CONFIG AUTH OIDC UPDATE
Level
user,modify
History
Appears in 5.0.0
CAIssuer appears in 5.0.1
BindAddr appears in 5.0.1
Description
Update an OIDC authentication profile configuration.
Usage
DomainName=<domain_name>: Domain name identifying the profile and associated OIDC user groups. Must be unique on the firewall (i.e. it does not exist in another OIDC profile and it is not returned by the CONFIG LDAP LIST command).
[NewDomainName=<domain_name>]: New domain name identifying the profile and associated OIDC groups. Must be unique on the firewall (i.e. it does not exist in another OIDC profile and it is not returned by the CONFIG LDAP LIST command).
[State=<0|1>]: Enable (1) or disable (0) the profile (default: 0).
[ProviderType=<MSEntraID|Compliant>]: Type of OIDC Identity Provider (default: MSEntraID).
[ProviderDesc=<provider_desc>]: Name of the OIDC Identity Provider that will be displayed on the OIDC login button of the Captive Portal and the Web Admin (default: "Microsoft EntraID").
[IssuerID=<issuer_identifier>]: Used to validate the "iss" (issuer) claim of the OIDC ID token.
[ClientID=<application_client_id>]: Identifier of the SNS application in the OIDC Provider. Used to get the OIDC ID token and to validate its "aud" (audience) claim (default: <TODO:Put the application client id as soon as published on EntraID application store>).
[ClientSecret=<key>]: Shared with the OIDC Provider and associated to the application client (ClientID). Used to get the OIDC ID token.
[MaxAge=<maximum_authentication_age>]: Allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OIDC Provider. If the elapsed time is greater than this value, the OIDC Provider must attempt to actively re-authenticate the End-User (default: 86400).
[RedirectURLHost=<IP|FQDN|empty string>]: Used in the redirection URLs to which OIDC Provider responses will be sent. Also used to provide the URLs that must be filled in on the OP side when registering the SNS application. If this parameter is left empty, the URLs are built with the host name defined by the SYSTEM IDENT command.
[RedirectURLPort=<port object name (ANY/TCP)|port object num (ANY/TCP)|empty string>]: Used in the redirection URLs to which OIDC Provider responses will be sent. Also used to provide the URLs that must be filled in on the OP side when registering the SNS application (default: empty). If RedirectURLHost is not defined, this parameter is ignored and the port configured via CONFIG AUTH ADVANCED HttpsPort is used.
[CAIssuer=<CA name>]: Trusted certificate authority for requests to the OIDC provider.
[BindAddr=<local interface object name|empty string>]: Explicitly set the source interface (identified by one of its IP addresses) used when sending requests to the OIDC Provider.
Example
CONFIG AUTH OIDC UPDATE DomainName="stormshield.onmicrosoft.com" NewDomainName="sns.onmicrosoft.com" State=1 ProviderType="MSEntraID" ProviderDesc="Microsoft EntraID" IssuerID="https://login.microsoftonline.com/b23bd0ce-1a93-4796-802c-0a0ee9889e8f/v2.0" ClientID="3ecfd37f-86f0-4b3f-91c6-3d42ba2db459" ClientSecret="qwU8Q~Y7E2bxx1_4iIbAk8xlZKt_ZVDirVuqdaQy" MaxAge="86400" RedirectURLHost="Firewall_out" RedirectURLPort="oidc_tcp" CAIssuer="oidc_root_ca"
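The IssuerID, ClientID and MaxAge parameters above describe the checks applied to the ID token's "iss", "aud" and "auth_time" claims. The following is an added illustration of those checks, not SNS code; the profile values come from the example command, the token payloads are constructed, and signature verification is assumed to have happened already.

```python
# Added example: apply the IssuerID / ClientID / MaxAge checks from the
# profile to an ID-token payload. Not Stormshield code; the payloads below
# are constructed, and the token signature is assumed to be already verified.

PROFILE = {
    "IssuerID": "https://login.microsoftonline.com/b23bd0ce-1a93-4796-802c-0a0ee9889e8f/v2.0",
    "ClientID": "3ecfd37f-86f0-4b3f-91c6-3d42ba2db459",
    "MaxAge": 86400,  # seconds since last active authentication
}


def check_id_token_claims(claims: dict, profile: dict, now: int) -> list:
    """Return the reasons the ID-token payload does not satisfy the profile.
    An empty list means the token is acceptable for this profile."""
    problems = []
    # "iss" must match IssuerID exactly (string comparison, no normalisation).
    if claims.get("iss") != profile["IssuerID"]:
        problems.append("iss mismatch")
    # "aud" may be a string or a list; it must include our ClientID.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if profile["ClientID"] not in aud_list:
        problems.append("aud does not contain ClientID")
    # The token itself must not be expired.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or in the past")
    # MaxAge: the provider must have actively authenticated the user within
    # MaxAge seconds; auth_time is required when max_age was requested.
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        problems.append("auth_time missing")
    elif now - auth_time > profile["MaxAge"]:
        problems.append("auth_time older than MaxAge; re-authentication required")
    return problems


def fresh_claims(now: int) -> dict:
    """Constructed payload that satisfies the example profile at time `now`."""
    return {
        "iss": PROFILE["IssuerID"],
        "aud": PROFILE["ClientID"],
        "exp": now + 600,
        "auth_time": now - 3600,
    }
```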