| clientSecret | Conditional | Specifies the secret that confidential client flows use. Treat it as a credential: keep it out of source control and rotate it if it is exposed. | a1b2c3d4e5f6 |
| issuer | Yes | Specifies the OIDC provider realm or tenant URL. It must match the token `iss` claim exactly (same scheme, host, path and trailing slash) when issuer validation is enabled. | https://idp.example.com/auth/realms/oipa |
| scimUri | Optional | Specifies the URI that the OIPA scheduled SCIM sync uses. | https://idp.example.com/scim/v2/Users |
| audience | Optional | Specifies the expected token audience; the value must appear in the token `aud` claim. | oipa-api |
| clientId | Yes | Specifies the OIDC client ID that the application uses. | oipa-web-client |
| redirectUri | Conditional | Specifies the redirect URI that the OIPA authorization-code flow uses. It must exactly match a redirect URI registered in the identity provider; prefix or hostname matches are not accepted. (For PASJava) | https://oipa.example.com/callback |
| companyMapping | Optional | Injects static OIPA company and security group GUIDs into the validated claims so that OIPA can create new SSO users locally. | { "companyGuid": "12345", "securityGroupGuid": "67890" } |
| userMapping | Yes | Maps OIPA claim names (keys) to IdP token claim names (values). | { "email": "mail", "userId": "preferred_username" } |
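The following script is an added example, not OIPA's own code, showing how the `issuer`, `audience`, `redirectUri`, `userMapping` and `companyMapping` settings from the table are applied to a token. It assumes the token's signature has already been verified and the claims decoded into a dict; the configuration values, the sample claims and the function names (`validate_and_map`, `rejection_reason`) are constructed for this example.

```python
"""Illustrative OIDC claim validation and claim mapping (added example, not OIPA code)."""
import json

# Constructed configuration using the parameter names and example values from the table.
CONFIG = json.loads("""
{
  "issuer": "https://idp.example.com/auth/realms/oipa",
  "audience": "oipa-api",
  "clientId": "oipa-web-client",
  "redirectUri": "https://oipa.example.com/callback",
  "userMapping": { "email": "mail", "userId": "preferred_username" },
  "companyMapping": { "companyGuid": "12345", "securityGroupGuid": "67890" }
}
""")


class TokenRejected(ValueError):
    """Raised when a claim does not match the configured expectation."""


def check_issuer(claims, config):
    # Exact string comparison: a trailing slash or a different scheme is a different issuer.
    if claims.get("iss") != config["issuer"]:
        raise TokenRejected(f"iss {claims.get('iss')!r} does not match configured issuer")


def check_audience(claims, config):
    # 'aud' may be a single string or a list (RFC 7519, section 4.1.3); the configured
    # audience must be present in it. The table marks audience Optional, so an unset
    # value skips the check rather than failing.
    expected = config.get("audience")
    if expected is None:
        return
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if expected not in audiences:
        raise TokenRejected(f"aud {aud!r} does not contain {expected!r}")


def check_redirect_uri(requested_uri, config):
    # The redirect URI used in the authorization request must equal the configured one
    # exactly; prefix or host-only comparison would let an attacker-chosen path through.
    if requested_uri != config["redirectUri"]:
        raise TokenRejected(f"redirect_uri {requested_uri!r} is not the registered URI")


def map_user(claims, config):
    # userMapping: keys are OIPA attribute names, values are IdP claim names.
    user = {}
    for oipa_name, claim_name in config["userMapping"].items():
        if claim_name not in claims:
            raise TokenRejected(f"required claim {claim_name!r} missing from token")
        user[oipa_name] = claims[claim_name]
    # companyMapping is static configuration injected verbatim so that a first-time
    # SSO user can be created with a company and security group.
    user.update(config.get("companyMapping", {}))
    return user


def validate_and_map(claims, requested_redirect_uri, config=CONFIG):
    """Run the checks in order and return the mapped local user attributes."""
    check_issuer(claims, config)
    check_audience(claims, config)
    check_redirect_uri(requested_redirect_uri, config)
    return map_user(claims, config)


def rejection_reason(claims, requested_redirect_uri, config=CONFIG):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_and_map(claims, requested_redirect_uri, config)
    except TokenRejected as exc:
        return str(exc)
    return None


# Constructed sample claims, as they would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/auth/realms/oipa",
    "aud": ["oipa-api", "account"],
    "mail": "jdoe@example.com",
    "preferred_username": "jdoe",
}

if __name__ == "__main__":
    print(validate_and_map(SAMPLE_CLAIMS, "https://oipa.example.com/callback"))
    # Issuer differing only by a trailing slash, and a token minted for another audience,
    # are both rejected.
    for bad in (dict(SAMPLE_CLAIMS, iss="https://idp.example.com/auth/realms/oipa/"),
                dict(SAMPLE_CLAIMS, aud="account")):
        print("rejected:", rejection_reason(bad, "https://oipa.example.com/callback"))
```

The order of checks matters in practice: issuer and audience are verified before any claim is copied into the local user record, so a token from the wrong realm or minted for a different API never reaches the mapping step, and the static `companyMapping` GUIDs are only applied to a token that has passed every check.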