Comment: Add Auth0 and login.gov OIDC configuration examples for 10.1.5 (completes Update 5's four-provider set)

...

| Field | Value |
|---|---|
| Name | Keycloak |
| AuthType | OIDC |
| Active | true |
| AuthOptions | Authority=https://keycloak.corp.local/realms/factory;ClientId=fwx-runtime;ClientSecretRef=/secret:KeycloakClientSecret;RedirectUri=https://factory.corp.local/oidc/callback;Scopes=openid,profile,email,groups;UsernameClaim=preferred_username;GroupsClaim=groups;DefaultPolicy=Operators |

Auth0 via OIDC

  1. In the Auth0 dashboard, create a Regular Web Application; note the Domain, Client ID, and Client Secret.

  2. Add an Allowed Callback URL: https://factory.corp.local/oidc/callback.

  3. Store the client secret in Security → Secrets as Auth0ClientSecret.

  4. If group-to-Permission Group mapping is needed, add a roles claim to the ID token via an Auth0 Action (Auth0 does not emit a groups claim by default).

  5. In Security → Identity Providers, create a row:

| Field | Value |
|---|---|
| Name | Auth0 |
| AuthType | OIDC |
| Active | true |
| AuthOptions | Authority=https://<tenant>.auth0.com/;ClientId=<application-client-id>;ClientSecretRef=/secret:Auth0ClientSecret;RedirectUri=https://factory.corp.local/oidc/callback;Scopes=openid,profile,email;UsernameClaim=email;GroupsClaim=roles;DefaultPolicy=Operators |

login.gov via OIDC

login.gov is the U.S. federal single sign-on service. Two operational specifics distinguish it from a typical OIDC IdP: client authentication is by signed JWT assertion (private_key_jwt), not a shared client secret, and the IdP does not emit a groups claim — every authenticated user receives the row's DefaultPolicy.

  1. Register the FrameworX deployment in the login.gov partner dashboard (sandbox: https://idp.int.identitysandbox.gov; production: https://secure.login.gov). Upload the public key of the JWT signing certificate FrameworX will use for client assertion.

  2. Note the assigned Client ID and select the IAL / AAL level appropriate to the deployment (IAL1 / AAL1 for basic identity; IAL2 / AAL2 when verified identity and MFA are required).

  3. Add the redirect URI https://factory.corp.local/oidc/callback in the partner dashboard.

  4. Store the JWT signing key reference in Security → Secrets as LoginGovSigningKey; the server resolves it at client-assertion time, so the private key itself never appears in the row.

  5. In Security → Identity Providers, create a row:

| Field | Value |
|---|---|
| Name | LoginGov |
| AuthType | OIDC |
| Active | true |
| AuthOptions | Authority=https://secure.login.gov;ClientId=<client-id>;ClientSecretRef=/secret:LoginGovSigningKey;RedirectUri=https://factory.corp.local/oidc/callback;Scopes=openid,email;UsernameClaim=email;DefaultPolicy=Operators |

login.gov does not pass group claims, so omit GroupsClaim — every authenticated user falls through to the row's DefaultPolicy (typically Operators). Use the sandbox Authority (https://idp.int.identitysandbox.gov) for development; switch to https://secure.login.gov for production.
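The Keycloak, Auth0 and login.gov rows above share one AuthOptions grammar, and the Auth0 and login.gov sections differ mainly in whether a GroupsClaim is present. The following Python is an added example, not FrameworX code: it parses such a row, runs the checks a reviewer would make before setting Active=true (https Authority, unreplaced <placeholders>, a /secret: reference rather than an inline secret, RedirectUri equal to the callback registered at the IdP, openid in Scopes), and shows how claims from an already-verified ID token resolve to a username and Permission Group, with the fall-through to DefaultPolicy that login.gov users always take. The key=value;key=value layout, the /secret:Name reference form, the sample rows, the tenant and client ids, and the GROUP_TO_POLICY map are assumptions constructed for illustration.

```python
# Added example (not FrameworX code): parse one Identity Providers row's
# AuthOptions string, check it before activation, and resolve ID-token
# claims to (username, policy) for Auth0 (roles claim) and login.gov
# (no groups claim, so DefaultPolicy only).
# Assumptions, not taken from the product docs: the key=value;key=value
# layout, the '/secret:<Name>' reference form, the sample rows, and the
# GROUP_TO_POLICY table, all constructed here for illustration.
from typing import Dict, List, Tuple

REQUIRED_KEYS = ("Authority", "ClientId", "ClientSecretRef", "RedirectUri",
                 "Scopes", "UsernameClaim", "DefaultPolicy")

# Constructed: the callback registered at each IdP and a group -> policy map.
REGISTERED_CALLBACK = "https://factory.corp.local/oidc/callback"
GROUP_TO_POLICY = {"maintenance": "Maintainers", "admins": "Administrators"}

# Constructed rows with the page's <placeholders> filled in with sample ids.
AUTH0_OPTIONS = (
    "Authority=https://example-tenant.auth0.com/;ClientId=abc123;"
    "ClientSecretRef=/secret:Auth0ClientSecret;"
    "RedirectUri=https://factory.corp.local/oidc/callback;"
    "Scopes=openid,profile,email;UsernameClaim=email;GroupsClaim=roles;"
    "DefaultPolicy=Operators"
)
LOGINGOV_OPTIONS = (
    "Authority=https://idp.int.identitysandbox.gov;ClientId=fwx-sandbox;"
    "ClientSecretRef=/secret:LoginGovSigningKey;"
    "RedirectUri=https://factory.corp.local/oidc/callback;"
    "Scopes=openid,email;UsernameClaim=email;DefaultPolicy=Operators"
)


def parse_auth_options(text: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; reject malformed or duplicate entries."""
    opts: Dict[str, str] = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed AuthOptions entry: {part!r}")
        if key in opts:
            raise ValueError(f"duplicate AuthOptions key: {key}")
        opts[key] = value.strip()
    return opts


def validate_auth_options(opts: Dict[str, str], registered_callback: str) -> List[str]:
    """Return the problems a reviewer would flag on a row before activating it."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not opts.get(key):
            problems.append(f"missing {key}")
    for key, value in opts.items():
        if "<" in value or ">" in value:
            problems.append(f"{key} still contains a <placeholder>")
    if not opts.get("Authority", "").startswith("https://"):
        problems.append("Authority must be an https URL")
    if not opts.get("ClientSecretRef", "").startswith("/secret:"):
        problems.append("ClientSecretRef must point at Security -> Secrets "
                        "(/secret:Name), never hold the secret inline")
    if opts.get("RedirectUri") != registered_callback:
        problems.append("RedirectUri differs from the callback registered at the IdP")
    if "openid" not in opts.get("Scopes", "").split(","):
        problems.append("Scopes must include openid")
    return problems


def resolve_identity(opts: Dict[str, str], claims: dict,
                     group_to_policy: Dict[str, str]) -> Tuple[str, str]:
    """Map claims from an already-verified ID token to (username, policy)."""
    username = claims.get(opts["UsernameClaim"])
    if not username:
        raise PermissionError(f"token lacks the {opts['UsernameClaim']} claim")
    policy = opts["DefaultPolicy"]          # every user starts here
    groups_claim = opts.get("GroupsClaim")  # absent for login.gov rows
    if groups_claim:
        groups = claims.get(groups_claim, [])
        if isinstance(groups, str):
            groups = [groups]
        for group in groups:               # first mapped group wins
            if group in group_to_policy:
                policy = group_to_policy[group]
                break
    return username, policy


if __name__ == "__main__":
    for label, text in (("Auth0", AUTH0_OPTIONS), ("login.gov", LOGINGOV_OPTIONS)):
        row = parse_auth_options(text)
        print(label, "problems:", validate_auth_options(row, REGISTERED_CALLBACK) or "none")
    auth0 = parse_auth_options(AUTH0_OPTIONS)
    print(resolve_identity(auth0, {"email": "alice@example.com", "roles": ["maintenance"]}, GROUP_TO_POLICY))
    gov = parse_auth_options(LOGINGOV_OPTIONS)
    print(resolve_identity(gov, {"email": "bob@example.gov"}, GROUP_TO_POLICY))
```

Run the file directly to see both rows pass the checks and the two resolutions printed. The RedirectUri comparison is exact on purpose: an IdP that accepts a looser match is one less control, so the row should carry the same string that was registered in step 2 (Auth0) or step 3 (login.gov).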

PIV and smartcard authentication

...