Registering an OIDC authentication service
- Last Updated: March 6, 2025
- Hybrid Data Pipeline
- Version 4.6
- Documentation
Before a user account can be configured to use OIDC, an OIDC service must be registered with Hybrid Data Pipeline. As described in the following sections, you can register an OIDC authentication service either through the Web UI or the Authentication API.
Note:
- An external authentication service registered in the default system tenant is available across all tenants. However, an external authentication service registered in a child tenant is only available in that tenant. After a service is registered with a tenant, the tenant administrator can create or modify user accounts to authenticate end user credentials against the service.
- A user with the Administrator (12) permission can register an external authentication service on any tenant within the system. A user with the RegisterExternalAuthService (26) permission can register an external authentication service on any tenant to which he or she has administrative access.
Register OIDC service via the Web UI
Take the following steps to register an OIDC service via the Web UI.
- Navigate to the Manage Authentication view by clicking the manage authentication icon.
- Select the tenant for which you are registering the service from the Select Tenant dropdown.
- Click + New Service. You will be directed to the Create Authentication Service screen.
- Provide the following information.
  - The name and description of the service
  - The service type (OIDC)
  - Issuer URL (The URL of the OpenID provider used to access and validate the token.)
  - HDP Username Identifier (Optional. The specific key in the token which contains the authenticated user name.)
  - Token Validation method (Specifies the method to validate a token. The valid values are JSON Web Token (JWT) and Introspect.)
  - Claims to validate (Optional. A JSON object which contains the claims to be validated against the token.)
- Click Save.
What to do next:
Configure Hybrid Data Pipeline user accounts to use the OIDC service. See Configuring user accounts for OIDC authentication for details.
Register OIDC service via the Authentication API
The following POST operation registers the OIDC service. For further details, see Register an external authentication service.
Request
POST https://MyServer:8443/api/admin/auth/services
Request payload
{
  "name": "OIDC",
  "tenantId": 5,
  "description": "OIDC Authentication plugin",
  "authDefinition": {
    "issuerUrl": "https://login.microsoftonline.com/db26-4d26-ae1-d05535/v3.0",
    "hdpUsernameIdentifier": "test_username",
    "attrValidation": {
      "type": "introspect",
      "introspectAuthMethod": "client_secret_post",
      "clientid": "2a9f8-3a06-984f-5a34e8f",
      "clientSecret": "ozQ~qZJjbcy4qkbL.5",
      "claimsToValidate": {
        "aud": "b17a9f23-0845-763-d890e9f1",
        "iss": "https://login.microsoftonline.com/da67-ae1a-d0585/v3.0"
      }
    }
  },
  "authTypeId": 5
}
Response payload
Status code: 201
Successful response
{
  "id": 5,
  "name": "OIDC",
  "tenantId": 5,
  "description": "OIDC Authentication plugin",
  "authDefinition": {
    "issuerUrl": "https://login.microsoftonline.com/db26-4d26-ae1-d05535/v3.0",
    "hdpUsernameIdentifier": "test_username",
    "attrValidation": {
      "type": "introspect",
      "introspectAuthMethod": "client_secret_post",
      "clientid": "2a9f8-3a06-984f-5a34e8f",
      "clientSecret": "ozQ~qZJjbcy4qkbL.5",
      "claimsToValidate": {
        "aud": "b17a9f23-0845-763-d890e9f1",
        "iss": "https://login.microsoftonline.com/da67-ae1a-d0585/v3.0"
      }
    }
  },
  "lastModifiedTime": "2021-11-26T08:30:16.006Z",
  "authTypeId": 5,
  "tenantName": "OrgN"
}
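The following script is an added example, not part of this documentation or of the Hybrid Data Pipeline product. It builds the registration body in the shape shown above, sanity-checks it before it is sent (https issuer, a pinned aud, an iss that agrees with issuerUrl, a client secret present for introspect validation), shows how a claimsToValidate object is applied to a token's claims, and masks the client secret before the body is written to a log or a ticket. The field names come from the page's payload; the value "jwt" for the JSON Web Token validation type is an assumption, since the page only shows "introspect", and all sample values are constructed placeholders.

```python
"""Added example (not Progress documentation or Hybrid Data Pipeline code).

Builds the registration body for POST /api/admin/auth/services, checks it
before sending, applies a claimsToValidate object to token claims, and
redacts the client secret for logging. "jwt" as the type value for JSON
Web Token validation is an assumption; the page only shows "introspect".
"""
import copy
import json
from urllib.parse import urlparse

KNOWN_VALIDATION_TYPES = ("jwt", "introspect")  # "jwt" is assumed, see above
SECRET_FIELDS = ("clientSecret",)


def build_registration_payload(name, tenant_id, issuer_url, client_id,
                               client_secret, claims_to_validate,
                               username_identifier="preferred_username",
                               validation_type="introspect",
                               description="OIDC Authentication plugin"):
    """Assemble the request body in the shape the page documents."""
    return {
        "name": name,
        "tenantId": tenant_id,
        "description": description,
        "authDefinition": {
            "issuerUrl": issuer_url,
            "hdpUsernameIdentifier": username_identifier,
            "attrValidation": {
                "type": validation_type,
                "introspectAuthMethod": "client_secret_post",
                "clientid": client_id,
                "clientSecret": client_secret,
                "claimsToValidate": dict(claims_to_validate),
            },
        },
        "authTypeId": 5,  # OIDC type id as used in the page's payload
    }


def check_payload(payload):
    """Return a list of problems; an empty list means the body is ready to POST."""
    problems = []
    auth_def = payload.get("authDefinition", {})
    issuer = auth_def.get("issuerUrl", "")
    attr = auth_def.get("attrValidation", {})
    claims = attr.get("claimsToValidate", {})

    if urlparse(issuer).scheme != "https":
        problems.append("issuerUrl must be an https URL")
    if attr.get("type") not in KNOWN_VALIDATION_TYPES:
        problems.append("attrValidation.type must be one of %s" % (KNOWN_VALIDATION_TYPES,))
    if attr.get("type") == "introspect" and not (attr.get("clientid") and attr.get("clientSecret")):
        problems.append("introspect validation needs clientid and clientSecret")
    if "aud" not in claims:
        problems.append("claimsToValidate should pin 'aud' so tokens minted for other apps are rejected")
    if "iss" in claims and claims["iss"] != issuer:
        problems.append("claimsToValidate.iss does not match issuerUrl")
    return problems


def claims_match(token_claims, claims_to_validate):
    """True when every configured claim is present in the token with the expected value.

    A JWT may carry 'aud' as a list, so an expected audience must be one of its members.
    """
    for name, expected in claims_to_validate.items():
        if name not in token_claims:
            return False
        actual = token_claims[name]
        if isinstance(actual, list):
            if expected not in actual:
                return False
        elif actual != expected:
            return False
    return True


def redact_secrets(payload):
    """Deep copy of the body with secret fields masked, for audit logs and tickets."""
    safe = copy.deepcopy(payload)
    attr = safe.get("authDefinition", {}).get("attrValidation", {})
    for field in SECRET_FIELDS:
        if field in attr:
            attr[field] = "***"
    return safe


if __name__ == "__main__":
    # Constructed placeholder values; substitute your tenant's own.
    body = build_registration_payload(
        name="OIDC", tenant_id=5,
        issuer_url="https://idp.example.test/v2.0",
        client_id="client-id-placeholder", client_secret="client-secret-placeholder",
        claims_to_validate={"aud": "hdp-api", "iss": "https://idp.example.test/v2.0"},
    )
    print("problems:", check_payload(body))
    print(json.dumps(redact_secrets(body), indent=2))
    # Send the unredacted body with your HTTP client to
    # POST https://MyServer:8443/api/admin/auth/services, authenticated as an
    # account holding the Administrator (12) or RegisterExternalAuthService (26) permission.
```

Run check_payload before every registration and keep the returned list empty; the aud and iss checks are what stop a token issued by the same provider for a different application, or by a different issuer, from being accepted for this tenant. Only the output of redact_secrets should ever reach a log line.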
What to do next
Configure Hybrid Data Pipeline user accounts to use the OIDC service. See Configuring user accounts for OIDC authentication for details.