Configure Open ID Connect provider settings for portals

This topic applies to Dynamics 365 portals and later versions.

OpenID Connect external identity providers are services that conform to the Open ID Connect specifications. Integrating a provider involves locating the authority (or issuer) URL associated with the provider. A configuration URL can be determined from the authority which supplies metadata required during the authentication workflow. The provider settings are based on the properties of the OpenIdConnectAuthenticationOptions class.

Examples of authority URLs are:

Each OpenID Connect provider also involves registering an application (similar to that of an OAuth 2.0 provider) and obtaining a Client Id. The authority URL and the generated application Client Id are the settings required to enable external authentication between the portal and the identity provider.


The Google OpenID Connect endpoint is currently not supported because the underlying libraries are still in the early stages of release with compatibility issues to address. The OAuth2 provider settings for portals endpoint can be used instead.

OpenID settings for Azure Active Directory

To get started, sign into the Azure Management Portal and create or select an existing directory. When a directory is available follow the instructions to add an application to the directory.

  1. Under the Applications menu of the directory, click the Add button.
  2. Choose Add an application my organization is developing.
  3. Specify a custom name for the application and choose the type web application and/or web API.
  4. For the Sign-On URL and the App ID URI, specify the URL of the portal for both fields
  5. At this point, a new application is created. Navigate to the Configure section in the menu.

    Under the single sign-on section, update the first Reply URL entry to include a path in the URL: This corresponds to the RedirectUri site setting value

  6. Under the properties section, locate the client ID field. This corresponds to the ClientId site setting value.

  7. In the footer menu click the View Endpoints button and note the Federation Metadata Document field

The left portion of the URL is the Authority value and is in one of the following formats:

To get the service configuration URL, replace the FederationMetadata/2007-06/FederationMetadata.xml path tail with the path .well-known/openid-configuration. For instance,

This corresponds to the MetadataAddress site setting value.

Create site settings using OpenID

Apply portal site settings referencing the above application.


A standard Azure AD configuration only uses the following settings (with example values):

Multiple identity providers can be configured by substituting a label for the [provider] tag. Each unique label forms a group of settings related to an identity provider. Examples: AzureAD, MyIdP

Site Setting Name Description
Authentication/Registration/ExternalLoginEnabled Enables or disables external account sign-in and registration. Default: true
Authentication/OpenIdConnect/[provider]/Authority Required. The Authority to use when making OpenIdConnect calls. Example: MSDN.
Authentication/OpenIdConnect/[provider]/MetadataAddress The discovery endpoint for obtaining metadata. Commonly ending with the path:/.well-known/openid-configuration . Example: MSDN.
Authentication/OpenIdConnect/[provider]/AuthenticationType The OWIN authentication middleware type. Specify the value of the issuer in the service configuration metadata. Example: MSDN.
Authentication/OpenIdConnect/[provider]/ClientId Required. The client ID value from the provider application. It may also be referred to as an "App ID" or "Consumer Key". MSDN.
Authentication/OpenIdConnect/[provider]/ClientSecret The client secret value from the provider application. It may also be referred to as an "App Secret" or "Consumer Secret". MSDN.
Authentication/OpenIdConnect/[provider]/RedirectUri Recommended. The AD FS WS-Federation passive endpoint. Example: MSDN.
Authentication/OpenIdConnect/[provider]/Caption Recommended. The text that the user can display on a sign in user interface. Default: [provider]. MSDN.
Authentication/OpenIdConnect/[provider]/Resource The 'resource'. MSDN.
Authentication/OpenIdConnect/[provider]/ResponseType The 'response_type'. MSDN.
Authentication/OpenIdConnect/[provider]/Scope A space separated list of permissions to request. Default: openid. MSDN.
Authentication/OpenIdConnect/[provider]/CallbackPath An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri. MSDN.
Authentication/OpenIdConnect/[provider]/BackchannelTimeout Timeout value for back channel communications. Example: 00:05:00 (5 mins). MSDN.
Authentication/OpenIdConnect/[provider]/RefreshOnIssuerKeyNotFound Determines whether a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. MSDN.
Authentication/OpenIdConnect/[provider]/UseTokenLifetime Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. MSDN.
Authentication/OpenIdConnect/[provider]/AuthenticationMode The OWIN authentication middleware mode. MSDN.
Authentication/OpenIdConnect/[provider]/SignInAsAuthenticationType The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity. MSDN.
Authentication/OpenIdConnect/[provider]/PostLogoutRedirectUri The 'post_logout_redirect_uri'. MSDN.
Authentication/OpenIdConnect/[provider]/ValidAudiences Comma-separated list of audience URLs. MSDN.
Authentication/OpenIdConnect/[provider]/ValidIssuers Comma-separated list of issuer URLs. MSDN.
Authentication/OpenIdConnect/[provider]/ClockSkew The clock skew to apply when validating times.
Authentication/OpenIdConnect/[provider]/NameClaimType The claim type used by the ClaimsIdentity to store the name claim.
Authentication/OpenIdConnect/[provider]/RoleClaimType The claim type used by the ClaimsIdentity to store the role claim.
Authentication/OpenIdConnect/[provider]/RequireExpirationTime A value indicating whether tokens must have an 'expiration' value.
Authentication/OpenIdConnect/[provider]/RequireSignedTokens A value indicating whether a System.IdentityModel.Tokens.SecurityToken xmlns="" can be valid if not signed.
Authentication/OpenIdConnect/[provider]/SaveSigninToken A Boolean to control if the original token is saved when a session is created.
Authentication/OpenIdConnect/[provider]/ValidateActor A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated.
Authentication/OpenIdConnect/[provider]/ValidateAudience A Boolean to control if the audience will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateIssuer A Boolean to control if the issuer will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateLifetime A Boolean to control if the lifetime will be validated during token validation.
Authentication/OpenIdConnect/[provider]/ValidateIssuerSigningKey A Boolean that controls if validation of the System.IdentityModel.Tokens.SecurityKey that signed the securityToken xmlns="" is called.

See also

Configure Dynamics 365 portal authentication
Set authentication identity for a portal
OAuth2 provider settings for portals
WS-Federation provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals