Configure Ops Manager Users for OIDC Authentication

You can use OpenID Connect (OIDC) to manage Ops Manager user authentication and authorization with an external Identity Provider (IdP). When you try to access Ops Manager without an authenticated session, Ops Manager redirects you to your IdP to log in. After you authenticate, you return to Ops Manager.

This tutorial describes how to:

  • Configure OIDC authentication for Ops Manager.

  • Map OIDC groups to Ops Manager Organization Roles and Project Roles.

  • Manage organization and project role mappings with the public API.

HTTPS is strongly recommended for Ops Manager in general, and especially for OIDC. Some IdP integrations might not work correctly if Ops Manager does not use HTTPS.

To configure OIDC integration, you must perform the following actions in your IdP:

1. Add your Ops Manager URL to the list of allowed redirect URIs.

2. This step is required only if you need to keep the same user.

To configure OIDC authentication:

1. In Ops Manager:

  1. Click Admin, General, Ops Manager Config, User Authentication.

  2. Set the User Authentication Method option to OIDC.

2. Specify values for the required fields, then set optional fields as needed.

The following table maps the Ops Manager UI fields to the configuration file fields.

| Ops Manager UI field | Config file field | Required | Description |
| --- | --- | --- | --- |
| Issuer URI | mms.oidc.issuer.uri | Yes | Issuer URI or OIDC metadata discovery document URL. |
| Client ID | mms.oidc.client.id | Yes | Client identifier assigned to Ops Manager by the IdP. |
| Client Secret | mms.oidc.client.secret | Yes | Client secret assigned to Ops Manager by the IdP. |
| Custom CA Certificate (PEM) | mms.oidc.customCaCertificate | No | PEM-encoded CA certificate or certificates to trust when connecting to the IdP. Use this when your IdP uses a self-signed or private CA certificate. You can concatenate multiple certificates. |
| Enable PKCE (Proof Key for Code Exchange) | mms.oidc.pkce.enabled | Yes | Enables PKCE for the authorization code flow. Recommended and enabled by default. Disable only if your IdP does not support PKCE for confidential clients. Default value: true. |
| Requested Scopes | mms.oidc.requestedScopes | No | Scopes that Ops Manager requests from the authorization endpoint. |
| Service Provider Base URL | mms.oidc.sp.baseUrl | No | Base URL for the OIDC service provider. If you do not set this value, Ops Manager uses mms.centralUrl. Use this when Ops Manager is reached through different URLs. |
| Global Role Owner Groups | mms.oidc.global.role.owner | Yes | Comma-separated list of IdP groups whose members are assigned the Global Owner role. Global Owners have full privileges over this deployment, including all administrative permissions. |
| Global Automation Admin Groups | mms.oidc.global.role.automationAdmin | No | Comma-separated list of IdP groups whose members are assigned the Global Automation Admin role. |
| Global Backup Admin Groups | mms.oidc.global.role.backupAdmin | No | Comma-separated list of IdP groups whose members are assigned the Global Backup Admin role. |
| Global Monitoring Admin Groups | mms.oidc.global.role.monitoringAdmin | No | Comma-separated list of IdP groups whose members are assigned the Global Monitoring Admin role. |
| Global User Admin Groups | mms.oidc.global.role.userAdmin | No | Comma-separated list of IdP groups whose members are assigned the Global User Admin role. |
| Global Read Only Groups | mms.oidc.global.role.readOnly | No | Comma-separated list of IdP groups whose members are assigned the Global Read Only role. |
| OIDC Claim for User First Name | mms.oidc.user.claims.firstName | No | Claim that contains the user's first name. Default value: given_name. |
| OIDC Claim for User Last Name | mms.oidc.user.claims.lastName | No | Claim that contains the user's last name. Default value: family_name. |
| OIDC Claim for User Email | mms.oidc.user.claims.email | No | Claim that contains the user's email address. Default value: email. |
| OIDC Claim for Group Member | mms.oidc.group.claims.member | No | Claim that contains the list of groups that Ops Manager uses to map roles to projects and organizations. Default value: groups. |

3. Associate OIDC groups with organization roles and project roles in the Ops Manager UI.
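As an added example (not part of the Ops Manager documentation or product), the following Python lints a configuration fragment against the points this page makes before the settings go live: the required fields are present, the issuer and Ops Manager URLs use HTTPS, PKCE has not been switched off, and the requested scopes include openid, which OIDC Core requires in every authentication request. The property names are the "Config file field" column above; the file name conf-mms.properties, the sample values and the space-or-comma separated form of mms.oidc.requestedScopes are assumptions.

```python
"""Lint an Ops Manager OIDC configuration fragment.

Added example, not Ops Manager code. Property names are the "Config file
field" column of the table above; the file name conf-mms.properties, the
sample values and the space-or-comma separated form of
mms.oidc.requestedScopes are assumptions.
"""
from __future__ import annotations

REQUIRED = (
    "mms.oidc.issuer.uri",
    "mms.oidc.client.id",
    "mms.oidc.client.secret",
    "mms.oidc.global.role.owner",
)
URL_FIELDS = ("mms.oidc.issuer.uri", "mms.oidc.sp.baseUrl", "mms.centralUrl")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for a Java-style properties fragment
    ('#' comments, no line continuations, first '=' splits key and value)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_oidc_config(props: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means the fragment passes."""
    findings: list[str] = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key} is required but missing or empty")
    # This page strongly recommends HTTPS for Ops Manager, and the issuer URI is
    # where Ops Manager fetches the IdP's discovery metadata and signing keys.
    for key in URL_FIELDS:
        url = props.get(key)
        if url and not url.lower().startswith("https://"):
            findings.append(f"{key} is not HTTPS: {url}")
    # PKCE defaults to true, so only an explicit false is a downgrade.
    if props.get("mms.oidc.pkce.enabled", "true").strip().lower() == "false":
        findings.append(
            "mms.oidc.pkce.enabled=false disables PKCE; re-enable it unless the IdP "
            "cannot support PKCE for confidential clients"
        )
    # OIDC Core requires the 'openid' scope in an authentication request.
    scopes = props.get("mms.oidc.requestedScopes", "").replace(",", " ").split()
    if scopes and "openid" not in scopes:
        findings.append("mms.oidc.requestedScopes is set but does not include 'openid'")
    return findings


# Constructed sample with two weaknesses: a plain-HTTP issuer and PKCE switched off.
WEAK_FRAGMENT = """
# conf-mms.properties (excerpt, constructed for this example)
mms.centralUrl=https://opsmanager.example.com:8443
mms.oidc.issuer.uri=http://idp.example.com/realms/ops
mms.oidc.client.id=ops-manager
mms.oidc.client.secret=REPLACE_WITH_SECRET_FROM_IDP
mms.oidc.pkce.enabled=false
mms.oidc.requestedScopes=openid profile email groups
mms.oidc.global.role.owner=om-global-owners
mms.oidc.group.claims.member=groups
"""

# The same fragment with both problems corrected.
HARDENED_FRAGMENT = WEAK_FRAGMENT.replace(
    "http://idp.example.com", "https://idp.example.com"
).replace("mms.oidc.pkce.enabled=false", "mms.oidc.pkce.enabled=true")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        result = audit_oidc_config(parse_properties(text))
        print(name, "->", result or "no findings")
```

Run it against the real properties file before restarting Ops Manager; an empty findings list is the pass condition, and the client secret line is the one to keep out of version control.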

Note

If you migrate from SAML to OIDC, Ops Manager preserves your existing mappings.

OIDC role mappings work the same way as SAML role mappings. You map IdP groups to Ops Manager roles for organizations and projects. When a user logs in, Ops Manager assigns roles based on the user's group membership.

Organization role mappings associate IdP groups with organization roles.

The organization mapping fields include:

  • OIDC Groups for Organization Owner Role

  • OIDC Groups for Organization Project Creator Role

  • OIDC Groups for Organization Read Only Role

  • OIDC Groups for Organization Member Role

Project role mappings associate IdP groups with project roles.

The project mapping fields include:

  • OIDC Groups for Project Owner Role

  • OIDC Groups for Read Only Role

  • OIDC Groups for Automation Admin Role

  • OIDC Groups for Backup Admin Role

  • OIDC Groups for Monitoring Admin Role

  • OIDC Groups for User Admin Role

  • OIDC Groups for Data Access Admin Role

  • OIDC Groups for Data Access Read Write Role

  • OIDC Groups for Data Access Read Only Role

You can manage organization and project role mappings programmatically with the idpGroupMappings field in the public API resources for organizations and projects.

The idpGroupMappings field is an array that maps Ops Manager roles to IdP groups.

{
  "idpGroupMappings": [
    {
      "idpGroups": [
        "name_of_your_idp_group",
        "another_name_of_idp_group"
      ],
      "roleName": "GROUP_USER_ADMIN"
    }
  ]
}

The following values are valid for organization roleName:

  • ORG_OWNER

  • ORG_GROUP_CREATOR

  • ORG_BILLING_ADMIN

  • ORG_READ_ONLY

  • ORG_MEMBER

The following values are valid for project roleName:

  • GROUP_OWNER

  • GROUP_READ_ONLY

  • GROUP_AUTOMATION_ADMIN

  • GROUP_BACKUP_ADMIN

  • GROUP_MONITORING_ADMIN

  • GROUP_USER_ADMIN

  • GROUP_BILLING_ADMIN

  • GROUP_DATA_ACCESS_ADMIN

  • GROUP_DATA_ACCESS_READ_ONLY

  • GROUP_DATA_ACCESS_READ_WRITE

  • GROUP_CHARTS_ADMIN

  • GROUP_CLUSTER_MANAGER

  • GROUP_SEARCH_INDEX_EDITOR
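As an added example (not Ops Manager code), the following Python builds an idpGroupMappings payload for an organization or a project, validates each roleName against the two lists above so an organization role cannot be sent to a project resource, resolves the roles a user receives from the group claim the way this page describes (roles follow group membership; treating several matching mappings as a plain union is an assumption about how they combine), and flags owner grants and groups mapped under more than one role for review. The group names and the sample ID token claims are constructed.

```python
"""Build and review idpGroupMappings payloads for Ops Manager OIDC.

Added example, not Ops Manager code. Role names are the roleName values
listed on this page. Combining several matching mappings as a union is an
assumption; group names and sample claims are constructed.
"""
from __future__ import annotations

ORG_ROLES = frozenset({
    "ORG_OWNER", "ORG_GROUP_CREATOR", "ORG_BILLING_ADMIN", "ORG_READ_ONLY", "ORG_MEMBER",
})
PROJECT_ROLES = frozenset({
    "GROUP_OWNER", "GROUP_READ_ONLY", "GROUP_AUTOMATION_ADMIN", "GROUP_BACKUP_ADMIN",
    "GROUP_MONITORING_ADMIN", "GROUP_USER_ADMIN", "GROUP_BILLING_ADMIN",
    "GROUP_DATA_ACCESS_ADMIN", "GROUP_DATA_ACCESS_READ_ONLY", "GROUP_DATA_ACCESS_READ_WRITE",
    "GROUP_CHARTS_ADMIN", "GROUP_CLUSTER_MANAGER", "GROUP_SEARCH_INDEX_EDITOR",
})
# Owner roles grant full control of the organization or project; review every grant.
HIGH_PRIVILEGE = frozenset({"ORG_OWNER", "GROUP_OWNER"})


def build_idp_group_mappings(role_to_groups: dict[str, list[str]], scope: str) -> dict:
    """Return the idpGroupMappings payload for an organization ("org") or
    project ("project") resource. Rejects a roleName from the wrong scope,
    an empty group list and a group listed twice under one role."""
    allowed = ORG_ROLES if scope == "org" else PROJECT_ROLES if scope == "project" else None
    if allowed is None:
        raise ValueError(f"unknown scope {scope!r}")
    mappings = []
    for role, groups in role_to_groups.items():
        if role not in allowed:
            raise ValueError(f"{role} is not a valid {scope} roleName")
        if not groups:
            raise ValueError(f"{role} has no IdP groups")
        if len(set(groups)) != len(groups):
            raise ValueError(f"duplicate group under {role}")
        mappings.append({"idpGroups": list(groups), "roleName": role})
    return {"idpGroupMappings": mappings}


def resolve_roles(id_token_claims: dict, payload: dict, group_claim: str = "groups") -> set[str]:
    """Roles a user receives: every roleName whose idpGroups intersects the user's
    group claim. The claim name is mms.oidc.group.claims.member (default 'groups')."""
    user_groups = set(id_token_claims.get(group_claim) or [])
    return {
        m["roleName"] for m in payload["idpGroupMappings"]
        if user_groups & set(m["idpGroups"])
    }


def audit_mappings(payload: dict) -> list[str]:
    """Least-privilege review: report owner grants and groups that appear under
    more than one role (members of such a group receive every mapped role)."""
    findings: list[str] = []
    first_role_for_group: dict[str, str] = {}
    for m in payload["idpGroupMappings"]:
        role, groups = m["roleName"], m["idpGroups"]
        if role in HIGH_PRIVILEGE:
            findings.append(f"{role} granted to {', '.join(groups)}; confirm this is intended")
        for g in groups:
            if g in first_role_for_group:
                findings.append(f"group {g!r} mapped to both {first_role_for_group[g]} and {role}")
            else:
                first_role_for_group[g] = role
    return findings


# Constructed sample: one project's mappings and one user's ID token claims.
SAMPLE_PROJECT_MAPPING = build_idp_group_mappings({
    "GROUP_OWNER": ["om-platform-admins"],
    "GROUP_USER_ADMIN": ["om-user-admins"],
    "GROUP_READ_ONLY": ["om-auditors", "om-user-admins"],
}, scope="project")

SAMPLE_CLAIMS = {"sub": "alice", "email": "alice@example.com",
                 "groups": ["om-user-admins", "engineering"]}

if __name__ == "__main__":
    print(sorted(resolve_roles(SAMPLE_CLAIMS, SAMPLE_PROJECT_MAPPING)))
    for finding in audit_mappings(SAMPLE_PROJECT_MAPPING):
        print("finding:", finding)
```

The payload returned by build_idp_group_mappings is the JSON body to send to the organization or project resource; run audit_mappings over it before sending so that an owner grant or an overlapping group is a deliberate choice rather than a surprise at login time.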

Ops Manager supports OIDC backchannel logout. When your IdP sends a logout token to the following endpoint, Ops Manager invalidates the user's session:

  • POST {OPSMANAGER-HOST}:{PORT}/oidc/backchannel-logout

This is a server-to-server call, not a browser redirect, so the endpoint must be reachable from the IdP. The IdP sends a form-encoded POST request whose logout_token parameter contains a signed JWT.

  • The token must include a valid sub (subject) claim.

  • The token can include the sid (session ID) claim for targeted invalidation of that session.

Ops Manager does not support service-provider-initiated logout. To end a session, users must log out from the IdP, which can then invalidate the Ops Manager session through the backchannel logout endpoint.
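The following Python, added here and not taken from Ops Manager or any IdP, shows what a logout token for this endpoint carries and the checks a relying party should apply before invalidating a session, following OpenID Connect Back-Channel Logout 1.0: signature, iss, aud, iat (and exp when present), the backchannel-logout events claim, a sub claim (required by this page; the specification allows sub and/or sid), no nonce, and a jti that has not been seen before. The HS256 shared key exists only so the example runs offline; a real IdP signs with an asymmetric key published in its JWKS. The issuer, audience, subject and session values are constructed.

```python
"""Construct and validate an OIDC back-channel logout token.

Added example, not Ops Manager code. Token layout and validation follow
OpenID Connect Back-Channel Logout 1.0 (sections 2.4 to 2.6). HS256 with a
shared key keeps the example offline; a real IdP uses an asymmetric key from
its JWKS. Issuer, audience and subject values are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import uuid

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(key: bytes, iss: str, aud: str, sub: str, sid: str | None = None,
                      now: int | None = None, extra: dict | None = None) -> str:
    """Build the signed logout token an IdP would POST. `extra` overrides claims
    so the tests can produce malformed tokens."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": iss, "aud": aud, "iat": now, "exp": now + 120,
        "jti": str(uuid.uuid4()),          # unique per token; lets the RP detect replay
        "sub": sub,
        "events": {LOGOUT_EVENT: {}},      # marks this JWT as a logout token
    }
    if sid is not None:
        claims["sid"] = sid
    if extra:
        claims.update(extra)
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_logout_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                          seen_jti: set, now: int | None = None, skew: int = 60) -> dict:
    """Verify a logout token as a relying party should; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    # Pin the algorithm before checking the signature (no 'none', no alg confusion).
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + skew:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and claims["exp"] < now - skew:   # exp is required by the final spec
        raise ValueError("token expired")
    if "nonce" in claims:                                 # a nonce marks an ID token, never a logout token
        raise ValueError("nonce must not be present")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims:                               # this page requires sub; sid is optional
        raise ValueError("missing sub")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def backchannel_request_body(token: str) -> str:
    """Form-encoded body the IdP POSTs to /oidc/backchannel-logout."""
    return urllib.parse.urlencode({"logout_token": token})
```

The replay set (seen_jti) has to live at least as long as the token's validity window; with exp set two minutes ahead as here, entries can be expired once their exp has passed. When troubleshooting, the claims returned by validate_logout_token tell you whether the IdP targeted one session (sid present) or every session of the subject.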
