Identity Providers Configuration
This section details how to configure Identity Providers. Identity Providers are used by Horizon to verify the identity of an end user based on the authentication performed by an external OpenID Connect provider (the authorization server): Horizon never sees the user's credentials, only the claims the provider returns after a successful login.
How to configure an Identity Provider
1. Log in to Horizon Administration Interface.
2. Access Identity Providers from the drawer or card.
3. Click on the add button to create a new Identity Provider.
General tab
4. Select an identity provider type. Currently only OpenID Connect is supported.
OpenID Connect
5. Fill in all mandatory fields (marked with *):
- Name* (string input): Enter a meaningful identity provider name.
- Provider metadata URL* (string input): Enter the OpenID Connect provider metadata URL (the discovery document, usually ending in /.well-known/openid-configuration). Use an https URL: Horizon trusts the endpoints and signing keys published in this document.
- Client ID* (string input): Identifier generated on the OpenID Connect IDP when registering a new application (Horizon) that authenticates users on the identity provider.
- Client Secret* (string input): Secret associated with the aforementioned Client ID.
- Scope* (string input): Scopes requested by Horizon during authentication on the identity provider to authorize access to the user's details. The openid scope is mandatory in OpenID Connect; additional scopes such as profile and email are typically needed for the provider to return the claims referenced below.
- Proxy (string select): Proxy used to access the Provider metadata URL, if any.
- Timeout (finite duration): Timeout used for authentication on the identity provider. Must be a valid finite duration. Defaults to 10 seconds.
- Identifier Claim* (string input): Dynamic expression defining how to construct the user identifier from the OpenID Connect claims. Claim names must be enclosed between {{ and }}. For example, if the user identifier is contained in the 'login' claim, the configured value should be {{login}}. Prefer a claim that is stable and unique at the provider (such as 'sub') over a reassignable attribute such as an email address, since a reassigned value would let a different person inherit the identifier.
- Email Claim* (string input): Dynamic expression defining how to construct the user email from the OpenID Connect claims. Claim names must be enclosed between {{ and }}. For example, if the user email is contained in the 'email' claim, the configured value should be {{email}}. If the email is not available directly from the claims but can be computed from the 'login' claim by appending a domain, the configured value should be {{login}}@evertrust.fr.
- Name Claim* (string input): Dynamic expression defining how to construct the username from the OpenID Connect claims. Claim names must be enclosed between {{ and }}. For example, if the username must be constructed as "family name, given name", with the family name available in the 'family_name' claim and the given name in the 'given_name' claim, the configured value should be {{family_name}}, {{given_name}}.
- Enable* (boolean): Enable or disable the identity provider.
- Enabled on UI* (boolean): Enable or disable the identity provider on the user interface (the login page).
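The three claim expressions above follow one rule: every {{claim}} placeholder is substituted with the value of that claim from the token. The following Python module is an added illustration written for this page, not Horizon's own expression engine: it renders the identifier, email and name from a constructed set of claims using the exact values from the field descriptions, and it shows the policy a practitioner wants for the failure cases the page does not spell out, namely a referenced claim that is missing, empty, or an array. Those rejection rules, the names EXAMPLE_CONFIG and EXAMPLE_CLAIMS, and the claims themselves are assumptions of the example.

```python
import re

# Placeholder syntax described on this page: a claim name between {{ and }}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.:-]+)\s*\}\}")


class ClaimExpressionError(ValueError):
    """Raised when an expression cannot be rendered from the received claims."""


def referenced_claims(expression: str) -> list:
    """Claim names an expression depends on, in order of appearance.
    Handy at configuration time to check that the requested scopes
    actually make the provider return these claims."""
    return PLACEHOLDER.findall(expression)


def render_claim_expression(expression: str, claims: dict) -> str:
    """Build one user attribute (identifier, email or name) from the claims.

    Policy of this example (assumptions, not documented Horizon behaviour):
    - a referenced claim that is missing or empty aborts the login rather than
      producing a truncated value such as "@evertrust.fr" or an empty identifier;
    - scalar claims are rendered with str(); lists and objects are rejected,
      because an identifier built from an array is never what was intended.
    """
    def substitute(match):
        name = match.group(1)
        value = claims.get(name)
        if value is None or value == "":
            raise ClaimExpressionError(f"claim {name!r} is missing from the token")
        if isinstance(value, (list, dict)):
            raise ClaimExpressionError(f"claim {name!r} is not a scalar value")
        return str(value)

    rendered = PLACEHOLDER.sub(substitute, expression)
    if not rendered.strip():
        raise ClaimExpressionError(f"expression {expression!r} rendered to an empty value")
    return rendered


def can_render(expression: str, claims: dict) -> bool:
    """True when the expression yields a usable value for these claims."""
    try:
        render_claim_expression(expression, claims)
        return True
    except ClaimExpressionError:
        return False


def resolve_user(config: dict, claims: dict) -> dict:
    """Apply every configured expression (identifier, email, name) to one login."""
    return {field: render_claim_expression(expr, claims) for field, expr in config.items()}


# Hypothetical configuration mirroring the examples in the field descriptions above.
EXAMPLE_CONFIG = {
    "identifier": "{{login}}",
    "email": "{{login}}@evertrust.fr",
    "name": "{{family_name}}, {{given_name}}",
}

# Constructed claims, as an ID token or userinfo response might carry them.
EXAMPLE_CLAIMS = {
    "sub": "5f1c9a2e",
    "login": "jdoe",
    "family_name": "Doe",
    "given_name": "Jane",
}

if __name__ == "__main__":
    print(resolve_user(EXAMPLE_CONFIG, EXAMPLE_CLAIMS))
    # No 'email' claim in the constructed token: the login is rejected, not mis-mapped.
    print("{{email}} renderable:", can_render("{{email}}", EXAMPLE_CLAIMS))
```

With EXAMPLE_CLAIMS, the identifier resolves to jdoe, the email to jdoe@evertrust.fr and the name to Doe, Jane; an expression that references an absent claim is refused instead of silently producing a partial value.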
Claims mapping tab
This tab allows you to automatically assign roles and teams to users based on claims returned by the OIDC provider (e.g. group memberships). When a user authenticates, Horizon extracts values from the OIDC claims and maps them to pre-existing roles and teams.
| When claims mapping is configured, all previously assigned roles, teams and permissions for the user are replaced on each login to match the current claim values; manual role or team assignments will be overwritten. A login whose claims match no mapping entry therefore leaves the user with no roles or teams. |
- Claim extraction (Computation rule input): A computation rule that defines how to extract values from the OIDC claims. For array claims, each element is indexed: a 'groups' claim containing ["admins", "developers"] is exposed as groups.1 = admins and groups.2 = developers. Use the [[groups]] computation rule syntax to extract all values from such an array.
- Claim mappings (list of claim value → roles and teams): A list of mappings that associate a specific claim value with one or more roles and/or teams. Each entry must reference at least one role or team. Only claim values that match an entry result in role/team assignments; unmatched values grant nothing.
Example: mapping OIDC groups to Horizon roles and teams
Suppose your OIDC provider returns a 'groups' claim containing the user's group memberships. You want to map these groups to Horizon roles and teams as follows:
- Users in the admins group get the AdminRole role and the AdminTeam team
- Users in the developers group get the DevTeam team
Configure the claims mapping as:
- Claim extraction: [[groups]]
- Claim mappings:
  - admins → Roles: AdminRole, Teams: AdminTeam
  - developers → Teams: DevTeam
With this configuration, a user who belongs to both the admins and developers groups will be assigned the AdminRole role and both the AdminTeam and DevTeam teams upon login.
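The example above, and the replacement rule stated in the warning at the top of this tab, are easier to reason about when the mapping is written out as code. The Python below is an added example for this page, not Horizon's implementation: it models the array indexing the page describes (groups.1, groups.2, ...), a [[groups]] rule that collects every indexed value, the mapping table from the example, and the outcome for three constructed logins, including a user whose claims match nothing and who therefore ends up with no roles or teams. The rule grammar supported by extract_values, exact case-sensitive matching of claim values, and the names EXAMPLE_RULE and EXAMPLE_MAPPINGS are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimMapping:
    """One entry of the Claim mappings list: a claim value and what it grants."""
    value: str
    roles: frozenset = frozenset()
    teams: frozenset = frozenset()

    def __post_init__(self) -> None:
        # The page requires each entry to reference at least one role or team.
        if not self.roles and not self.teams:
            raise ValueError(f"mapping for {self.value!r} grants neither a role nor a team")


def flatten_claims(claims: dict) -> dict:
    """Expose array claims as indexed entries, 1-based as described on this page:
    {"groups": ["admins", "developers"]} -> {"groups.1": "admins", "groups.2": "developers"}."""
    flat = {}
    for name, value in claims.items():
        if isinstance(value, list):
            for index, item in enumerate(value, start=1):
                flat[f"{name}.{index}"] = str(item)
        else:
            flat[name] = str(value)
    return flat


# Two rule forms modelled here (an assumption about the computation-rule grammar):
# [[claim]] yields every indexed value of an array claim, {{key}} yields one value.
ALL_VALUES = re.compile(r"^\[\[\s*([A-Za-z0-9_]+)\s*\]\]$")
ONE_VALUE = re.compile(r"^\{\{\s*([A-Za-z0-9_.]+)\s*\}\}$")


def extract_values(rule: str, claims: dict) -> list:
    """Values the Claim extraction rule produces for one login."""
    flat = flatten_claims(claims)
    if m := ALL_VALUES.match(rule):
        name = m.group(1)
        prefix = name + "."
        indexed = [k for k in flat if k.startswith(prefix) and k[len(prefix):].isdigit()]
        indexed.sort(key=lambda k: int(k[len(prefix):]))  # index order, not dict order
        values = [flat[k] for k in indexed]
        if name in flat:  # a scalar claim is treated as a one-element array
            values.append(flat[name])
        return values
    if m := ONE_VALUE.match(rule):
        return [flat[m.group(1)]] if m.group(1) in flat else []
    raise ValueError(f"unsupported computation rule: {rule!r}")


def assign(rule: str, mappings: list, claims: dict) -> tuple:
    """Roles and teams for this login. They replace, not extend, whatever the user
    had before, so a login whose values match no entry yields two empty sets."""
    by_value = {m.value: m for m in mappings}  # exact, case-sensitive match (assumption)
    roles, teams = set(), set()
    for value in extract_values(rule, claims):
        entry = by_value.get(value)
        if entry is None:
            continue  # values without a mapping entry grant nothing
        roles |= entry.roles
        teams |= entry.teams
    return frozenset(roles), frozenset(teams)


# The mapping from the example above.
EXAMPLE_RULE = "[[groups]]"
EXAMPLE_MAPPINGS = [
    ClaimMapping("admins", roles=frozenset({"AdminRole"}), teams=frozenset({"AdminTeam"})),
    ClaimMapping("developers", teams=frozenset({"DevTeam"})),
]

if __name__ == "__main__":
    # Constructed claims for three logins: both groups, an unmapped group, no groups claim.
    for claims in ({"sub": "u1", "groups": ["admins", "developers"]},
                   {"sub": "u2", "groups": ["guests"]},
                   {"sub": "u3"}):
        print(claims.get("groups"), "->", assign(EXAMPLE_RULE, EXAMPLE_MAPPINGS, claims))
```

The first login gets AdminRole plus AdminTeam and DevTeam, as the page states; the second and third get nothing, which is exactly the situation the warning describes: whatever those users held before this login is gone. Review the provider's group claim for every account that relies on manual assignments before enabling claims mapping.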
Languages tab
You can add more languages by clicking the add button.
- Language* (select): Select a language. Supported languages are:
  - en: English
  - fr: French
- Display Name (string input): Enter a display name. This will be the localized name of the provider on the login page.
- Description (string input): Enter a description. This will be displayed in a tooltip when the provider is chosen on the login page.
You can delete a localization.
6. Click on the save button.
You can update or delete the Identity Provider.
| You won't be able to delete an Identity Provider if it is referenced in any other configuration element. |