
Configure Domino REST API to use an OIDC provider

About this task

This procedure explains how to configure Domino REST API to use an OpenID Connect (OIDC) provider for authentication.

Client Ids

When configuring an external IdP using OIDC or OIDC-idpcat, you need to provide a clientId. It's recommended to use Domino, but the admins of your IdP might have other ideas. In any case, that's the clientId for the REST server. It's NOT the one for the AdminUI or the Office Forms Based Authentication (OFBA) for attachment editing. To be fully operational, you need to configure at least three clients on your IdP:

  • Domino for the server (client secret might be handled by idpcat.nsf)
  • keepadminui for the Domino REST API admin client
  • keepofba for the Office document round trip experience
  • One each for your custom client applications (with clientSecret for servers or PKCE for clients)

Use the internal IdP as learning resource

The application configuration provided by the internal IdP makes it easy to configure and retrieve client-specific JWTs that have all the required fields. Test your application with that and use the defined properties, scopes foremost, to request the external IdP client configurations.

Procedure

  1. Create a JSON file using a text editor.
  2. Copy the JSON object to the JSON file.

    {
      "oidc": {
        "any-name": {
          "active": true,
          "providerUrl": "https://some.keycloak.server/auth/realms/some-realm",
          "clientId": "some-clientid",
          "clientSecret": "some-clientsecret",
          "userIdentifier": "dn",
          "userIdentifierInLdapFormat": true
        }
      }
    }
    
  3. Set the values of the providerUrl, clientId, and clientSecret parameters to the values from your identity provider, such as Keycloak.

    {
      "oidc": {
        "any-name": {
          "active": true,
          "providerUrl": "https://some.keycloak.server/auth/realms/some-realm",
          "clientId": "a3fe24-88dd-a003d3",
          "clientSecret": "16072d-cf96-1ea8d9",
          "userIdentifier": "dn",
          "userIdentifierInLdapFormat": true
        }
      }
    }
    
  4. Save the JSON file in the keepconfig.d directory.

    Tip

    Use a filename for the JSON file that reveals its purpose. To learn more about how JSON files in keepconfig.d are processed, see Understanding configuration.

  5. Restart Domino REST API on all servers.
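
As an added example that is not part of the original documentation, a small Python pre-flight check to run against a keepconfig.d OIDC fragment before restarting the servers: it parses the file, confirms the keys shown in the sample are present, checks that providerUrl uses https, reports the step 2 placeholders for clientId and clientSecret if they were never replaced, and derives the standard OIDC discovery URL an admin can fetch to confirm providerUrl really is the issuer. The required-key list and the checks are assumptions drawn from the sample above, not the product's own validation.

```python
import json
from urllib.parse import urlparse

# Keys every provider entry in the sample carries (assumption from the sample, not the product schema).
REQUIRED_KEYS = ("active", "providerUrl", "clientId", "clientSecret", "userIdentifier")
# Placeholder values from step 2 that must not survive into keepconfig.d.
PLACEHOLDERS = {"clientId": "some-clientid", "clientSecret": "some-clientsecret"}

# Constructed sample: step 2's fragment with the secret placeholder left in and a plain-http URL.
SAMPLE_CONFIG = """{
  "oidc": {
    "any-name": {
      "active": true,
      "providerUrl": "http://some.keycloak.server/auth/realms/some-realm",
      "clientId": "a3fe24-88dd-a003d3",
      "clientSecret": "some-clientsecret",
      "userIdentifier": "dn",
      "userIdentifierInLdapFormat": true
    }
  }
}"""


def discovery_url(provider_url):
    """Standard OIDC discovery document location for an issuer URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_config(text):
    """Return a list of findings for one keepconfig.d OIDC fragment; an empty
    list means the fragment passed every check implemented here."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    providers = cfg.get("oidc") if isinstance(cfg, dict) else None
    if not isinstance(providers, dict) or not providers:
        return ['missing or empty top-level "oidc" object']
    findings = []
    for name, prov in providers.items():
        for key in REQUIRED_KEYS:
            if key not in prov:
                findings.append(f'{name}: missing "{key}"')
        scheme = urlparse(str(prov.get("providerUrl", ""))).scheme
        if scheme != "https":
            findings.append(f"{name}: providerUrl must use https, got {scheme!r}")
        for key, placeholder in PLACEHOLDERS.items():
            if prov.get(key) == placeholder:
                findings.append(f'{name}: "{key}" still holds the placeholder {placeholder!r}')
    return findings
```

Running `check_oidc_config` on the constructed sample reports the http scheme and the leftover clientSecret placeholder; the same fragment with the step 3 values passes cleanly.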

Rinse and repeat