Configure Open ID Connect provider settings for portals

This topic applies to Dynamics 365 portals and later versions.

OpenID Connect external identity providers are services that conform to the Open ID Connect specifications. Integrating a provider involves locating the authority (or issuer) URL associated with the provider. A configuration URL can be determined from the authority which supplies metadata required during the authentication workflow. The provider settings are based on the properties of the OpenIdConnectAuthenticationOptions class.

Examples of authority URLs are:

Each OpenID Connect provider also involves registering an application (similar to that of an OAuth 2.0 provider) and obtaining a Client Id. The authority URL and the generated application Client Id are the settings required to enable external authentication between the portal and the identity provider.

Note

The Google OpenID Connect endpoint is currently not supported because the underlying libraries are still in the early stages of release with compatibility issues to address. The OAuth2 provider settings for portals endpoint can be used instead.

OpenID settings for Azure Active Directory

To get started, sign into the Azure Management Portal and create or select an existing directory. When a directory is available follow the instructions to add an application to the directory.

  1. Under the Applications menu of the directory, select Add.
  2. Choose Add an application my organization is developing.
  3. Specify a custom name for the application and choose the type web application and/or web API.
  4. For the Sign-On URL and the App ID URI, specify the URL of the portal for both fields https://portal.contoso.com/
  5. At this point, a new application is created. Navigate to the Configure section in the menu.

    Under the single sign-on section, update the first Reply URL entry to include a path in the URL: http://portal.contoso.com/signin-azure-ad. This corresponds to the RedirectUri site setting value

  6. Under the properties section, locate the client ID field. This corresponds to the ClientId site setting value.

  7. In the footer menu, select View Endpoints and note the Federation Metadata Document field

The left portion of the URL is the Authority value and is in one of the following formats:

To get the service configuration URL, replace the FederationMetadata/2007-06/FederationMetadata.xml path tail with the path .well-known/openid-configuration. For instance, https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration

This corresponds to the MetadataAddress site setting value.

Create site settings using OpenID

Apply portal site settings referencing the above application.

Note

A standard Azure AD configuration only uses the following settings (with example values):

Multiple identity providers can be configured by substituting a label for the [provider] tag. Each unique label forms a group of settings related to an identity provider. Examples: AzureAD, MyIdP

Site Setting Name Description
Authentication/Registration/ExternalLoginEnabled Enables or disables external account sign-in and registration. Default: true
Authentication/OpenIdConnect/[provider]/Authority Required. The Authority to use when making OpenIdConnect calls. Example: https://login.windows.net/contoso.onmicrosoft.com/. For more information:OpenIdConnectAuthenticationOptions.Authority.
Authentication/OpenIdConnect/[provider]/MetadataAddress The discovery endpoint for obtaining metadata. Commonly ending with the path:/.well-known/openid-configuration . Example: https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration. For more information:OpenIdConnectAuthenticationOptions.MetadataAddress.
Authentication/OpenIdConnect/[provider]/AuthenticationType The OWIN authentication middleware type. Specify the value of the issuer in the service configuration metadata. Example: https://sts.windows.net/contoso.onmicrosoft.com/. For more information: AuthenticationOptions.AuthenticationType.
Authentication/OpenIdConnect/[provider]/ClientId Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". For more information: OpenIdConnectAuthenticationOptions.ClientId.
Authentication/OpenIdConnect/[provider]/ClientSecret The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret". For more information: OpenIdConnectAuthenticationOptions.ClientSecret.
Authentication/OpenIdConnect/[provider]/RedirectUri Recommended. The AD FS WS-Federation passive endpoint. Example: https://portal.contoso.com/signin-saml2. For more information: OpenIdConnectAuthenticationOptions.RedirectUri.
Authentication/OpenIdConnect/[provider]/Caption Recommended. The text that the user can display on a sign in user interface. Default: [provider]. For more information: OpenIdConnectAuthenticationOptions.Caption.
Authentication/OpenIdConnect/[provider]/Resource The 'resource'. For more information: OpenIdConnectAuthenticationOptions.Resource.
Authentication/OpenIdConnect/[provider]/ResponseType The 'response_type'. For more information: OpenIdConnectAuthenticationOptions.ResponseType.
Authentication/OpenIdConnect/[provider]/Scope A space separated list of permissions to request. Default: openid. For more information: OpenIdConnectAuthenticationOptions.Scope .
Authentication/OpenIdConnect/[provider]/CallbackPath An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri. For more information: OpenIdConnectAuthenticationOptions.CallbackPath.
Authentication/OpenIdConnect/[provider]/BackchannelTimeout Timeout value for back channel communications. Example: 00:05:00 (5 mins). For more information: OpenIdConnectAuthenticationOptions.BackchannelTimeout.
Authentication/OpenIdConnect/[provider]/RefreshOnIssuerKeyNotFound Determines whether a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. For more information: OpenIdConnectAuthenticationOptions.RefreshOnIssuerKeyNotFound.
Authentication/OpenIdConnect/[provider]/UseTokenLifetime Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. For more information: OpenIdConnectAuthenticationOptions.UseTokenLifetime.
Authentication/OpenIdConnect/[provider]/AuthenticationMode The OWIN authentication middleware mode. For more information: AuthenticationOptions.AuthenticationMode.
Authentication/OpenIdConnect/[provider]/SignInAsAuthenticationType The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity. For more information: OpenIdConnectAuthenticationOptions.SignInAsAuthenticationType.
Authentication/OpenIdConnect/[provider]/PostLogoutRedirectUri The 'post_logout_redirect_uri'. For more information: OpenIdConnectAuthenticationOptions.PostLogoutRedirectUri.
Authentication/OpenIdConnect/[provider]/ValidAudiences Comma-separated list of audience URLs. For more information: TokenValidationParameters.AllowedAudiences.
Authentication/OpenIdConnect/[provider]/ValidIssuers Comma-separated list of issuer URLs. For more information: TokenValidationParameters.ValidIssuers.
Authentication/OpenIdConnect/[provider]/ClockSkew The clock skew to apply when validating times.
Authentication/OpenIdConnect/[provider]/NameClaimType The claim type used by the ClaimsIdentity to store the name claim.
Authentication/OpenIdConnect/[provider]/RoleClaimType The claim type used by the ClaimsIdentity to store the role claim.
Authentication/OpenIdConnect/[provider]/RequireExpirationTime A value indicating whether tokens must have an 'expiration' value.
Authentication/OpenIdConnect/[provider]/RequireSignedTokens A value indicating whether a System.IdentityModel.Tokens.SecurityToken xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" can be valid if not signed.
Authentication/OpenIdConnect/[provider]/SaveSigninToken A Boolean to control if the original token is saved when a session is created.
Authentication/OpenIdConnect/[provider]/ValidateActor A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated.
Authentication/OpenIdConnect/[provider]/ValidateAudience A Boolean to control if the audience will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateIssuer A Boolean to control if the issuer will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateLifetime A Boolean to control if the lifetime will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateIssuerSigningKey A Boolean that controls if validation of the System.IdentityModel.Tokens.SecurityKey that signed the securityToken xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" is called.

See also

Configure Dynamics 365 portal authentication
Set authentication identity for a portal
OAuth2 provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals