CAP OpenID Connect integration manual
Prerequisites
- A running OpenID Connect identity provider (the identity server)
- Access to the CAP server configuration (the .env file of your on-premises installation)
Identity server setup steps
Check the following in your identity server configuration:
- OpenID Connect Discovery is enabled, so that CAP can fetch the provider's endpoints from the discovery URL
- the Authorization Code Flow is allowed for the client
- a client name (client ID) and a client secret are registered for CAP; the callback URI that CAP uses after login must also be registered with that client, since the Authorization Code Flow only redirects to registered URIs
CAP setup steps
For now, the OpenID Connect integration for CAP can only be configured by setting environment variables. One way to do so is to edit the .env file that lies at the root of your on-premises CAP installation. Because this file holds the client secret, keep it readable by the CAP service account only and out of version control.
Here are the variables you need to set:
OIDC_DISCOVERY_URL: discovery URL, meant for autoconfiguration of the OpenID Connect endpoints (authorization, token, JWKS). Use an https URL, since everything else is derived from the document it serves. It generally looks like
OIDC_CLIENT_NAME: the name (client ID) you assigned to CAP, i.e. the client, when you configured your identity server
OIDC_SECRET: the client secret associated with the aforementioned client
OIDC_DEFAULT_ORG_ID: the ID of the default organization that a user authenticated through SSO will belong to. Every account your identity provider is willing to authenticate ends up in this organization, so restrict at the identity provider which users may use the CAP client.
Here are the optional variables you may also set:
OIDC_BUTTON_LABEL: text that will be displayed on the SSO login button
OIDC_USE_PING_FEDERATE: set this to true if PingFederate is your identity provider
OIDC_RESOURCE: optional parameter that hints to the identity provider which role claim(s) should be included in the Access Token upon successful user authentication. Set this only if your identity provider requires it.
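As an added example (not CAP's own code, nor part of this manual), the following Python script runs the checks from both sections above before CAP is restarted: it parses the .env, verifies that the four required variables are set, insists on an https discovery URL, flags a .env that other users can read, and checks that the provider's discovery document actually offers the Authorization Code Flow and the endpoints autoconfiguration needs. The variable names are those of this manual; the KEY=VALUE .env format, the sample values, the sample discovery document and the script name are assumptions constructed for illustration.

```python
"""Pre-flight checks for a CAP OpenID Connect configuration.
Added example, not CAP code. Assumes a KEY=VALUE .env file and a standard
OpenID Connect Discovery document at OIDC_DISCOVERY_URL; samples are constructed.
"""
import json, os, stat, sys
import urllib.request
from urllib.parse import urlparse

REQUIRED = ("OIDC_DISCOVERY_URL", "OIDC_CLIENT_NAME", "OIDC_SECRET",
            "OIDC_DEFAULT_ORG_ID")

# Constructed sample .env laid out as the manual describes (placeholder values).
SAMPLE_ENV = """\
# OpenID Connect settings for CAP
OIDC_DISCOVERY_URL=https://idp.example.com/.well-known/openid-configuration
OIDC_CLIENT_NAME=cap
OIDC_SECRET="replace-with-the-client-secret"
OIDC_DEFAULT_ORG_ID=1
OIDC_USE_PING_FEDERATE=false
"""

# Constructed discovery document carrying the fields autoconfiguration needs.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def check_env(env):
    """Problems with the CAP-side variables; an empty list means they look fine."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    url = env.get("OIDC_DISCOVERY_URL")
    if url and urlparse(url).scheme != "https":
        # Every other endpoint comes from this document, so a plaintext fetch
        # would let an on-path attacker redirect the whole login flow.
        problems.append("OIDC_DISCOVERY_URL must use https")
    flag = env.get("OIDC_USE_PING_FEDERATE")
    if flag is not None and flag.lower() not in ("true", "false"):
        problems.append("OIDC_USE_PING_FEDERATE must be 'true' or 'false'")
    return problems

def check_discovery(doc):
    """Problems with a discovery document relative to what the manual requires."""
    problems = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field not in doc:
            problems.append(f"discovery document lacks {field}")
        elif urlparse(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code Flow not offered: no 'code' in response_types_supported")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = doc.get("grant_types_supported")
    if grants is not None and "authorization_code" not in grants:
        problems.append("authorization_code missing from grant_types_supported")
    return problems

def mode_is_private(mode):
    """True when group and others cannot read the file (it holds OIDC_SECRET)."""
    return (mode & (stat.S_IRGRP | stat.S_IROTH)) == 0

def fetch_discovery(url, timeout=10):
    """Fetch the live discovery document (urlopen verifies the TLS certificate)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    with open(path) as fh:
        env = parse_dotenv(fh.read())
    problems = check_env(env)
    if not mode_is_private(stat.S_IMODE(os.stat(path).st_mode)):
        problems.append(f"{path} is readable by group or others")
    if env.get("OIDC_DISCOVERY_URL") and not problems:
        problems += check_discovery(fetch_discovery(env["OIDC_DISCOVERY_URL"]))
    print("\n".join(problems) if problems else "OIDC configuration looks consistent")
    sys.exit(1 if problems else 0)
```

Run it against the real file, for instance `python oidc_preflight.py /path/to/.env` (the script name is hypothetical); it exits non-zero and lists every problem it found, and only fetches the discovery document once the local checks pass, so a plaintext discovery URL is never contacted.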
Once CAP is configured for OpenID Connect, a new button reading "Log in with OpenID" (or the text you set in OIDC_BUTTON_LABEL) appears on the login page.
Clicking it redirects you to a login page managed by your identity provider; once the provider has validated your credentials, you are redirected back to CAP.