Identity Providers Configuration

This section details how to configure Identity Providers. Identity Providers are used by Horizon to verify the identity of an end user based on the authentication performed by an external authorization server.

How to configure an Identity Provider

1. Log in to Horizon Administration Interface.

2. Access Identity Providers from the drawer or card: Security > Access Management > Identity Providers.

3. Click on Add Identity Provider.

General tab

4. Select an identity provider type. Currently only OpenID is supported.

OpenID connect

5. Fill in all mandatory fields:

  • Name* (string input):
    Enter a meaningful identity provider name.

  • Provider metadata URL* (string input):
    Enter the OpenID Connect provider metadata URL.

  • Client ID* (string input):
    Identifier generated on the OpenID Connect IDP when setting up a new application (Horizon) to authenticate users on the identity provider.

  • Client Secret* (string input):
    Password associated with the aforementioned identifier (Client ID).

  • Scope* (string input):
    Scope used by Horizon during authentication on the identity provider to authorize access to user’s details.

  • Proxy (string select):
    Proxy used to access Provider metadata URL, if any.

  • Timeout (finite duration):
    Timeout used for authentication on the identity provider. Must be a valid finite duration. Defaults to 10 seconds.

  • Identifier Claim* (string input):
    Dynamic expression defining how to construct the identifier from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the user identifier is contained in the login claim, then the configured value should be {{login}}.

  • Email Claim* (string input):
    Dynamic expression defining how to construct the user email from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the user email is contained in the 'email' claim, then the configured value should be {{email}}. If the email is not available directly from the claims but can be computed from the 'login' claim by appending a domain, the configured value should be {{login}}@evertrust.fr.

  • Name Claim* (string input):
    Dynamic expression defining how to construct the username from the OpenID Connect claims. Claim names must be declared between {{ and }} characters. For example, if the username must be constructed as family name followed by given name, and the family name is available in the family_name claim while the given name is available in the given_name claim, then the configured value should be {{family_name}}, {{given_name}}.

  • Enable* (boolean):
    Enable/Disable the identity provider.

  • Enabled on UI* (boolean):
    Enable/Disable the identity provider on the user interface.
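The Identifier, Email and Name Claim fields all use the same {{claim}} substitution syntax. The following added example (not Horizon's own code; the function names and the sample token claims are assumptions) shows how such templates resolve against the claims of an ID token, and why a resolver should fail closed when a referenced claim is absent rather than silently build a partial identifier.

```python
import re

# Matches a {{claim_name}} placeholder; claim names are limited to
# identifier-like characters so that malformed braces are noticed, not ignored.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")


class MissingClaim(KeyError):
    """Raised when a template references a claim the token did not carry."""


def render_claim_template(template: str, claims: dict) -> str:
    """Expand every {{claim}} placeholder in `template` from `claims`.

    Fails closed: a referenced claim that is absent, empty or not a plain
    string raises instead of yielding a partially built value.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = claims.get(name)
        if not isinstance(value, str) or value == "":
            raise MissingClaim(name)
        return value
    return PLACEHOLDER.sub(substitute, template)


def resolve_identity(config: dict, claims: dict) -> dict:
    """Apply the three claim templates of an identity provider configuration."""
    return {
        "identifier": render_claim_template(config["identifier_claim"], claims),
        "email": render_claim_template(config["email_claim"], claims),
        "name": render_claim_template(config["name_claim"], claims),
    }


# Constructed sample: the three expressions quoted on this page, and the
# claims of a hypothetical ID token (sample data, not a real account).
IDP_CONFIG = {
    "identifier_claim": "{{login}}",
    "email_claim": "{{login}}@evertrust.fr",
    "name_claim": "{{family_name}}, {{given_name}}",
}
SAMPLE_CLAIMS = {"login": "jdoe", "given_name": "Jane", "family_name": "Doe"}

if __name__ == "__main__":
    print(resolve_identity(IDP_CONFIG, SAMPLE_CLAIMS))
```

A template such as {{email}} against a token that carries no email claim raises MissingClaim, so no user is mapped from an incomplete identity.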

Languages tab

You can add more languages by clicking Add.

  • Language* (select):
    Select a language. Supported languages are:

    • en: English

    • fr: French

  • Display Name (string input):
    Enter a display name. This will be the localized name of the provider on the login page.

  • Description (string input):
    Enter a description. This will be displayed in a tooltip when the provider is chosen on the login page.

You can delete a localization by clicking Delete Language.

6. Click on the save button.

You can update the Identity Provider by clicking Edit Identity Provider, or delete it by clicking Delete Identity Provider.

You won’t be able to delete an Identity Provider if it is referenced in any other configuration element.