After creating user identities in an external OpenID Connect (OIDC) identity provider supported by NexusOne, you must connect NexusOne to the OIDC provider. Connecting to an identity provider ensures that the user identities you created can authenticate with NexusOne.

Connect to an OIDC identity provider

Perform these steps to connect to an OIDC identity provider.
  1. Log in to NexusOne.
  2. On the top navigation bar, hover your mouse over Govern and then select Identity Provider.
  3. Click the plus (+) icon in the top right corner of the page to choose a provider.
  4. Select a provider.
  5. Configure the provider with the following details:
    1. In the Display Name field, enter a provider display name. This name is shown in NexusOne’s UI.
    2. In the Alias field, enter a unique name. It must be in lowercase and contain hyphens.
    3. Use the toggle button to Enable or Disable the provider.
    4. Create an OIDC app in the provider’s portal that represents NexusOne.
    5. Copy NexusOne’s redirect URI shown in the Redirect URI / Callback URL field and paste it into the provider’s Allowed Redirect URIs / Callback list.
    6. In the Issuer URL field, enter the provider’s issuer URL, or use NexusOne’s search button to discover the endpoint.
    7. In the Client ID field, enter a client ID. This is the public identifier for the NexusOne app you created in the provider.
    8. In the Client Secret field, enter a client secret associated with the client ID.
    9. In the Authorization URL field, enter an authorization URL. This is the provider’s endpoint that NexusOne directs a user’s browser to so they can authenticate.
    10. In the Token URL field, enter a token URL. This is the provider’s OAuth 2.0 token endpoint that NexusOne calls to exchange the authorization code for tokens such as an ID token and an access token.
    11. In the UserInfo URL field, enter a user info URL. This is the provider’s OpenID Connect UserInfo endpoint that NexusOne can call with an access token to fetch user profile claims such as an email or name, if they’re not all in the token.
    12. In the Scopes field, enter the scopes to request from the provider as a space-separated list. Each scope names a permission or a set of user information.
    13. From the Sync Mode list, select a sync mode. The sync mode determines how NexusOne syncs the user identities from the provider. The sync mode can be one of the following:
      • FORCE: NexusOne forces the sync mode.
      • IMPORT: NexusOne imports the user identities from the provider.
      • INHERIT: NexusOne inherits the user identities from the provider.
      • LEGACY: NexusOne uses a legacy sync mode.
    14. Select whether to validate the token signature or not. When enabled, NexusOne verifies that tokens were cryptographically signed by the provider.
    15. Select whether to enable Proof Key for Code Exchange (PKCE) or not. PKCE reduces the risk of authorization code interception and replay.
    16. Click Next.
  6. Configure attribute mapping between the identity provider and user accounts.
    1. In the IdP Claim field, enter a user profile claim name.
    2. In the User Attribute field, enter a NexusOne user attribute to map the claim to.
    3. From the Sync list, select a sync option for the attribute mapping. The sync option can be one of the following:
      • FORCE: NexusOne forces the sync mode.
      • IMPORT: NexusOne imports the user identities from the provider.
      • INHERIT: NexusOne inherits the user identities from the provider.
    4. In the Group Mapping section, enter a group name and select a sync option.
  7. Click Next.
  8. Review your configuration and then click Create Identity Provider.
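As an added example (not NexusOne’s own code), the following Python checks the discovery document behind the Issuer URL against the fields in the procedure above: the endpoint URLs, the settings that make the token signature and PKCE toggles effective, and the scopes you intend to request. The provider host and the discovery document are constructed for illustration.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen
# Endpoint fields from OpenID Connect Discovery 1.0 that the NexusOne form asks for.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def fetch_discovery(issuer_url: str) -> dict:
    """Fetch the provider's discovery document (network call, not exercised offline)."""
    with urlopen(issuer_url.rstrip("/") + "/.well-known/openid-configuration", timeout=10) as resp:
        return json.load(resp)

def check_discovery(issuer_url: str, doc: dict, scopes: str) -> dict:
    """Check the document against the form's fields; return endpoints and a list of problems."""
    problems = []
    # 'issuer' must match the Issuer URL field, or the 'iss' claim in ID tokens will not validate.
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_url!r}")
    endpoints = {}
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        if urlparse(value).scheme != "https":  # codes, tokens and the client secret travel here
            problems.append(f"{key} is not https: {value}")
        endpoints[key] = value
    # Signature validation only protects you if the provider never issues unsigned tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises alg=none; keep signature validation enabled")
    # The PKCE toggle is only effective if the provider supports the S256 challenge method.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("provider does not advertise PKCE S256")
    # 'openid' is mandatory; every other requested scope should be one the provider advertises.
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scopes must include 'openid'")
    supported = set(doc.get("scopes_supported", []))
    for scope in requested:
        if supported and scope not in supported:
            problems.append(f"scope {scope!r} not advertised by provider")
    return {"endpoints": endpoints, "problems": problems}

# Constructed sample discovery document; not taken from any real provider.
BASE = "https://idp.example.com"
SAMPLE_DOC = {
    "issuer": BASE, "jwks_uri": BASE + "/oauth2/keys", "userinfo_endpoint": BASE + "/oauth2/userinfo",
    "authorization_endpoint": BASE + "/oauth2/authorize", "token_endpoint": BASE + "/oauth2/token",
    "scopes_supported": ["openid", "profile", "email"], "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
```

Run `check_discovery(BASE, fetch_discovery(BASE), "openid profile email")` against a live provider and fix every reported problem before filling in the Authorization, Token and UserInfo URL fields.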
