Use an External OIDC Identity Provider

To use an external OIDC Identity Provider, do the following:

  1. Create an OAuth2 client.
  2. Update the OIDC settings of the organization.

Create an OAuth2 Client

Create an OAuth2 client with the following configuration:

  • Callback URL: https://<organization-hostname>/login/oauth2/code/<organization-hostname>
  • Grant types: Implicit, Authorization code, Refresh token
  • Claims: openid, profile, offline_access

When the OAuth2 client is created, copy and store the following parameters:

  • The client ID
  • The client secret

You will have to provide both values in the API request described in the next section.

Update the OIDC Settings of the Organization

Use the following template to create an API request that updates the OIDC settings of the organization. The request must carry your API token ($GDC_API_TOKEN) in the Authorization header:

curl --request PUT \
  --header "Authorization: Bearer $GDC_API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
  "data": {
    "id": "alpha",
    "type": "organization",
    "attributes": {
      "name": "Alpha Corp.",
      "hostname": "analytics.alpha.example.com",
      "oauthIssuerLocation": "https://<your-issuer-url>",
      "oauthClientId": "<your-client-id>",
      "oauthClientSecret": "<your-client-secret>"
    }
  }
}'  https://analytics.alpha.example.com/api/entities/admin/organizations/alpha

Example: A sample API request for setting up authentication with the Auth0 Identity Provider

curl --request PUT \
  --header 'Authorization: Bearer YWRtaW46Ym9vdHN0cmFwOk15U2VjcmV0UGFzc3dvcmQ=' \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
  "data": {
    "id": "alpha",
    "type": "organization",
    "attributes": {
      "name": "Alpha Corp.",
      "hostname": "analytics.alpha.example.com",
      "oauthIssuerLocation": "https://alpha-corp.auth0.com/",
      "oauthClientId": "abcdefghijklmnopqrstuvwxyz0123",
      "oauthClientSecret": "abcdefghijklmno-ABCDEFGHIJKLMNOPQRS-abcdefghi_ABCDEFG"
    }
  }
}'  https://analytics.alpha.example.com/api/entities/admin/organizations/alpha

Once you have updated the OIDC settings, map the users stored in the Identity Provider to your organization.

Known limitations

Auth0 specific notes

The Auth0 issuer URL ends with a trailing slash. When configuring the external OIDC provider for your organization, make sure that the oauthIssuerLocation value also ends with a trailing slash, for example https://mycompany.eu.auth0.com/. Otherwise, authentication will not work.

Known issues with Auth0 IdP:

  • Logout doesn’t work
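A pre-flight check for the two setup steps above and for the Auth0 trailing-slash note, added here as an example and not part of GoodData's own tooling: it compares the planned oauthIssuerLocation with the issuer string the IdP publishes in its discovery document (OIDC requires an exact match, which is why the missing slash breaks Auth0 logins), confirms the scopes and grant types the OAuth2 client needs are advertised, and only then builds the body for the PUT request. The SAMPLE_DISCOVERY contents, the REQUIRED_* lists and the environment variable names are assumptions; in real use you would fetch <issuer>/.well-known/openid-configuration instead of the embedded sample.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample of an IdP discovery document, trimmed to the fields this
# check uses (assumption: a real document carries many more fields).
SAMPLE_DISCOVERY = {
    "issuer": "https://alpha-corp.auth0.com/",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "scopes_supported": ["openid", "profile", "offline_access", "email"],
}

# What the OAuth2 client created in step 1 relies on (assumed names, taken
# from the grant types and scopes listed in that step).
REQUIRED_SCOPES = ("openid", "profile", "offline_access")
REQUIRED_GRANTS = ("authorization_code", "implicit", "refresh_token")


def check_issuer(configured: str, discovery: dict) -> list:
    """Return a list of problems; an empty list means the value can be submitted.

    The configured issuer must equal the document's 'issuer' string byte for
    byte, so a missing trailing slash is a hard failure, not a cosmetic one."""
    problems = []
    if urlparse(configured).scheme != "https":
        problems.append("oauthIssuerLocation must be an https URL")
    if configured != discovery.get("issuer"):
        problems.append("issuer mismatch: configured %r, discovery says %r"
                        % (configured, discovery.get("issuer")))
    for scope in REQUIRED_SCOPES:
        if scope not in discovery.get("scopes_supported", []):
            problems.append("scope %r not advertised by the IdP" % scope)
    for grant in REQUIRED_GRANTS:
        if grant not in discovery.get("grant_types_supported", []):
            problems.append("grant type %r not advertised by the IdP" % grant)
    return problems


def build_request_body(org_id, name, hostname, issuer, client_id, client_secret):
    """Build the JSON body for PUT /api/entities/admin/organizations/<org_id>."""
    return json.dumps({"data": {"id": org_id, "type": "organization", "attributes": {
        "name": name, "hostname": hostname, "oauthIssuerLocation": issuer,
        "oauthClientId": client_id, "oauthClientSecret": client_secret}}}, indent=2)


if __name__ == "__main__":
    # Secrets come from the environment (assumed variable names), not from argv.
    issuer = os.environ.get("OIDC_ISSUER", "https://alpha-corp.auth0.com")  # slash missing on purpose
    problems = check_issuer(issuer, SAMPLE_DISCOVERY)
    if problems:
        print("not submitting:", *problems, sep="\n  ")
    else:
        print(build_request_body("alpha", "Alpha Corp.", "analytics.alpha.example.com", issuer,
                                 os.environ.get("OIDC_CLIENT_ID", "<your-client-id>"),
                                 os.environ.get("OIDC_CLIENT_SECRET", "<your-client-secret>")))
```

Pipe the printed body into the curl command from the template above once the check reports no problems.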

Google

Known issues with Google IdP:

  • Logout doesn’t work

Amazon Cognito

Amazon Cognito distorts the state variable that GoodData.CN sends during the OAuth2 flow. The redirect URL returned by Cognito is invalid, and therefore Amazon Cognito cannot be used as an Identity Provider for GoodData.CN.