accessmanageroidc

This configuration is required when using the plugin AccessManager_Oidc.

<accessmanagerOidcConfiguration> (required)

Configuration for OpenID Connect (OIDC) in the Cadenza user management. See also the example configuration.

<identityProvider> (required)

Configuration of the identity provider.

<issuerUrl> (optional, string)

Base URL of the OpenID Connect issuer. With this information, Cadenza can discover several OpenID Connect configuration elements, making the configuration process easier and less error-prone.

It should point to the realm (e.g. https://idp.example.com/realms/myrealm). Cadenza uses this URL to reach the OpenID Connect Discovery endpoint by appending /.well-known/openid-configuration to it, as defined in the OIDC specification.

</issuerUrl>
<client> (required)

Configuration of the OIDC client (cadenza).

<clientId> (required, string)

Id of the client.

</clientId>
<clientSecret> (required, string)

The corresponding client secret.

Usually, the secret has to be encoded (see also Secrets in Configuration).

</clientSecret>
</client>
<authenticationRequestScopes> (optional)

<scope> (required, max. unbounded, string)

The scopes used in the authentication request, e.g. 'openid'.

</scope>
</authenticationRequestScopes>
<usePKCE> (required, boolean)

Defines whether Proof Key for Code Exchange (PKCE) is used during the authentication flow. It is enabled by default. PKCE is specified in RFC 7636: https://tools.ietf.org/html/rfc7636

Default: true

</usePKCE>
<adminService> (optional, string; allowed value: keycloak)

Optional configuration for the OIDC server-specific admin services. At the moment the only supported provider is keycloak.

</adminService>
<relyingPartyInitiatedLogout> (required, boolean)

Enables Relying Party initiated logout. If enabled and discovery via the issuerUrl is not configured, the logoutUrl must be defined.

Default: false

</relyingPartyInitiatedLogout>
<allowTokenPassthrough> (required, boolean)

Defines whether access tokens are stored for the duration of the session and kept valid, so that they remain usable for third-party services (e.g. WFS).

Default: false

</allowTokenPassthrough>
<userDetailsTokenName> (required, string; allowed values: id_token, access_token)

The name of the token which contains information about the user (e.g. name, group membership). Allowed values are access_token and id_token.

Default: id_token

</userDetailsTokenName>
<userNameClaim> (optional, string)

The name of the claim where the userName is set. The default is 'preferred_username' according to the standard claims defined in the OpenID Connect Core 1.0 specification.

Default: preferred_username

</userNameClaim>
<authenticationUrl> (optional, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this element are defined, the discovered value gets overridden.

The absolute URL for the authentication request of the authorization provider. This is an endpoint in the authorization provider used by Cadenza. The URL normally ends with /auth.

</authenticationUrl>
<tokenUrl> (optional, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this element are defined, the discovered value gets overridden.

The absolute URL for the token request from Cadenza to the authorization provider.

</tokenUrl>
<logoutUrl> (optional, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this element are defined, the discovered value gets overridden.

Defines the OIDC logout URL, which is used for the Relying Party initiated Logout.

</logoutUrl>
<adminServiceUrl> (optional, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this element are defined, the discovered value gets overridden.

At the moment the only supported admin service is keycloak.

The adminServiceUrl defines the base URL for all the services exposed by the Keycloak Administration REST API endpoint. See "Administration REST API" linked in https://www.keycloak.org/documentation.

The URL is expected to contain the realm name as a component of the path, for example, https://idp.example.com/admin/realms/myrealm.

The URL of all Keycloak admin services is derived based on it - for example, the realm user membership service will be https://idp.example.com/admin/realms/myrealm/users.

The service account of the client will be used to communicate with the API, so the required service account roles have to be configured in Keycloak for this service account.

</adminServiceUrl>
<publicKey> (optional, xs:base64Binary)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this element are defined, the discovered value gets overridden.

The base64 encoded public key of the authorization provider used for verifying the token.

Attribute type (required, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this attribute are defined, the discovered value gets overridden.

The type of the public key. Possible values are listed on https://bitbucket.org/b_c/jose4j/wiki/Home in the table JWK in the column JWK "kty" Parameter Value. Typical values are RSA or EC.

Attribute algorithm (required, string)

Configuration is not required if the discovery service via the issuerUrl is enabled. If both the issuerUrl and this attribute are defined, the discovered value gets overridden.

The signature algorithm used to verify the token. Possible values are listed on https://bitbucket.org/b_c/jose4j/wiki/Home in the table JWS in the column JWS "alg" Parameter Value. Typical values are RS256 or ES256.

</publicKey>
<groupMapping> (optional)

Configuration of the group mapping between token claims and Cadenza-defined groups.

Choice: choose only ONE of the following

<claim> (required, token)

The token claim name where the group information is taken from.

For example, in a token that contains a claim groups like

{ …
"groups": [ "oidcGroup1", "oidcGroup2" ]
…}

a claim configuration of groups would resolve to those groups: [ "oidcGroup1", "oidcGroup2" ].

</claim>
<claimPath> (required, string)

A JsonPath expression referring to the place(s) in the token where the group information is taken from.

For example, in a token that contains a claim groups like

{ …
"groups": [
{ "id": "oidcGroup1", "printName": "lorem" },
{ "id": "oidcGroup2", "printName": "ipsum" }
]
…}

a claimPath configuration of $.groups[*].id would resolve to those groups: [ "oidcGroup1", "oidcGroup2" ].

</claimPath>
Choice End
<staticMapping> (optional, max. unbounded)

DEPRECATED (23.02.2026): Use dynamic mapping in combination with the ui feature Group mapping IDs instead.

A static mapping from fixed token claim values to corresponding Cadenza group names. The static group mapping maps the given group from the token (claimValue) to the group in Cadenza (groupName).

Attribute claimValue (optional, token)

Attribute groupName (optional, token)

</staticMapping>
<dynamicMapping> (optional, boolean)

The dynamic group mapping can be used if the names in the token and in Cadenza are identical (the name in Cadenza is one of the group mapping IDs). If the token contains groups 'A' and 'B', then the user in Cadenza gets the Cadenza groups with the group mapping IDs 'A' and 'B', if they exist.

Default: false

</dynamicMapping>
</groupMapping>
<propertyMapping> (optional)

Configuration of additional claims to be passed to Cadenza as user properties after authentication, so that they can be used via user variables. The following claims are always mapped to user properties, regardless of configuration:

  • The claim configured as userNameClaim above to common:login

  • name to common:realName

  • email to common:email

Claim content can be referenced either by a claim name or, for more intricate extractions, by a JSONPath expression into the token content.

If the claim content is a JSON array, the string value of each element is available in the user property; otherwise the string value of the whole claim content is. Null or undefined values are skipped. Remember that user properties are always mapped as lists of strings.

This means that

  • "claim": "foo" and "claim": [ "foo" ] are both mapped as 'foo'.

  • "claim": [ 123, "456", { "k": "v" } ] is mapped as '123', '456', '{ "k": "v" }'.

  • "claim": [] is not mapped to a user property, as there are no values inside.

(In all cases, single quotes in the result are meant to enclose the strings; they are not part of the strings themselves.)

<property> (required, max. unbounded)

Attribute name (required, token)

The property name under which the information is made accessible as a user variable, if it is present in the ID token.

Choice: choose only ONE of the following

<claim> (required, token)

The JWT claim name where the property values are read from.

</claim>
<claimPath> (required, string)

A JsonPath expression referring to the place(s) in the token where the property values are read from.

For example, in a token that contains a claim like

{ …
"foo": [
{ "bar": "spam" },
{ "bar": "eggs" }
]
…}

a claimPath of $.foo[*].bar would yield [ "spam", "eggs" ] as property values.

</claimPath>
Choice End
</property>
</propertyMapping>
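The claim / claimPath selection, the array-flattening rules for user properties, and the dynamic group mapping described above, worked through in Python as an added example (not Cadenza's own code). The JSONPath handling is an assumed small subset covering only the $.key[*].key form used in the examples on this page, and the sample claims are constructed.

```python
import json

# Constructed sample token claims (assumed shape, not a real token).
SAMPLE_CLAIMS = json.loads("""{
  "preferred_username": "alice", "name": "Alice Example", "email": "alice@example.com",
  "groups": [{"id": "oidcGroup1", "printName": "lorem"}, {"id": "oidcGroup2", "printName": "ipsum"}],
  "roles": ["A", "B", null], "foo": [{"bar": "spam"}, {"bar": "eggs"}], "empty": []
}""")

def select(claims, claim=None, claim_path=None):
    """Raw claim content by claim name, or via the assumed JSONPath subset $.key.key[*].key."""
    if claim is not None:
        return claims.get(claim)
    if not claim_path.startswith("$."):
        raise ValueError("only JSONPath rooted at '$.' is supported by this example")
    nodes = [claims]
    for step in claim_path[2:].split("."):
        key, wildcard = (step[:-3], True) if step.endswith("[*]") else (step, False)
        found = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                value = node[key]
                # [*] expands an array into its elements; otherwise keep the value as one node
                found.extend(value if wildcard and isinstance(value, list) else [value])
        nodes = found
    return nodes

def to_strings(content):
    """Documented rules: arrays give one string per element, scalars one string,
    objects their JSON text; null values are skipped."""
    items = content if isinstance(content, list) else [content]
    return [item if isinstance(item, str) else json.dumps(item)
            for item in items if item is not None]

def map_property(claims, claim=None, claim_path=None):
    """Values of one property as a list of strings; None when nothing maps (e.g. [])."""
    return to_strings(select(claims, claim, claim_path)) or None

def map_groups(token_groups, group_mapping_ids):
    """Dynamic mapping: a token group is granted only if a Cadenza group mapping ID equals it."""
    return [g for g in token_groups if g in group_mapping_ids]

def user_properties(claims, user_name_claim="preferred_username", extra=()):
    """Always-mapped properties plus configured (name, claim, claimPath) entries."""
    props = {"common:login": map_property(claims, claim=user_name_claim),
             "common:realName": map_property(claims, claim="name"),
             "common:email": map_property(claims, claim="email")}
    for name, claim, claim_path in extra:
        props[name] = map_property(claims, claim, claim_path)
    return {k: v for k, v in props.items() if v is not None}
```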
</identityProvider>
</accessmanagerOidcConfiguration>
This is a generated sample file with fake data showing all possible options; refer to the documentation above for which combinations are valid and what is required.
cadenzaconfig:
  settings:
    accessmanageroidc:
      identityProvider:
        issuerUrl: "text"
        client:
          clientId: "text"
          clientSecret: "text"
        authenticationRequestScopes:
        - "text"
        - "text"
        usePKCE: true
        adminService: "keycloak"
        relyingPartyInitiatedLogout: true
        allowTokenPassthrough: true
        userDetailsTokenName: "id_token"
        userNameClaim: "text"
        authenticationUrl: "text"
        tokenUrl: "text"
        logoutUrl: "text"
        adminServiceUrl: "text"
        publicKey:
          type: "text"
          algorithm: "text"
          value: "dGV4dA=="
        groupMapping:
          claim: "text"
          claimPath: "text"
          staticMapping:
          - claimValue: "text"
            groupName: "text"
          - claimValue: "text"
            groupName: "text"
          dynamicMapping: true
        propertyMapping:
        - name: "text"
          claim: "text"
          claimPath: "text"
        - name: "text"
          claim: "text"
          claimPath: "text"

Filename: accessmanageroidc-config.xml

This is a generated sample file with fake data showing all possible options; refer to the documentation above for which combinations are valid and what is required.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<accessmanagerOidcConfiguration>
  <identityProvider>
    <issuerUrl>text</issuerUrl>
    <client>
      <clientId>text</clientId>
      <clientSecret>text</clientSecret>
    </client>
    <authenticationRequestScopes>
      <scope>text</scope>
      <scope>text</scope>
    </authenticationRequestScopes>
    <usePKCE>true</usePKCE>
    <adminService>keycloak</adminService>
    <relyingPartyInitiatedLogout>true</relyingPartyInitiatedLogout>
    <allowTokenPassthrough>true</allowTokenPassthrough>
    <userDetailsTokenName>id_token</userDetailsTokenName>
    <userNameClaim>text</userNameClaim>
    <authenticationUrl>text</authenticationUrl>
    <tokenUrl>text</tokenUrl>
    <logoutUrl>text</logoutUrl>
    <adminServiceUrl>text</adminServiceUrl>
    <publicKey type="text" algorithm="text">dGV4dA==</publicKey>
    <groupMapping>
      <claim>text</claim>
      <claimPath>text</claimPath>
      <staticMapping claimValue="text" groupName="text"/>
      <staticMapping claimValue="text" groupName="text"/>
      <dynamicMapping>true</dynamicMapping>
    </groupMapping>
    <propertyMapping>
      <property name="text">
        <claim>text</claim>
        <claimPath>text</claimPath>
      </property>
      <property name="text">
        <claim>text</claim>
        <claimPath>text</claimPath>
      </property>
    </propertyMapping>
  </identityProvider>
</accessmanagerOidcConfiguration>