OpenID Providers

Form ID: (SM303020)

By using this form, you can register OpenID Connect identity providers in the system and configure the settings used to integrate with each of them.

Attention: The form is available if the OpenID Connect feature is enabled on the Enable/Disable Features (CS100000) form.

Form Toolbar

The form toolbar includes standard buttons and form-specific buttons and commands. For the list of standard buttons, see Form Toolbar and More Menu. The form-specific commands can be shown as buttons on the form toolbar, as commands on the More menu, or in both places. These commands are listed in the following table in alphabetical order.

Command Description
Change Name Opens the Specify New Name dialog box, where you can specify the new name to be displayed on the Sign-In page of MYOB Advanced and click OK.
Validate Generates a URI with the configuration information of the currently selected provider and validates the configuration against the provider's metadata.

The system can perform the validation if the OpenID provider specified in the Issuer Identifier box supports discovery requests.

View Provider Metadata Opens the Provider Metadata dialog box with the provider's configuration metadata. The metadata can be used to specify settings on the Authentication Settings tab.

The system displays the metadata if the OpenID provider specified in the Issuer Identifier box supports discovery requests.

View Redirect URI Opens the Redirect URI dialog box, where you can copy the tenant's redirect URI. You need this URI to register the MYOB Advanced application with the OpenID provider of your choice and receive the client credentials (Client ID and Client Secret). Register the URI exactly as shown, because the provider will redirect the browser only to a URI that matches the registered one.

Summary Area

In this area, you can specify the settings of a new provider or select an existing provider for modification.

Element Description
Display Name The name of the provider to be displayed on the Sign-In page of MYOB Advanced.
Issuer Identifier The verifiable identifier to be used for the identity provider. It is a case-sensitive URL using the HTTPS scheme that contains the scheme, host, and optionally, port number and path components; it does not contain query or fragment components.
Active A check box that indicates (if selected) that the configured provider is in use.
Client ID The public identifier that the provider issued to the MYOB Advanced application when you registered it.
Client Secret The confidential credential that the provider issued together with the Client ID. Anyone who holds this value can present themselves as this application to the provider, so treat it as a secret.
Claim Type for User Identity

A claim supported by the identity provider that contains information about user identity. You can select one of the following options: sub or oid. The system will use the specified claim for user identification and for binding the user's external account to the MYOB Advanced user profile.

We recommend using the configuration guidelines of the OpenID provider of your choice.

Tip: If you are working with the Microsoft OpenID solution, Microsoft recommends using the oid claim along with the profile scope.
Scope for User Identity A scope or set of scopes supported by the identity provider that contains claims with information about user identity. You can select either or both of the following options: email and profile. The system will use the claims from the selected scopes for the user identification.
Icon Section

Here you can upload an image to be displayed next to the provider's name on the Sign-In page. You can upload multiple images for a provider and change the icon to be used, if needed.
Element Description
Browse Opens the system dialog box you can use to look for the file to be uploaded.
Upload Uploads the selected file and attaches it to the provider's record. You can preview the uploaded file in the Preview area below.
Icon File The name of the file to be displayed next to the provider's name on the Sign-In page.

Authentication Settings Tab

On this tab, you specify the authentication settings needed to connect with the OpenID provider. If the provider that you have specified in the Issuer Identifier box of the Summary area supports discovery requests, you can click View Provider Metadata on the form toolbar and obtain configuration data for the provider.

Element Description
Autoconfiguration A button you can click to make the system retrieve the provider's metadata document, validate its content against the set of required parameters, and automatically fill in the settings for the selected provider if the validation has been successful.

The system can perform the automatic configuration if the OpenID provider specified in the Issuer Identifier box of the Summary area supports discovery requests.

Authorization Endpoint The provider endpoint to which the user's browser is redirected so that the user can authenticate and authorize the sign-in.
Flow

The authorization flow used by the provider. The default option is Authorization Code Flow, which is supported by most OpenID providers and is the recommended choice: the ID token is obtained from the Token Endpoint rather than returned directly to the browser, as it is in the implicit flows. Follow the configuration guidelines of the OpenID provider of your choice if you need to change the default authorization flow.

The following options are available:

  • Authorization Code Flow
  • Implicit Flow (Form Post)
  • Implicit Flow (Fragment)
  • Hybrid Flow (Form Post)
  • Hybrid Flow (Fragment)
Token Endpoint The endpoint that returns a token response. The endpoint must be specified if the Authorization Code Flow, Hybrid Flow (Form Post), or Hybrid Flow (Fragment) option is selected in the Flow box, because these flows return an authorization code that is exchanged for tokens at this endpoint.
JWK Set Location The location (jwks_uri) of the provider's JWK Set document, which publishes the public keys used to verify the signatures of the ID tokens the provider issues.
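The following added example (not MYOB Advanced code) shows the checks that the Validate command and the Autoconfiguration button described above imply: building the discovery URI from the Issuer Identifier, comparing the issuer in the retrieved document with the configured one, and confirming that the endpoints and response types required by the selected Flow are present. The discovery document, issuer and endpoint URLs are constructed for illustration, and the mapping of the form's Flow options to OpenID Connect response types is an assumption (implicit is modelled as id_token only). It runs offline; in real use the document is fetched over HTTPS from discovery_url(issuer).

```python
"""Validate an OpenID provider's discovery metadata for a configured issuer.

Added example, not MYOB Advanced code. Runs offline against a constructed
discovery document; fetch the real one from discovery_url(issuer) over HTTPS.
"""
from urllib.parse import urlsplit

# Members every discovery document must carry (OpenID Connect Discovery 1.0).
ALWAYS_REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported")

# Assumed mapping of the form's Flow options to response types; the implicit
# flows are modelled as "id_token" because only the ID token is consumed here.
FLOW_RESPONSE_TYPE = {
    "Authorization Code Flow": "code",
    "Implicit Flow (Form Post)": "id_token",
    "Implicit Flow (Fragment)": "id_token",
    "Hybrid Flow (Form Post)": "code id_token",
    "Hybrid Flow (Fragment)": "code id_token",
}


def is_valid_issuer(issuer):
    """Issuer Identifier rules from the form: https, host, no query or fragment."""
    parts = urlsplit(issuer)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.query and not parts.fragment


def discovery_url(issuer):
    """Well-known URL: the issuer with any trailing slash removed, plus the suffix."""
    if not is_valid_issuer(issuer):
        raise ValueError(f"issuer must be an https URL without query or fragment: {issuer!r}")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_metadata(issuer, metadata, flow):
    """Return a list of problems; an empty list means the configuration validates."""
    problems = []
    # Exact, case-sensitive match: a document whose issuer differs from the
    # configured Issuer Identifier would let tokens from another issuer through.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer!r}, got {metadata.get('issuer')!r}")
    for key in ALWAYS_REQUIRED:
        if key not in metadata:
            problems.append(f"{key} missing")
    if flow not in FLOW_RESPONSE_TYPE:
        return problems + [f"unknown flow {flow!r}"]
    wanted = set(FLOW_RESPONSE_TYPE[flow].split())
    # Token Endpoint is needed whenever a code is returned (code and hybrid flows).
    if "code" in wanted and "token_endpoint" not in metadata:
        problems.append("token_endpoint missing but the selected flow returns a code")
    supported = [set(rt.split()) for rt in metadata.get("response_types_supported", [])]
    if wanted not in supported:
        problems.append(f"response_type {' '.join(sorted(wanted))!r} not supported by the provider")
    # response_modes_supported is optional; its default is query and fragment only.
    modes = metadata.get("response_modes_supported", ["query", "fragment"])
    if flow.endswith("(Form Post)") and "form_post" not in modes:
        problems.append("form_post response mode not supported by the provider")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in metadata and not metadata[key].startswith("https://"):
            problems.append(f"{key} is not an https URL")
    return problems


def autoconfigure(issuer, metadata, flow):
    """Fill the Authentication Settings tab values only when validation passes."""
    problems = validate_metadata(issuer, metadata, flow)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Authorization Endpoint": metadata["authorization_endpoint"],
        "Token Endpoint": metadata.get("token_endpoint", ""),
        "JWK Set Location": metadata["jwks_uri"],
    }


# Constructed sample document; not captured from any real provider.
SAMPLE_ISSUER = "https://idp.example.com/tenant1"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(autoconfigure(SAMPLE_ISSUER, SAMPLE_METADATA, "Authorization Code Flow"))
```

Note that the issuer comparison is deliberately exact: an Issuer Identifier entered with a trailing slash fails validation against a document whose issuer has none, which is the behaviour the OpenID Connect Discovery specification requires.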

User Binding Rules Tab

You can use this tab to create a user binding rule. By using the set of conditions defined on this tab, the system will try to automatically bind a user identity to an existing user profile in the tenant the first time this user signs in to the system using the OpenID provider. This tab consists of a check box you use to activate automatic binding and a table in which you specify the conditions.

Element Description
Automatically Bind Users

A check box that indicates (if selected) that the automatic binding of users is activated.

The system uses the set of conditions specified in the table to check if there is a user profile corresponding to the user information in the ID token received from the OpenID provider. If there is, the system then associates the user identity with the corresponding user profile.

Active A check box that indicates (if selected) that the condition is active and used in the automatic binding of the users if the Automatically Bind Users check box is selected.
Brackets A group of opening brackets to group logical conditions.
User Field The box from the User Settings section on the User Profile (SM203010) form whose value the system will compare with the data it receives from the OpenID provider.
Claim Type The data that the system receives from the OpenID provider in the ID token. The system will compare the received data with the value of the box specified in the User Field column of this row.
Verified A check box that indicates (if selected) that the claim is accepted only if the provider reports it as verified:
  • For the email claim type, the system considers the email address in the box specified in the User Field column of this row equal to the email address received from the OpenID provider only if the two addresses are equal and the email_verified claim is true.
  • For the phone_number claim type, the system considers the phone number in the box specified in the User Field column of this row equal to the phone number received from the OpenID provider only if the two numbers are equal and the phone_number_verified claim is true.

The check box is available only if the value selected in the Claim Type column of this row is email or phone_number. If the check box is cleared, an address or number the provider has not verified can still bind the external account to a user profile.

Scope A scope to which the claim selected in the Claim Type cell belongs.
Brackets A group of closing brackets to group logical conditions.
Operator The logical operator to be used between conditions or bracketed groups of conditions.

User Creation Rules Tab

You can use this tab to create a user creation rule. During a user's initial sign-in using the OpenID provider, the system uses the set of conditions defined on this tab to create a user profile in the selected tenant if the user information from the ID token corresponds to the data defined in the conditions on the tab.

Element Description
Automatically Add Users

A check box that indicates (if selected) that the automatic creation of users is activated for the OpenID provider.

The system uses the set of conditions specified in the table to create a user profile in the selected tenant if the user information from the ID token corresponds to the data defined in the conditions of the tab.

User Type The user type to be used as a template for creation of a user profile. You define user types on the User Types (EP202500) form.
Active A check box that indicates (if selected) that the condition is active and used in the automatic creation of the users if the Automatically Add Users check box is selected.
User Field The box from the User Settings section on the User Profile (SM203010) form whose value the system will compare with the data it receives from the OpenID provider.
Claim Type The data that the system receives from the OpenID provider in the ID token. The system will compare the received data with the value of the box specified in the User Field column of this row.
Verified A check box that indicates (if selected) that the claim value is written to the new user profile only if the provider reports it as verified:
  • For the email claim type, the system assigns the email address received from the OpenID provider to the created user only if the email_verified claim is true.
  • For the phone_number claim type, the system assigns the phone number received from the OpenID provider to the created user only if the phone_number_verified claim is true.

This check box is available only if the value selected in the Claim Type column of this row is email or phone_number. If the check box is cleared, an unverified address or number from the provider is written to the new user profile.

Scope A scope to which the claim selected in the Claim Type cell belongs.
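The following added example (not MYOB Advanced code) shows how the User Binding Rules and User Creation Rules tables described above can be evaluated against the claims of a decoded ID token: the Brackets and Operator columns are evaluated with the usual precedence (brackets, then AND, then OR), and the Verified check box is honoured for the email and phone_number claims. The rule rows, user profiles, field names and claims are constructed for illustration; the Scope column is omitted because the claims are assumed to be present in the token already; and how the product breaks ties when several profiles match a binding rule is not stated on this page, so the example refuses to bind in that case (an assumption).

```python
"""Evaluate User Binding Rules and User Creation Rules against ID token claims.

Added example, not MYOB Advanced code. Each table row is a dict with the
columns Active, Brackets (open/close counts), User Field, Claim Type,
Verified and Operator. Scope is omitted: claims are assumed already present.
"""


def condition_holds(row, user, claims):
    """One row: the user field must equal the claim of the configured type.
    With Verified set, email or phone_number only counts when the matching
    *_verified claim is the JSON boolean true (the string "true" is rejected)."""
    claim = row["claim_type"]
    value = claims.get(claim)
    if value is None:
        return False
    if row.get("verified") and claims.get(f"{claim}_verified") is not True:
        return False
    return user.get(row["user_field"]) == value  # exact comparison (assumption)


def to_tokens(rows, user, claims):
    """Flatten the active rows into '(' , ')', True/False and 'AND'/'OR' tokens."""
    active = [r for r in rows if r.get("active", True)]
    toks = []
    for i, row in enumerate(active):
        toks += ["("] * row.get("open", 0)
        toks.append(condition_holds(row, user, claims))
        toks += [")"] * row.get("close", 0)
        if i < len(active) - 1:  # the operator joins this row to the next one
            toks.append(row.get("operator", "AND"))
    return toks


# Recursive-descent evaluation: brackets bind tightest, then AND, then OR.
def _parse_or(toks, pos):
    left, pos = _parse_and(toks, pos)
    while pos < len(toks) and toks[pos] == "OR":
        right, pos = _parse_and(toks, pos + 1)
        left = left or right
    return left, pos


def _parse_and(toks, pos):
    left, pos = _parse_atom(toks, pos)
    while pos < len(toks) and toks[pos] == "AND":
        right, pos = _parse_atom(toks, pos + 1)
        left = left and right
    return left, pos


def _parse_atom(toks, pos):
    if toks[pos] == "(":
        value, pos = _parse_or(toks, pos + 1)
        if pos >= len(toks) or toks[pos] != ")":
            raise ValueError("unbalanced brackets in rule")
        return value, pos + 1
    return toks[pos], pos + 1


def rule_matches(rows, user, claims):
    """True when the whole bracketed expression holds for this user profile."""
    toks = to_tokens(rows, user, claims)
    if not toks:
        return False
    value, pos = _parse_or(toks, 0)
    if pos != len(toks):
        raise ValueError("unbalanced brackets in rule")
    return value


def bind_user(rows, users, claims):
    """Login of the single matching profile, or None when zero or several match."""
    matches = [u["login"] for u in users if rule_matches(rows, u, claims)]
    return matches[0] if len(matches) == 1 else None


def create_user_profile(rows, claims, user_type):
    """User Creation Rules: copy each active row's claim into its user field,
    leaving email/phone_number empty when Verified is set but the provider
    did not mark the claim as verified."""
    profile = {"user_type": user_type}
    for row in rows:
        claim = row["claim_type"]
        if not row.get("active", True) or claim not in claims:
            continue
        if row.get("verified") and claims.get(f"{claim}_verified") is not True:
            continue
        profile[row["user_field"]] = claims[claim]
    return profile


# Constructed sample rows, profiles and claims (not from any real tenant or provider).
BINDING_RULES = [  # ( email OR phone_number ) AND family_name
    {"open": 1, "user_field": "email", "claim_type": "email", "verified": True, "operator": "OR"},
    {"user_field": "phone", "claim_type": "phone_number", "verified": True, "close": 1, "operator": "AND"},
    {"user_field": "last_name", "claim_type": "family_name"},
]
CREATION_RULES = [
    {"user_field": "email", "claim_type": "email", "verified": True},
    {"user_field": "first_name", "claim_type": "given_name"},
    {"user_field": "last_name", "claim_type": "family_name"},
]
USERS = [
    {"login": "jsmith", "email": "jsmith@example.com", "phone": "+61400000001", "last_name": "Smith"},
    {"login": "asmith", "email": "asmith@example.com", "phone": "+61400000002", "last_name": "Smith"},
]
VERIFIED_CLAIMS = {"sub": "abc123", "email": "jsmith@example.com", "email_verified": True,
                   "given_name": "John", "family_name": "Smith"}
UNVERIFIED_CLAIMS = dict(VERIFIED_CLAIMS, email_verified=False)
```

With the sample rows, jsmith is bound because the verified email matches and the surname matches; the same token with email_verified set to false binds nobody, and the creation rules then produce a profile without an email address, which is the effect of the Verified check box described above.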

Role Mapping Rules Tab

You can use this tab to create role mapping rules. Based on these rules and the user information in the ID token, the system automatically overrides the roles of a new or existing user when the user signs in through the provider.

Element Description
User Roles from Provider Settings

A check box that indicates (if selected) that each time a user signs in to the system by using the selected OpenID provider, the system assigns the appropriate user roles based on the role mapping rules specified in the table of this tab.

If the user signing in to the system is a user created based on a user creation rule defined for the OpenID provider, then the system uses the value defined in the User Type box on the User Creation Rules tab.

If the user signing in to the system is an existing user, then the system uses the value defined in the User Type box on the Users (SM201010) form.

Claim Type A claim that you configured on the provider side to return the list of roles.
Scope A scope that you configured on the provider side to return the list of roles.
Active A check box that indicates (if selected) that the condition is active and used in the automatic role mapping if the User Roles from Provider Settings check box is selected.
Claim Value

The specific user role value, which is defined on the OpenID provider side and passed in the claim type from the ID token.

Role Name The name of the role specified in MYOB Advanced.