Use an External OIDC Identity Provider
We support only OpenID Connect (OIDC) Identity Providers that publish the OpenID Provider configuration (discovery) document (for example, Google, Okta, or Auth0). To find out whether your OIDC Identity Provider does, check that the following URL exists and returns a JSON document:
https://<your-issuer-url>/.well-known/openid-configuration
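The discovery check above, together with the end_session_endpoint requirement stated under Create an OAuth2 Client and the exact-issuer rule for oauthIssuerLocation, can be scripted. The following is an added example, not part of the GoodData documentation or product: it fetches the well-known document (or, without an argument, checks a constructed sample modelled on an Auth0 tenant) and reports anything that would break the integration. The sample document, the names check_discovery and fetch_discovery, and the list of required endpoints are assumptions of this example.

```python
"""Check an OIDC provider's discovery document before wiring it to GoodData.CN.

Added example, not part of the GoodData documentation or product. It verifies
the points this page relies on: the document exists at
<issuer>/.well-known/openid-configuration, its "issuer" value is exactly the
string you will later put in oauthIssuerLocation (trailing slash included),
and it advertises end_session_endpoint, which logout needs.
"""
import json
import sys
import urllib.request
from typing import List
from urllib.parse import urlsplit

# Assumed minimum set of endpoints a usable provider must advertise.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "offline_access")


def discovery_url(issuer: str) -> str:
    """Well-known URL for an issuer, whether or not the issuer ends with '/'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch and parse the discovery document (needs network access; HTTPS only)."""
    url = discovery_url(issuer)
    if urlsplit(url).scheme != "https":
        raise ValueError("the issuer must be an https:// URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_discovery(doc: dict, configured_issuer: str) -> List[str]:
    """Return the problems found; an empty list means the provider looks usable."""
    problems: List[str] = []
    issuer = doc.get("issuer")
    # The configured value must match byte for byte: the relying party compares
    # it with the iss claim of the ID token, so a missing or extra trailing
    # slash (Auth0 issuers end with one) makes every login fail.
    if issuer != configured_issuer:
        problems.append(
            f"issuer mismatch: document says {issuer!r}, "
            f"you would configure {configured_issuer!r}"
        )
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
    if "end_session_endpoint" not in doc:
        problems.append("no end_session_endpoint: logout from GoodData.CN will not work")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")
    advertised = doc.get("scopes_supported")  # optional in the discovery spec
    if advertised is not None:
        problems.extend(
            f"scope {scope!r} not in scopes_supported"
            for scope in REQUIRED_SCOPES
            if scope not in advertised
        )
    return problems


# Constructed sample modelled on an Auth0 tenant (not a real tenant). Note the
# trailing slash on the issuer and the absent end_session_endpoint, which is
# consistent with this page listing logout as not working with Auth0.
SAMPLE_AUTH0_DOC = {
    "issuer": "https://alpha-corp.auth0.com/",
    "authorization_endpoint": "https://alpha-corp.auth0.com/authorize",
    "token_endpoint": "https://alpha-corp.auth0.com/oauth/token",
    "jwks_uri": "https://alpha-corp.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token", "code token"],
    "scopes_supported": ["openid", "profile", "offline_access", "email"],
}

if __name__ == "__main__":
    # Usage: python check_oidc.py https://<your-issuer-url>
    # Without an argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        issuer_arg = sys.argv[1]
        document = fetch_discovery(issuer_arg)
    else:
        issuer_arg, document = SAMPLE_AUTH0_DOC["issuer"], SAMPLE_AUTH0_DOC
    for line in check_discovery(document, issuer_arg) or ["no problems found"]:
        print(line)
```

Run it against the issuer string you intend to configure, not against a normalised form of it: the point of the check is to catch the trailing-slash difference before it reaches the API.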
To use an external OIDC Identity Provider, do the following:
Create an OAuth2 Client
Create an OAuth2 client with the following configuration:
- Callback URL: https://<organization-hostname>/login/oauth2/code/<organization-hostname>
- Grant types: Implicit, Authorization code, Refresh token
- Scopes: openid, profile, offline_access
To properly support the logout action in GoodData Cloud Native (GoodData.CN), your OIDC Identity Provider must advertise end_session_endpoint in the document served at https://<your-issuer-url>/.well-known/openid-configuration.
If your OIDC Identity Provider supports CORS configuration, add the Organization's origin (https://<organization-hostname>) to its list of allowed origins.
When the OAuth2 client is created, copy and store the following parameters:
- The client ID
- The client secret
You will provide them in the API request described in the next section. Treat the client secret as a credential: keep it in a secrets store and do not paste it into tickets or chat.
Update the OIDC Settings of the Organization
Use the following template to create the API request that updates the OIDC settings of the Organization. You must provide the $GDC_API_TOKEN in the Authorization header:
curl --request PUT \
--header "Authorization: Bearer $GDC_API_TOKEN" \
--header 'Content-Type: application/vnd.gooddata.api+json' \
--data '{
"data": {
"id": "alpha",
"type": "organization",
"attributes": {
"name": "Alpha Corp.",
"hostname": "analytics.alpha.example.com",
"oauthIssuerLocation": "https://<your-issuer-url>",
"oauthClientId": "<your-client-id>",
"oauthClientSecret": "<your-client-secret>"
}
}
}' https://analytics.alpha.example.com/api/entities/admin/organizations/alpha
Pay extra attention to the URL that you provide in the "oauthIssuerLocation" parameter. You must specify this URL exactly as it is provided by the OIDC Identity Provider. For example, if the URL provided ends with a trailing slash, keep the slash when passing the URL to the API as the value of the "oauthIssuerLocation" parameter.
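The same request, built in code rather than typed into a shell, as an added example that is not GoodData's own client: the endpoint path, media type and attribute names are those of the curl template above, while the organization id, hostname, environment variable names and the build_oidc_update and send_update functions are assumptions of this example. It refuses an oauthIssuerLocation that differs from the issuer the provider advertises, and it reads the API token and client secret from the environment so they do not land in shell history.

```python
"""Build and send the PUT that stores the OIDC settings of an Organization.

Added example, not GoodData's own client. The endpoint, media type and
attribute names are taken from the curl template on this page; the
organization id, hostname and provider values are sample assumptions.
Secrets are read from the environment so they do not end up in shell
history or CI logs.
"""
import json
import os
import urllib.request
from typing import Dict, Optional, Tuple

API_MEDIA_TYPE = "application/vnd.gooddata.api+json"


def build_oidc_update(
    org_id: str,
    name: str,
    hostname: str,
    issuer_location: str,
    client_id: str,
    client_secret: str,
    discovered_issuer: Optional[str] = None,
) -> Tuple[str, Dict]:
    """Return (url, json_body) for the organization update.

    If the issuer from the provider's discovery document is supplied, it is
    compared byte for byte: "https://x.auth0.com" and "https://x.auth0.com/"
    are different issuers and the mismatch is rejected here, not at login time.
    """
    if not issuer_location.startswith("https://"):
        raise ValueError("oauthIssuerLocation must be an https:// URL")
    if discovered_issuer is not None and issuer_location != discovered_issuer:
        raise ValueError(
            f"oauthIssuerLocation {issuer_location!r} does not match the "
            f"issuer advertised by the provider {discovered_issuer!r}"
        )
    body = {
        "data": {
            "id": org_id,
            "type": "organization",
            "attributes": {
                "name": name,
                "hostname": hostname,
                "oauthIssuerLocation": issuer_location,
                "oauthClientId": client_id,
                "oauthClientSecret": client_secret,
            },
        }
    }
    url = f"https://{hostname}/api/entities/admin/organizations/{org_id}"
    return url, body


def send_update(url: str, body: Dict, api_token: str, timeout: float = 30.0) -> int:
    """PUT the body with a bearer token and return the HTTP status (network access needed)."""
    request = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": API_MEDIA_TYPE,
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Assumed environment variables; GDC_API_TOKEN is the one this page names.
    # OIDC_DISCOVERED_ISSUER is the "issuer" value from the well-known document.
    url, body = build_oidc_update(
        org_id="alpha",
        name="Alpha Corp.",
        hostname="analytics.alpha.example.com",
        issuer_location=os.environ["OIDC_ISSUER"],
        client_id=os.environ["OIDC_CLIENT_ID"],
        client_secret=os.environ["OIDC_CLIENT_SECRET"],
        discovered_issuer=os.environ.get("OIDC_DISCOVERED_ISSUER"),
    )
    print(send_update(url, body, os.environ["GDC_API_TOKEN"]))
```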
Example: A sample API request for setting up authentication with the Auth0 Identity Provider (the bearer token, client ID and client secret below are placeholders, not real credentials)
curl --request PUT \
--header 'Authorization: Bearer YWRtaW46Ym9vdHN0cmFwOk15U2VjcmV0UGFzc3dvcmQ=' \
--header 'Content-Type: application/vnd.gooddata.api+json' \
--data '{
"data": {
"id": "alpha",
"type": "organization",
"attributes": {
"name": "Alpha Corp.",
"hostname": "analytics.alpha.example.com",
"oauthIssuerLocation": "https://alpha-corp.auth0.com/",
"oauthClientId": "abcdefghijklmnopqrstuvwxyz0123",
"oauthClientSecret": "abcdefghijklmno-ABCDEFGHIJKLMNOPQRS-abcdefghi_ABCDEFG"
}
}
}' https://analytics.alpha.example.com/api/entities/admin/organizations/alpha
Once you have updated the OIDC settings, map the users stored in the Identity Provider to your Organization.
Known limitations
Auth0 specific notes
The Auth0 issuer has a trailing slash in its configuration. When configuring the external OIDC provider for your organization, make sure that the oauthIssuerLocation value ends with a trailing slash, for example https://mycompany.eu.auth0.com/. Otherwise, authentication will not work.
Known issues with Auth0 IdP:
- Logout doesn’t work
Known issues with Google IdP:
- Logout doesn’t work
Amazon Cognito
Amazon Cognito alters the state parameter that GoodData.CN sends during the OAuth2 flow. Because state is the value that ties the callback to the login attempt that started it, the redirect URL returned by Cognito is invalid, and Amazon Cognito cannot be used as an Identity Provider for GoodData.CN.