Date: 2024-01-01
Version: 18.x

OIDC Connector V3 Reference

Kind: oidc

Version: v3

Represents an OIDC connector.

Example:



| Field Name | Description | Type |
|---|---|---|
| kind | A resource kind. | string |
| metadata | Holds resource metadata. | Metadata |
| spec | An OIDC connector specification. | OIDC Connector Spec V3 |
| sub_kind | An optional resource sub kind, used in some resources. | string |
| version | The resource version. It must be specified. Supported values are: v3. | string |

Claim Mapping

Maps a claim to Teleport roles.

Example:

```yaml
claim: "string"
value: "string"
roles:
  - "string"
  - "string"
  - "string"
```

| Field Name | Description | Type |
|---|---|---|
| claim | A claim name. | string |
| roles | A list of static Teleport roles to match. | []string |
| value | A claim value to match. | string |

Duration

A wrapper around duration to set up custom marshal/unmarshal.

Entra ID Groups Provider

Configures an out-of-band user groups provider. It works by following the groups claim source, which Entra ID sends in place of the "groups" claim when the user's group membership exceeds the 200-item limit.

Example:

```yaml
disabled: true
group_type: "string"
graph_endpoint: "string"
```

| Field Name | Description | Type |
|---|---|---|
| disabled | Specifies that the groups provider should be disabled even when Entra ID responds with a groups claim source. A user may choose to disable it when using integrations such as SCIM or a similar groups importer, since connector-based role mapping may not be needed in that scenario. | Boolean |
| graph_endpoint | A Microsoft Graph API endpoint. The groups claim source endpoint provided by Entra ID points to the now-retired Azure AD Graph endpoint ("https://graph.windows.net"). To convert it to the newer Microsoft Graph API endpoint, Teleport defaults to the Microsoft Graph global service endpoint ("https://graph.microsoft.com"). Set graph_endpoint to point to a different Microsoft Graph national cloud deployment endpoint. | string |
| group_type | A user group type filter. Defaults to "security-groups". Value can be "security-groups", "directory-roles", or "all-groups". | string |

Metadata

Resource metadata.

Example:

```yaml
name: "string"
description: "string"
labels:
  "string": "string"
  "string": "string"
  "string": "string"
expires:
revision: "string"
```

| Field Name | Description | Type |
|---|---|---|
| description | Object description. | string |
| expires | A global expiry time header that can be set on any resource in the system. | |
| labels | A set of labels. | map[string]string |
| name | An object name. | string |
| revision | An opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. | string |

OIDC Connector MFA Settings

Contains OIDC MFA settings.

Example:

```yaml
enabled: true
client_id: "string"
client_secret: "string"
acr_values: "string"
prompt: "string"
max_age:
request_object_mode: "string"
```

| Field Name | Description | Type |
|---|---|---|
| acr_values | Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies between identity providers. Some identity providers support MFA-specific contexts, such as Okta with its "phr" (phishing-resistant) ACR. | string |
| client_id | The OIDC OAuth app client ID. | string |
| client_secret | The OIDC OAuth app client secret. | string |
| enabled | Specifies whether this OIDC connector supports MFA checks. Defaults to false. | Boolean |
| max_age | The amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is set up to perform MFA checks on top of active user sessions. | Duration |
| prompt | An optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility. | string |
| request_object_mode | Determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows default to the request_object_mode behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client. | string |

OIDC Connector Spec V3

An OIDC connector specification. It specifies the configuration for an OpenID Connect compatible external identity provider: https://openid.net/specs/openid-connect-core-1_0.html

Example:

```yaml
issuer_url: "string"
client_id: "string"
client_secret: "string"
acr_values: "string"
provider: "string"
display: "string"
scope:
  - "string"
  - "string"
  - "string"
prompt: "string"
claims_to_roles:
  -
  -
  -
google_service_account_uri: "string"
google_service_account: "string"
google_admin_email: "string"
redirect_url:
allow_unverified_email: true
username_claim: "string"
max_age:
client_redirect_settings:
mfa:
pkce_mode: "string"
user_matchers:
  - "string"
  - "string"
  - "string"
request_object_mode: "string"
entra_id_groups_provider:
```

| Field Name | Description | Type |
|---|---|---|
| acr_values | An Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies between identity providers. | string |
| allow_unverified_email | Tells the connector to accept OIDC users with unverified emails. | Boolean |
| claims_to_roles | Specifies a dynamic mapping from claims to roles. | []Claim Mapping |
| client_id | The ID of the authentication client (Teleport Auth Service). | string |
| client_redirect_settings | Defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. | SSO Client Redirect Settings |
| client_secret | Used to authenticate the client. | string |
| display | The friendly name for this provider. | string |
| entra_id_groups_provider | Configures an out-of-band user groups provider. It works by following the groups claim source, which Entra ID sends in place of the "groups" claim when the user's group membership exceeds the 200-item limit. | Entra ID Groups Provider |
| google_admin_email | The email of a Google admin to impersonate. | string |
| google_service_account | A string containing Google service account credentials. | string |
| google_service_account_uri | A path to a Google service account URI. | string |
| issuer_url | The endpoint of the provider, e.g. https://accounts.google.com. | string |
| max_age | | Duration |
| mfa | Contains settings to enable SSO MFA checks through this auth connector. | OIDC Connector MFA Settings |
| pkce_mode | Represents the configuration state for PKCE (Proof Key for Code Exchange). It can be "enabled" or "disabled". | string |
| prompt | An optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility. | string |
| provider | The external identity provider. | string |
| redirect_url | A list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request is chosen to match the requesting Proxy's public address. If there is no match, the first URL in the list is used. | Strings |
| request_object_mode | Determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. | string |
| scope | Specifies additional scopes set by the provider. | []string |
| user_matchers | A set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login. | []string |
| username_claim | Specifies the name of the claim from the OIDC connector to be used as the user's username. | string |

SSO Client Redirect Settings

Contains settings to define which additional client redirect URLs should be allowed for non-browser SSO logins.

Example:

```yaml
allowed_https_hostnames:
  - "string"
  - "string"
  - "string"
insecure_allowed_cidr_ranges:
  - "string"
  - "string"
  - "string"
```

| Field Name | Description | Type |
|---|---|---|
| allowed_https_hostnames | A list of hostnames allowed for HTTPS client redirect URLs. | []string |
| insecure_allowed_cidr_ranges | A list of CIDRs allowed for HTTP or HTTPS client redirect URLs. | []string |
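The spec, MFA and client redirect tables above describe several settings whose values change the security posture of a connector (redirect_url selection, pkce_mode, allow_unverified_email, mfa.max_age in nanoseconds, insecure_allowed_cidr_ranges, user_matchers). The following is an added review script, not code from Teleport or its documentation; the connector below is a constructed sample, and treating an absent user_matchers as "match everyone" is an assumption, not documented behaviour.

```python
import fnmatch
import ipaddress
from typing import Any, Dict, List
from urllib.parse import urlparse

# Constructed sample connector using the v3 fields from this reference.
SAMPLE_SPEC: Dict[str, Any] = {
    "issuer_url": "https://idp.example.com",
    "client_id": "teleport",
    "client_secret": "placeholder-secret",
    "redirect_url": [
        "https://proxy-a.example.com:443/v1/webapi/oidc/callback",
        "https://proxy-b.example.com:443/v1/webapi/oidc/callback",
    ],
    "pkce_mode": "disabled",
    "allow_unverified_email": True,
    "user_matchers": ["*@example.com"],
    "mfa": {"enabled": True, "max_age": 3_600_000_000_000},  # 1h in ns
    "client_redirect_settings": {
        "allowed_https_hostnames": ["cli.example.com"],
        "insecure_allowed_cidr_ranges": ["0.0.0.0/0"],
    },
}

NS_PER_HOUR = 3_600_000_000_000

def pick_redirect_url(urls: List[str], proxy_public_addr: str) -> str:
    """Documented rule: the URL whose host matches the requesting Proxy's
    public address wins; otherwise the first entry in the list is used."""
    for url in urls:
        if urlparse(url).netloc == proxy_public_addr:
            return url
    return urls[0]

def review_spec(spec: Dict[str, Any]) -> List[str]:
    """Flag settings the reference marks as weaker or 'insecure' choices."""
    findings = []
    if spec.get("pkce_mode") != "enabled":
        findings.append("pkce_mode: PKCE not explicitly enabled")
    if spec.get("allow_unverified_email"):
        findings.append("allow_unverified_email: unverified IdP emails accepted")
    mfa = spec.get("mfa") or {}
    if mfa.get("enabled") and mfa.get("max_age", 0) > 0:
        hours = mfa["max_age"] / NS_PER_HOUR
        findings.append(f"mfa.max_age: IdP session reused for MFA checks for {hours:g}h")
    crs = spec.get("client_redirect_settings") or {}
    for cidr in crs.get("insecure_allowed_cidr_ranges", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"insecure_allowed_cidr_ranges: {cidr} allows any redirect host")
    return findings

def matches_user(spec: Dict[str, Any], username: str) -> bool:
    """Identifier-first login: does any user_matchers glob match this username?
    Assumption: no user_matchers means the connector matches everyone."""
    return any(fnmatch.fnmatchcase(username, p) for p in spec.get("user_matchers", ["*"]))
```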

Strings

A list of strings that can unmarshal from a list of strings, or from a scalar string, in a YAML or JSON property.