Identity Providers Configuration

This section details how to configure Identity Providers. Horizon uses an Identity Provider to verify the identity of an end user based on an authentication performed by an external authorization server, rather than by Horizon itself.

How to configure an Identity Provider

1. Log in to Horizon Administration Interface.

2. Access Identity Providers from the drawer or card: Security > Access Management > Identity Providers.

3. Click on Add Identity Provider.

General tab

4. Select an identity provider type. Currently only OpenID Connect is supported.

OpenID Connect

5. Fill in all mandatory fields:

  • Name* (string input):
    Enter a meaningful identity provider name.

  • Provider metadata URL* (string input):
    Enter the OpenID Connect provider metadata URL.

  • Client ID* (string input):
    Identifier generated by the OpenID Connect identity provider when Horizon was registered on it as a client application allowed to authenticate users.

  • Client Secret* (string input):
    Password associated with the aforementioned identifier (Client ID).

  • Scope* (string input):
    Scope requested by Horizon when authenticating on the identity provider; it authorizes Horizon to read the user's details (claims).

  • Proxy (string input):
    Proxy used to access Provider metadata URL, if any.

  • Timeout (finite duration):
    Timeout applied to authentication on the identity provider. Must be a valid finite duration; defaults to 10 seconds.

  • Identifier Claim* (string input):
    Dynamic expression defining how to construct the user identifier from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the user identifier is contained in the 'login' claim, then the configured value should be {{login}}.

  • Email Claim* (string input):
    Dynamic expression defining how to construct the user email from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the user email is contained in the 'email' claim, then the configured value should be {{email}}. If the email is not available directly from the claims but can be computed from the 'login' claim by appending a domain, the configured value should be {{login}}@evertrust.fr.

  • Name Claim* (string input):
    Dynamic expression defining how to construct the username from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the username must be built as "family name, given name", with the family name available in the family_name claim and the given name in the given_name claim, then the configured value should be {{family_name}}, {{given_name}}.

  • Enabled* (boolean):
    Enable/Disable the identity provider.

  • Enabled on UI* (boolean):
    Enable/Disable the identity provider on the user interface.
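The three claim expressions above (Identifier Claim, Email Claim and Name Claim) follow one rule: text between {{ and }} is replaced by the value of the named claim, and everything else is kept verbatim. The following Python is an added example, not Horizon's own implementation, showing how such expressions resolve against the claims of a decoded ID token. It assumes (as an illustration, not documented Horizon behaviour) that a referenced claim missing from the token should be rejected rather than rendered as an empty string, since an empty or partial identifier could map several users onto the same Horizon account. The sample claims and the example.com domain are constructed.

```python
import re
from typing import Mapping

# Matches one claim reference such as {{login}} or {{family_name}}.
CLAIM_REF = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")


class MissingClaimError(ValueError):
    """Raised when a template references a claim absent from the ID token."""


def render_claim_template(template: str, claims: Mapping[str, object]) -> str:
    """Substitute every {{claim}} reference in `template` with the claim's value.

    Literal text outside the braces is kept verbatim, so "{{login}}@example.com"
    appends a domain and "{{family_name}}, {{given_name}}" joins two claims.
    A referenced claim that is missing or empty raises (assumed policy) instead
    of silently producing a blank identifier.
    """
    def _lookup(match: re.Match) -> str:
        name = match.group(1)
        value = claims.get(name)
        if value is None or value == "":
            raise MissingClaimError(f"claim '{name}' is absent from the token")
        return str(value)

    return CLAIM_REF.sub(_lookup, template)


def map_user(claims: Mapping[str, object], identifier_tpl: str,
             email_tpl: str, name_tpl: str) -> dict:
    """Apply the three configured expressions to one set of token claims."""
    return {
        "identifier": render_claim_template(identifier_tpl, claims),
        "email": render_claim_template(email_tpl, claims),
        "name": render_claim_template(name_tpl, claims),
    }


# Constructed sample claims, shaped like the payload of an OIDC ID token.
SAMPLE_CLAIMS = {
    "sub": "248289761001",
    "login": "jdoe",
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}

if __name__ == "__main__":
    print(map_user(SAMPLE_CLAIMS, "{{login}}", "{{email}}",
                   "{{family_name}}, {{given_name}}"))
    # Email derived from the login claim plus a fixed domain.
    print(render_claim_template("{{login}}@example.com", SAMPLE_CLAIMS))
    # A claim the provider does not emit is rejected, not rendered empty.
    try:
        render_claim_template("{{preferred_username}}", SAMPLE_CLAIMS)
    except MissingClaimError as exc:
        print("rejected:", exc)
```

When choosing the Identifier Claim, prefer a claim the provider guarantees to be stable and unique for the user (the `sub` claim is defined by OpenID Connect for exactly that purpose); a display-oriented claim such as an email address can change over time and would re-map the Horizon account.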

Languages tab

  • Language:
    Refer to the Languages section to set up the localized Identity Provider display name and description.

6. Click on the save button.

You can edit (Edit Identity Provider) or delete (Delete Identity Provider) an existing Identity Provider from the same page.

You won’t be able to delete an Identity Provider if it is referenced in any other configuration element.