Set up an external OIDC identity provider
To allow customers to sign in using an external OIDC identity provider, configure the provider in Enterprise login. This includes defining how the provider appears to customers, how Strivacity authenticates with the provider, and (optionally) enabling advanced authorization features such as Pushed Authorization Requests (PAR).
Create the login provider
Follow these steps to set up an external OIDC identity provider (and your application).
- In the Admin Console, go to Identities → Enterprise login.
- Select Create.
- Choose OpenID as the provider type.
Provider details
The fields in the left-hand panel define how the provider is presented to customers and how profile data is handled.
| Field name | Description |
|---|---|
| Name | Enter a display name for the provider. |
| Description | Optional. Add notes to help other administrators identify the configuration. |
| Policy tag | Select an optional tag to apply to this provider. |
| Login button text | Customize the text displayed on the login button for this provider. |
| Login button logo URL | Enter a URL for the logo shown on the login button. |
| Synchronize and store profile data at each login | Retrieve and update profile data from the IdP each time a customer signs in. |
| Only store mapped values | Store only attributes mapped to identity store fields. If disabled, full metadata from the IdP is retained for troubleshooting. |
Enable Only store mapped values after testing to avoid retaining unnecessary data from the IdP.
Configuration
The Configuration tab defines how Strivacity connects to and authenticates with the external identity provider.
| Field name | Description |
|---|---|
| Client ID | The unique identifier issued by the external identity provider for your integration. |
| Client secret | The shared secret issued by the identity provider, used to authenticate Strivacity to the IdP. |
| Token endpoint authorization method override | Defines how the token endpoint authenticates the client (Default, Basic, or Post). |
| Auto discovery | Enable this option to automatically populate endpoint URLs. |
| Auto discovery URL | Optional. Provide the OIDC discovery URL if auto-discovery is disabled. |
| Authorization endpoint | The URL where customers are redirected for authentication at the external IdP. |
| Token endpoint | The URL where Strivacity exchanges the authorization code for an access token. |
| Issuer | The identifier for the IdP issuing the tokens. Used for validation and trust verification. |
| Userinfo endpoint | The URL where Strivacity retrieves customer profile information after authentication. |
| JWKS endpoint | The URL where Strivacity retrieves the IdP’s JWKS to validate token signatures. |
| Scopes | Select standard scopes (Open ID, Profile, Email) or add extra scopes as needed. |
| ACR values | Define an authentication context class reference. |
| Enable message-level encryption | If required by your IdP, enable encryption for message exchange. |
| Private key | Upload the private key used to decrypt incoming messages when message-level encryption is enabled. |
Pushed Authorization Requests (PAR)
The Pushed Authorization Requests (PAR) tab allows you to configure RFC 9126-compliant authorization flows for providers that require authorization requests to be sent directly to a backend endpoint instead of via browser redirects.
When PAR is enabled, Strivacity sends authorization parameters to the provider’s PAR endpoint and uses the returned request_uri during the authorization redirect.
| Field name | Description |
|---|---|
| Enable Pushed Authorization Requests | Enables the use of the RFC 9126 PAR flow for this provider. |
| PAR endpoint URL | The full URL of the provider’s Pushed Authorization Request endpoint. |
| Client authentication method for PAR | Defines how Strivacity authenticates to the PAR endpoint (Basic or Post). The selected method must be supported by the provider. |
When PAR is enabled, the remainder of the OIDC authentication flow remains unchanged. Only the way authorization parameters are transmitted is modified.
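The two messages of the exchange described above, as an added example that is not Strivacity's code: the back-channel POST to the PAR endpoint using either client_secret_basic or client_secret_post (the two choices under Client authentication method for PAR), a constructed stand-in for the provider side that authenticates the client and mints a request_uri, and the browser redirect that carries only client_id and request_uri. All endpoint URLs, client credentials and the redirect URI are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://idp.example/as/authorize"  # constructed placeholder
CLIENT_ID = "strivacity-client"                      # constructed placeholder
CLIENT_SECRET = "s3cr3t-example"                     # constructed placeholder
REDIRECT_URI = "https://login.example/callback"      # constructed placeholder
PAR_STORE = {}  # provider-side memory of pushed requests, keyed by request_uri

def build_par_request(client_id, client_secret, redirect_uri, scope, auth_method="basic"):
    """Message 1 (back channel): headers and body for the POST to the provider's PAR endpoint.
    auth_method mirrors the 'Client authentication method for PAR' setting (basic or post)."""
    if auth_method not in ("basic", "post"):
        raise ValueError("PAR client authentication must be 'basic' or 'post'")
    form = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "state": secrets.token_urlsafe(16)}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "basic":  # client_secret_basic: credentials in the Authorization header
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:  # client_secret_post: the secret travels in the form body instead
        form["client_secret"] = client_secret
    return headers, form

def fake_par_endpoint(headers, form, registered_clients):
    """Provider side (constructed stand-in): authenticate the client by whichever method it
    used, remember the parameters, and hand back a short-lived, one-time request_uri."""
    client_id = form.get("client_id", "")
    secret = registered_clients.get(client_id)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        presented = base64.b64decode(auth[6:])
        ok = secret is not None and secrets.compare_digest(presented, f"{client_id}:{secret}".encode())
    else:
        ok = secret is not None and secrets.compare_digest(form.get("client_secret", "").encode(), secret.encode())
    if not ok:
        return 401, {"error": "invalid_client"}
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    PAR_STORE[request_uri] = {k: v for k, v in form.items() if k != "client_secret"}
    return 201, {"request_uri": request_uri, "expires_in": 60}

def build_authorize_redirect(client_id, request_uri):
    """Message 2 (front channel): only client_id and request_uri reach the browser."""
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})

def run_flow(auth_method):
    """Drive both messages; return the redirect URL, or None if the PAR call was rejected."""
    headers, form = build_par_request(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, "openid profile email", auth_method)
    status, body = fake_par_endpoint(headers, form, {CLIENT_ID: CLIENT_SECRET})
    return build_authorize_redirect(CLIENT_ID, body["request_uri"]) if status == 201 else None
```

Once the customer arrives at the authorization endpoint with the request_uri, the code exchange at the token endpoint proceeds exactly as without PAR.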
Save and next steps
- Select Save to create the login provider.
- After saving, open the Claim mappings tab to map IdP claims to your identity store fields.
- Select Save again.