Overview

Native SSO uses OpenID Connect (OIDC) and is enabled per application through application.isSSOEnabled=true. When enabled, the application loads oidc-config.yaml from the runtime classpath and uses the configured OIDC issuer to fetch the provider discovery document from:

{issuer}/.well-known/openid-configuration

The implementation expects the provider discovery document to expose at least:

authorization_endpoint
token_endpoint
jwks_uri
end_session_endpoint
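A practical pre-deployment check is to fetch the discovery document for the configured issuer and confirm it carries the four fields listed above, that every endpoint is HTTPS, and that the issuer value inside the document matches the issuer it was fetched from (a mismatch means the document, and therefore the keys and endpoints it points at, cannot be trusted). The following Python script is an added example, not part of the product or its documentation; the discovery documents it inspects are constructed inline with placeholder hostnames so that it runs offline, and the discovery_url() helper only builds the URL without fetching it.

```python
import json
from urllib.parse import urlparse

# Fields the application requires in the discovery document (from the text above).
REQUIRED_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)


def discovery_url(issuer: str) -> str:
    """Build the discovery URL the application derives from the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(configured_issuer: str, document_json: str) -> list:
    """Return a list of problems with a discovery document; empty means usable.

    Checks performed:
      * the document's own 'issuer' equals the issuer it was fetched for
        (OIDC Discovery requires this; a mismatch is a misconfiguration or a
        spoofed document)
      * every required endpoint is present and non-empty
      * every required endpoint uses https, so codes, tokens and keys are
        never exchanged in clear text
    """
    document = json.loads(document_json)
    problems = []

    doc_issuer = (document.get("issuer") or "").rstrip("/")
    if doc_issuer != configured_issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, document {document.get('issuer')!r}"
        )

    for key in REQUIRED_KEYS:
        value = document.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    return problems


# Constructed sample documents (placeholder host, not a real provider).
SAMPLE_ISSUER = "https://idp.example.invalid/realms/oipa"

SAMPLE_GOOD_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "end_session_endpoint": SAMPLE_ISSUER + "/logout",
})

# Wrong issuer, plaintext JWKS URL and no logout endpoint: all three must be reported.
SAMPLE_BAD_JSON = json.dumps({
    "issuer": "https://other.example.invalid/realms/oipa",
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": "http://idp.example.invalid/realms/oipa/jwks",
})


if __name__ == "__main__":
    print("discovery URL:", discovery_url(SAMPLE_ISSUER))
    print("good document problems:", check_discovery(SAMPLE_ISSUER, SAMPLE_GOOD_JSON))
    print("bad document problems:", check_discovery(SAMPLE_ISSUER, SAMPLE_BAD_JSON))
```

Against a live provider, replace the constructed JSON with the body returned by an HTTPS GET of discovery_url(issuer) and treat any non-empty problem list as a blocker before setting application.isSSOEnabled=true.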

Common Configuration

Enable SSO in each runtime property file that uses Native SSO:

application.isSSOEnabled=true

oidc-config.yaml

Use the following structure:

Note: Replace all environment-specific values and avoid committing real secrets to source control.

oidc:
  issuer: https://<idp-host>/realms/<realm>
  clientId: <client-id>
  clientSecret: <client-secret>
  audience: <audience>

  # Required for OIPA browser login flow
  redirectUri: https://<oipa-host>/PASJava

  # Required only for OIPA SCIM user sync
  scimUri: https://<idp-host>/realms/<realm>/scim/v2/Users

  tokenValidation:
    validateIssuer: true
    validateAudience: true

  userMapping:
    clientNumber: preferred_username
    firstName: given_name
    lastName: family_name
    email: email

  companyMapping:
    primaryCompanyGUID: <default-oipa-company-guid>
    defaultSecurityGroupGUID: <default-oipa-security-group-guid>
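The tokenValidation, userMapping and companyMapping sections above define what happens after a token arrives: the token is rejected unless its issuer and audience match the configuration, then its claims are mapped onto an OIPA user and the configured company and security group are attached. The following Python code is an added example of that logic written against a Python mirror of the oidc-config.yaml shown above; it is not the product's own implementation. It assumes the claims it receives were already taken from a token whose signature was verified against jwks_uri and that a loader (PyYAML, for instance) has produced the configuration dictionary; both the configuration values and the sample claims are constructed placeholders.

```python
import time

# Mirror of the oidc-config.yaml structure above; values are placeholders.
OIDC_CONFIG = {
    "issuer": "https://idp.example.invalid/realms/oipa",
    "clientId": "oipa-client",
    "audience": "oipa",
    "tokenValidation": {"validateIssuer": True, "validateAudience": True},
    "userMapping": {
        "clientNumber": "preferred_username",
        "firstName": "given_name",
        "lastName": "family_name",
        "email": "email",
    },
    "companyMapping": {
        "primaryCompanyGUID": "COMPANY-GUID-PLACEHOLDER",
        "defaultSecurityGroupGUID": "SECGROUP-GUID-PLACEHOLDER",
    },
}

# Mapped fields a login cannot proceed without (assumption: the client number is
# the OIPA identity key, the name and e-mail fields are informational).
REQUIRED_USER_FIELDS = {"clientNumber"}


class TokenRejected(Exception):
    """Raised when a token fails the configured validation."""


def validate_claims(claims: dict, config: dict, now: float = None) -> dict:
    """Enforce expiry plus the issuer/audience checks enabled in tokenValidation.

    Assumes the claims come from a token whose signature was already verified
    against the provider's jwks_uri; this function only checks the payload.
    """
    now = time.time() if now is None else now
    tv = config["tokenValidation"]

    exp = claims.get("exp")
    if exp is None or exp <= now:
        raise TokenRejected("token has no exp claim or is expired")

    if tv.get("validateIssuer") and claims.get("iss") != config["issuer"]:
        raise TokenRejected(f"unexpected issuer {claims.get('iss')!r}")

    if tv.get("validateAudience"):
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if config["audience"] not in audiences:
            raise TokenRejected(f"audience {aud!r} does not include {config['audience']!r}")
    return claims


def map_user(claims: dict, config: dict) -> dict:
    """Translate claims into OIPA user fields using userMapping and companyMapping."""
    user = {}
    for field, claim_name in config["userMapping"].items():
        value = claims.get(claim_name)
        if field in REQUIRED_USER_FIELDS and not value:
            raise TokenRejected(f"claim {claim_name!r} required for {field!r} is missing")
        user[field] = value
    user.update(config["companyMapping"])
    return user


def login_from_claims(claims: dict, config: dict, now: float = None) -> dict:
    """Validate first, map second: never build a user record from an unvalidated token."""
    validate_claims(claims, config, now)
    return map_user(claims, config)


def rejection_reason(claims: dict, config: dict, now: float = None):
    """Return the rejection message for a token, or None when it is accepted."""
    try:
        login_from_claims(claims, config, now)
    except TokenRejected as exc:
        return str(exc)
    return None


# Constructed sample claims, as decoded from an ID token (not a real user).
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.invalid/realms/oipa",
    "aud": ["oipa", "account"],
    "exp": SAMPLE_NOW + 300,
    "preferred_username": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.invalid",
}


if __name__ == "__main__":
    print(login_from_claims(SAMPLE_CLAIMS, OIDC_CONFIG, now=SAMPLE_NOW))
    print(rejection_reason({**SAMPLE_CLAIMS, "aud": "other-app"}, OIDC_CONFIG, now=SAMPLE_NOW))
```

Setting validateIssuer or validateAudience to false in oidc-config.yaml disables the corresponding branch, which means a token minted by a different realm, or for a different client of the same provider, would be accepted; keep both enabled unless a specific integration requirement is documented.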