Identity Provider Checklist
Create and configure one confidential OIDC client for the OIPA integration.
OIDC Client Configuration
| Configuration | Value |
|---|---|
| clientId | <client-id> |
Enable the following features:
| Feature | Purpose |
|---|---|
| Authorization Code flow | Required for the OIPA browser login flow. |
| Password grant or Direct Access Grant | Required for PASService and CycleService. |
| Client Credentials grant | Required for scheduled SCIM synchronization. |
| Refresh tokens | Required for session extension and logout handling. |
| JWKS publishing | Required for token signature validation. |
| End-session or Logout endpoint | Required for SSO logout support. |
Token claims must include:
- aud
- iss
- exp
- iat
For PASService, role names under resource_access.<clientId>.roles must match PASService web.xml roles such as POLICY_READ, CLIENT_CREATE, SL_ADMIN, and so on.
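The claim and role checks above, as an added example in Python that is not part of the original checklist or of OIPA itself. It takes a token payload whose signature has already been validated against the IdP's JWKS, enforces the aud/iss/exp/iat checklist, and reads the client roles from resource_access.<clientId>.roles; the issuer URL, client ID and sample payload are constructed values.

```python
import time

# Hypothetical values for illustration; substitute the real issuer URL and client ID.
EXPECTED_ISSUER = "https://idp.example.com/realms/oipa"
CLIENT_ID = "oipa-client"
REQUIRED_CLAIMS = ("aud", "iss", "exp", "iat")


def validate_claims(claims, expected_issuer=EXPECTED_ISSUER, client_id=CLIENT_ID, now=None):
    """Return a list of problems found in an already signature-verified token payload.

    The signature must be checked against the IdP's JWKS before this runs; this
    function only enforces the claim checklist (presence of aud, iss, exp, iat,
    correct audience and issuer, and a valid time window).
    """
    now = time.time() if now is None else now
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS if name not in claims]
    if problems:
        return problems
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if client_id not in audiences:
        problems.append(f"aud {audiences!r} does not include {client_id}")
    if claims["iss"] != expected_issuer:
        problems.append(f"unexpected iss {claims['iss']!r}")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        problems.append("token expired")
    if not isinstance(claims["iat"], (int, float)) or claims["iat"] > now + 60:
        problems.append("iat is in the future")      # 60 s clock-skew allowance
    return problems


def client_roles(claims, client_id=CLIENT_ID):
    """Roles granted to this client, read from resource_access.<clientId>.roles."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def has_required_roles(claims, required, client_id=CLIENT_ID):
    """True when every web.xml role name in `required` is present in the token."""
    return set(required) <= client_roles(claims, client_id)


# Constructed sample payload shaped like the claims described in the checklist.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": ["oipa-client", "account"],
    "exp": 1_900_000_000,
    "iat": 1_899_999_000,
    "resource_access": {"oipa-client": {"roles": ["POLICY_READ", "CLIENT_CREATE"]}},
}
```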
For OIPA user provisioning, the mapped IdP groups must match OIPA security group names when SCIM sync is used.