Configure Domino REST API to use an OIDC provider
About this task
The procedure guides you on how to configure Domino REST API to use an OpenID Connect (OIDC) provider for authentication.
Client Ids
When configuring an external IdP using OIDC or OIDC-idpcat, you need to provide a clientId. It's recommended to use Domino
, but the admins of your IdP might have other ideas. In any case, that's the clientId for the REST server. It's NOT the one for the AdminUI or the Office Forms Based Authentication (OFBA) for attachment editing. To be fully operational, you need to configure at least three clients on your IdP:
Domino
for the server (client secret might be handeled byidpcat.nsf
)keepadminui
for the Domino REST API admin clientkeepofba
for the Office document round trip experience- One each for your custom client applications (with clientSecret for servers or PKSE for clients)
Use the internal IdP as learning resource
The application configuration provided by the internal IdP makes it easy to configure and retrieve client-specific JWT that have all the required fields. Test your application with that and use the defined proprties, scopes foremost, to requests the external IdP client configurations.
Procedure
- Create a JSON file using a text editor.
-
Copy the JSON object to the JSON file.
{ "oidc": { "any-name": { "active": true, "providerUrl": "https://some.keycloak.server/auth/realms/some-realm", "clientId": "some-clientid", "clientSecret": "some-clientsecret", "userIdentifier": "dn", "userIdentifierInLdapFormat": true } } }
-
Set the values of the
providerUrl
,clientId
, andclientSecret
parameters to the values from your identity provider, such as Keycloak.{ "oidc": { "any-name": { "active": true, "providerUrl": "https://some.keycloak.server/auth/realms/some-realm", "clientId": "a3fe24-88dd-a003d3", "clientSecret": "16072d-cf96-1ea8d9", "userIdentifier": "dn", "userIdentifierInLdapFormat": true } } }
-
Save the JSON file in the
keepconfig.d
directory.Tip
Use a filename for the JSON file that reveals its purpose. To learn more on how JSON files in
keepconfig.d
are processed, see Understanding configuration. -
Restart Domino REST API on all servers.