Configure Open ID Connect provider settings for portals
This topic applies to Dynamics 365 portals and later versions.
OpenID Connect external identity providers are services that conform to the OpenID Connect specification. Integrating a provider involves locating the authority (or issuer) URL associated with the provider. From the authority, a configuration URL can be determined; it supplies the metadata (endpoints, issuer and signing keys) required during the authentication workflow. The provider settings are based on the properties of the OpenIdConnectAuthenticationOptions class.
Examples of authority URLs are:
- Google: https://accounts.google.com/ (configuration URL: https://accounts.google.com/.well-known/openid-configuration)
- Azure Active Directory: https://login.windows.net/<Azure AD Application>/
Each OpenID Connect provider also involves registering an application (similar to that of an OAuth 2.0 provider) and obtaining a Client Id. The authority URL and the generated application Client Id are the settings required to enable external authentication between the portal and the identity provider.
The Google OpenID Connect endpoint is currently not supported because the underlying libraries are still in the early stages of release, with compatibility issues to address. Use the Google settings described in OAuth2 provider settings for portals instead.
OpenID settings for Azure Active Directory
- Under the Applications menu of the directory, select Add.
- Choose Add an application my organization is developing.
- Specify a custom name for the application and choose the type web application and/or web API.
- For the Sign-On URL and the App ID URI, specify the URL of the portal in both fields, for example https://portal.contoso.com/
At this point, a new application is created. Navigate to the Configure section in the menu.
- Under the single sign-on section, update the first Reply URL entry to include a path in the URL: https://portal.contoso.com/signin-azure-ad. This corresponds to the RedirectUri site setting value. Use https here: the authorization response is delivered to this URL, and a plain-http reply URL would expose it in transit.
- Under the properties section, locate the client ID field. This corresponds to the ClientId site setting value.
- In the footer menu, select View Endpoints and note the Federation Metadata Document field.
The left portion of the URL is the Authority value and is in one of the following formats:
To get the service configuration URL, replace the FederationMetadata/2007-06/FederationMetadata.xml path tail with the path .well-known/openid-configuration. For instance, https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration
This corresponds to the MetadataAddress site setting value.
Related site settings
Apply portal site settings referencing the above application.
A standard Azure AD configuration only uses the following settings (with example values):
- Authentication/OpenIdConnect/AzureAD/Authority - https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/
- Authentication/OpenIdConnect/AzureAD/ClientId - fedcba98-7654-3210-fedc-ba9876543210
The tenant identifier in the authority URL and the client ID are different GUIDs; retrieve each from its own field in the application registration rather than reusing one for the other.
- Authentication/OpenIdConnect/AzureAD/RedirectUri - https://portal.contoso.com/signin-azure-ad
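The Azure AD procedure and the settings above can be captured in a small script that derives the [provider] site settings from the values collected in the Azure portal and refuses the mistakes that are easy to make along the way: a plain-http reply URL, the tenant ID pasted in as the ClientId, or a discovery document that is not served over https or that advertises unsigned tokens. This is an added example, not code from the portal product or from Microsoft. The sample discovery document is constructed to mimic the shape of an Azure AD one, and the derived ValidIssuers and AuthenticationType values follow the descriptions in the settings table that follows rather than any published default.

```python
import json
from urllib.parse import urlsplit

FEDMETA_TAIL = "FederationMetadata/2007-06/FederationMetadata.xml"
DISCOVERY_TAIL = ".well-known/openid-configuration"

# Constructed discovery document for the example; it mimics the shape of an
# Azure AD document but is not fetched from anywhere.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sts.windows.net/01234567-89ab-cdef-0123-456789abcdef/",
    "authorization_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def authority_from_federation_metadata(url: str) -> str:
    """The Authority is the Federation Metadata Document URL without its path tail."""
    if not url.endswith(FEDMETA_TAIL):
        raise ValueError("not a Federation Metadata Document URL: " + url)
    return url[:-len(FEDMETA_TAIL)]


def metadata_address(authority: str) -> str:
    """MetadataAddress is the Authority with the discovery path appended."""
    return authority.rstrip("/") + "/" + DISCOVERY_TAIL


def check_discovery_document(doc_json: str) -> dict:
    """Parse a discovery document and reject values the portal must not trust."""
    doc = json.loads(doc_json)
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field not in doc:
            raise ValueError("discovery document lacks " + field)
        if urlsplit(doc[field]).scheme != "https":
            raise ValueError(field + " is not https: " + doc[field])
    # A provider that advertises alg "none" could hand the portal unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider advertises unsigned ID tokens")
    return doc


def derive_site_settings(provider, federation_metadata_url, client_id, redirect_uri, discovery_json):
    """Return the site settings for one [provider] group, checking each input first."""
    authority = authority_from_federation_metadata(federation_metadata_url)
    doc = check_discovery_document(discovery_json)
    reply = urlsplit(redirect_uri)
    if reply.scheme != "https" or not reply.path:
        raise ValueError("RedirectUri must be an https URL with a path: " + redirect_uri)
    # The last path segment of the Authority is the tenant; it is not the ClientId.
    tenant = authority.rstrip("/").rsplit("/", 1)[-1]
    if tenant.lower() == client_id.lower():
        raise ValueError("ClientId is the application ID, not the tenant taken from the Authority")
    prefix = "Authentication/OpenIdConnect/" + provider + "/"
    return {
        prefix + "Authority": authority,
        prefix + "MetadataAddress": metadata_address(authority),
        prefix + "ClientId": client_id,
        prefix + "RedirectUri": redirect_uri,
        prefix + "CallbackPath": reply.path,       # what the middleware derives from RedirectUri
        prefix + "AuthenticationType": doc["issuer"],  # issuer from the metadata, per the table
        prefix + "ValidIssuers": doc["issuer"],
    }


if __name__ == "__main__":
    settings = derive_site_settings(
        "AzureAD",
        "https://login.microsoftonline.com/01234567-89ab-cdef-0123-456789abcdef/FederationMetadata/2007-06/FederationMetadata.xml",
        "fedcba98-7654-3210-fedc-ba9876543210",
        "https://portal.contoso.com/signin-azure-ad",
        SAMPLE_DISCOVERY,
    )
    for name, value in settings.items():
        print(name, "=", value)
```

Run it as a pre-flight check before entering the values as site settings; the same functions can be pointed at the real discovery document once it has been downloaded from the MetadataAddress.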
Multiple identity providers can be configured by substituting a label for the [provider] tag. Each unique label forms a group of settings related to an identity provider. Examples: AzureAD, MyIdP
| Site Setting Name | Description |
|---|---|
| Authentication/Registration/ExternalLoginEnabled | Enables or disables external account sign-in and registration. Default: true |
| Authentication/OpenIdConnect/[provider]/Authority | Required. The Authority to use when making OpenIdConnect calls. Example: |
| Authentication/OpenIdConnect/[provider]/MetadataAddress | The discovery endpoint for obtaining metadata. Commonly ending with the path /.well-known/openid-configuration. Example: |
| Authentication/OpenIdConnect/[provider]/AuthenticationType | The OWIN authentication middleware type. Specify the value of the issuer in the service configuration metadata. Example: |
| Authentication/OpenIdConnect/[provider]/ClientId | Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". For more information: OpenIdConnectAuthenticationOptions.ClientId. |
| Authentication/OpenIdConnect/[provider]/ClientSecret | The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret". For more information: OpenIdConnectAuthenticationOptions.ClientSecret. |
| Authentication/OpenIdConnect/[provider]/RedirectUri | Recommended. The reply URL where the provider sends the authentication response. Example: https://portal.contoso.com/signin-azure-ad. For more information: OpenIdConnectAuthenticationOptions.RedirectUri. |
| Authentication/OpenIdConnect/[provider]/Caption | Recommended. The text displayed to the user on the sign-in user interface. Default: [provider]. For more information: OpenIdConnectAuthenticationOptions.Caption. |
| Authentication/OpenIdConnect/[provider]/Resource | The 'resource'. For more information: OpenIdConnectAuthenticationOptions.Resource. |
| Authentication/OpenIdConnect/[provider]/ResponseType | The 'response_type'. For more information: OpenIdConnectAuthenticationOptions.ResponseType. |
| Authentication/OpenIdConnect/[provider]/Scope | A space-separated list of permissions to request. Default: openid. For more information: OpenIdConnectAuthenticationOptions.Scope. |
| Authentication/OpenIdConnect/[provider]/CallbackPath | An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri. For more information: OpenIdConnectAuthenticationOptions.CallbackPath. |
| Authentication/OpenIdConnect/[provider]/BackchannelTimeout | Timeout value for back-channel communications. Example: 00:05:00 (5 mins). For more information: OpenIdConnectAuthenticationOptions.BackchannelTimeout. |
| Authentication/OpenIdConnect/[provider]/RefreshOnIssuerKeyNotFound | Determines whether a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. For more information: OpenIdConnectAuthenticationOptions.RefreshOnIssuerKeyNotFound. |
| Authentication/OpenIdConnect/[provider]/UseTokenLifetime | Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. For more information: OpenIdConnectAuthenticationOptions.UseTokenLifetime. |
| Authentication/OpenIdConnect/[provider]/AuthenticationMode | The OWIN authentication middleware mode. For more information: AuthenticationOptions.AuthenticationMode. |
| Authentication/OpenIdConnect/[provider]/SignInAsAuthenticationType | The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity. For more information: OpenIdConnectAuthenticationOptions.SignInAsAuthenticationType. |
| Authentication/OpenIdConnect/[provider]/PostLogoutRedirectUri | The 'post_logout_redirect_uri'. For more information: OpenIdConnectAuthenticationOptions.PostLogoutRedirectUri. |
| Authentication/OpenIdConnect/[provider]/ValidAudiences | Comma-separated list of audience URLs. For more information: TokenValidationParameters.AllowedAudiences. |
| Authentication/OpenIdConnect/[provider]/ValidIssuers | Comma-separated list of issuer URLs. For more information: TokenValidationParameters.ValidIssuers. |
| Authentication/OpenIdConnect/[provider]/ClockSkew | The clock skew to apply when validating times. |
| Authentication/OpenIdConnect/[provider]/NameClaimType | The claim type used by the ClaimsIdentity to store the name claim. |
| Authentication/OpenIdConnect/[provider]/RoleClaimType | The claim type used by the ClaimsIdentity to store the role claim. |
| Authentication/OpenIdConnect/[provider]/RequireExpirationTime | A value indicating whether tokens must have an 'expiration' value. |
| Authentication/OpenIdConnect/[provider]/RequireSignedTokens | A value indicating whether a System.IdentityModel.Tokens.SecurityToken can be valid if not signed. |
| Authentication/OpenIdConnect/[provider]/SaveSigninToken | A Boolean to control if the original token is saved when a session is created. |
| Authentication/OpenIdConnect/[provider]/ValidateActor | A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated. |
| Authentication/OpenIdConnect/[provider]/ValidateAudience | A Boolean to control if the audience will be validated during token validation. |
| Authentication/OpenIdConnect/[provider]/ValidateIssuer | A Boolean to control if the issuer will be validated during token validation. |
| Authentication/OpenIdConnect/[provider]/ValidateLifetime | A Boolean to control if the lifetime will be validated during token validation. |
| Authentication/OpenIdConnect/[provider]/ValidateIssuerSigningKey | A Boolean that controls whether validation of the System.IdentityModel.Tokens.SecurityKey that signed the securityToken is called. |
Enable authentication using a multi-tenant Azure Active Directory application
You can configure your portal to accept Azure Active Directory users from any tenant in Azure, and not just a specific tenant, by using a multi-tenant application registered in Azure Active Directory. To enable multi-tenancy, set the Multi-tenanted switch to Yes in the Azure Active Directory application. Because users from any tenant can then authenticate, a successful sign-in is not by itself evidence that the user belongs to your organization; restrict what those accounts can do in the portal, and keep the IssuerFilter setting in place so that only Azure Active Directory issuers are accepted.
Related site settings
Multiple identity providers can be configured by substituting a label for the [provider] tag. Each unique label forms a group of settings related to an identity provider. You can create or configure the following site settings in portals to support authentication against Azure Active Directory using a multi-tenanted application:
| Site Setting Name | Description |
|---|---|
| Authentication/OpenIdConnect/[provider]/Authority | The Authority to use when making OpenIdConnect calls. For example: |
| Authentication/OpenIdConnect/[provider]/ClientId | The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". |
| Authentication/OpenIdConnect/[provider]/ExternalLogoutEnabled | Enables or disables external account sign-out and registration. Set this value as True. |
| Authentication/OpenIdConnect/[provider]/IssuerFilter | A wildcard-based filter that matches on all issuers across all tenants. In most cases, use the value: |
| Authentication/OpenIdConnect/[provider]/RedirectUri | The reply URL location where the provider sends the authentication response. For example: |
| Authentication/OpenIdConnect/[provider]/ValidateIssuer | A Boolean to control if the issuer will be validated during token validation. Set this value as False. With issuer validation disabled, IssuerFilter is the only check on the token's issuer, so it must be set. |
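With ValidateIssuer set to False, the IssuerFilter is the only thing standing between the portal and a token minted by an issuer outside Azure Active Directory, so it is worth seeing the single-tenant and multi-tenant issuer modes side by side, together with the audience and lifetime checks from the settings table. The following is an added example, not portal code and not Microsoft's: the site-setting values, the wildcard pattern used for IssuerFilter and the ID-token claim sets are all assumed or constructed for the illustration, and the function checks claims only, on the assumption that the token's signature has already been verified against the provider's keys.

```python
import re

# Assumed site-setting values for a multi-tenant provider group. The IssuerFilter
# pattern is an illustration chosen for this example, not a value from the page.
MULTI_TENANT_SETTINGS = {
    "ClientId": "fedcba98-7654-3210-fedc-ba9876543210",
    "ValidateIssuer": False,
    "IssuerFilter": "https://sts.windows.net/*/",
    "ClockSkew": 300,  # seconds, for this example
}

# Constructed ID-token claim sets (no signature; see the validate_claims docstring).
NOW = 1_600_000_000
CLAIMS_OTHER_TENANT = {
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "aud": "fedcba98-7654-3210-fedc-ba9876543210",
    "exp": NOW + 3600,
    "nbf": NOW - 60,
    "sub": "user-from-another-tenant",
}
CLAIMS_FOREIGN_ISSUER = dict(CLAIMS_OTHER_TENANT, iss="https://sts.windows.net.attacker.example/x/")


def issuer_filter_regex(pattern: str):
    """Compile a wildcard IssuerFilter so that '*' matches exactly one path segment;
    the host and the literal parts of the path stay pinned."""
    parts = re.split(r"(\*)", pattern)
    body = "".join("[^/]+" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def issuer_accepted(issuer: str, settings: dict) -> bool:
    """ValidateIssuer=True: exact match against ValidIssuers. ValidateIssuer=False:
    the IssuerFilter is the only issuer check left, so an empty filter is treated
    as a refusal rather than as 'accept anything'."""
    if settings.get("ValidateIssuer", True):
        valid = [v.strip() for v in settings.get("ValidIssuers", "").split(",") if v.strip()]
        return issuer in valid
    pattern = settings.get("IssuerFilter", "")
    if not pattern:
        return False
    return issuer_filter_regex(pattern).match(issuer) is not None


def validate_claims(claims: dict, settings: dict, now: int) -> list:
    """Return the list of failed checks for an ID token's claims (empty = pass).
    Signature verification against the provider's jwks_uri is assumed to have
    happened already; this mirrors only the claim checks the settings control."""
    failures = []
    skew = int(settings.get("ClockSkew", 300))
    if settings.get("RequireExpirationTime", True) and "exp" not in claims:
        failures.append("exp missing")
    if settings.get("ValidateLifetime", True):
        if "exp" in claims and now > int(claims["exp"]) + skew:
            failures.append("token expired")
        if "nbf" in claims and now < int(claims["nbf"]) - skew:
            failures.append("token not yet valid")
    if settings.get("ValidateAudience", True):
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if settings["ClientId"] not in audiences:
            failures.append("audience mismatch")
    if not issuer_accepted(str(claims.get("iss", "")), settings):
        failures.append("issuer rejected")
    return failures


if __name__ == "__main__":
    print("other tenant  :", validate_claims(CLAIMS_OTHER_TENANT, MULTI_TENANT_SETTINGS, NOW))
    print("foreign issuer:", validate_claims(CLAIMS_FOREIGN_ISSUER, MULTI_TENANT_SETTINGS, NOW))
```

The wildcard is deliberately limited to one path segment: a pattern anchored at both ends with the host spelled out literally cannot be satisfied by a look-alike host such as sts.windows.net.attacker.example, and a filter that is missing altogether rejects the token instead of silently widening the trust to every issuer on the internet.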
Configure Dynamics 365 portal authentication
Set authentication identity for a portal
OAuth2 provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals