="idp-token-url-auth">client_secret_post</value>
    <value key="idp-keys-url">https://mycompany.foo.com/oauth2/default/v1/keys</value>
    <value key="scopes">openid profile email</value>
  </config>
</service>

Step 3: Configure redirect URIs in your IdP

In your IdP's administration console, add the following redirect URI:

https://auth.mindtouch.us/callback

Step 4: Enable group synchronization (optional)

If you want to synchronize user groups from your IdP to NiCE KM:

  1. Create groups in NiCE KM before enabling group synchronization
  2. Familiarize yourself with the behavior of group synchronization
  3. Provide the group claim name as it will appear in the identity token, or in the verbose user identity data (UserInfo response), received by the relying party.

Step 5: Test your configuration

  1. Test authentication by accessing a protected page on your NiCE KM site
  2. Verify you are redirected to your IdP for authentication
  3. Confirm successful login and user creation in NiCE KM
  4. Check that user attributes and group memberships are correctly synchronized
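As an added example (not NiCE KM's own code), the following Python script checks a copy of the Step 2 service configuration against the Step 1 requirements and the Step 3 redirect URI, builds the authorization code request, and applies the claim checks a relying party must make on the identity token after verifying its signature with the JWKS keys. The client ID, secret and issuer values are the placeholders from the page; the token claims are constructed sample data.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed copy of the <service> configuration shown in Step 2 (placeholder values).
SERVICE_XML = """<service>
  <name>foo</name>
  <config>
    <value key="rp-client-id">your-client-id</value>
    <value key="rp-client-secret">your-client-secret</value>
    <value key="rp-custom-redirect-uri">https://auth.mindtouch.us/callback</value>
    <value key="idp-issuer">https://mycompany.foo.com</value>
    <value key="idp-authorize-url">https://mycompany.foo.com/oauth2/default/v1/authorize</value>
    <value key="idp-token-url">https://mycompany.foo.com/oauth2/default/v1/token</value>
    <value key="idp-keys-url">https://mycompany.foo.com/oauth2/default/v1/keys</value>
    <value key="scopes">openid profile email</value>
  </config>
</service>"""

REQUIRED = ("rp-client-id", "rp-client-secret", "idp-issuer", "idp-authorize-url", "idp-token-url")
GLOBAL_REDIRECTOR = "https://auth.mindtouch.us/callback"  # redirect URI registered in Step 3

def load_config(xml_text):
    """Parse the <value key=...> entries and enforce the Step 1 required keys."""
    cfg = {v.get("key"): v.text for v in ET.fromstring(xml_text).iter("value")}
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        raise ValueError("missing required config: " + ", ".join(missing))
    if cfg.get("rp-custom-redirect-uri") != GLOBAL_REDIRECTOR:
        raise ValueError("redirect URI must be the global redirector callback")
    return cfg

def build_authorize_url(cfg, state, nonce):
    """Authorization code request the site sends the browser to; state/nonce are per-login secrets."""
    params = {"response_type": "code", "client_id": cfg["rp-client-id"],
              "redirect_uri": cfg["rp-custom-redirect-uri"],
              "scope": cfg["scopes"], "state": state, "nonce": nonce}
    return cfg["idp-authorize-url"] + "?" + urlencode(params)

def check_id_token_claims(cfg, claims, nonce, now=None):
    """Claim checks after signature verification: issuer, audience, nonce and expiry must match."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == cfg["idp-issuer"]
            and cfg["rp-client-id"] in aud
            and claims.get("nonce") == nonce
            and claims.get("exp", 0) > now)
```

A token whose issuer, audience or nonce does not match the configured values, or which has expired, is rejected even if its signature verifies.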

Troubleshooting

Invalid redirect URI: Ensure the redirect URI in your IdP matches what NiCE KM expects.
