This is the complete specification of the OpenID identity provider configuration file.

This is the root element for the list of identity providers.

Identity provider definition.

This element represents a single identity provider configuration.

Identity provider ID.

Identity provider title.

Identity provider description.

Login hint.

Identity display header. Use {0} as a placeholder for the user display name. Example: "Logged in as {0}".

OpenID discovery endpoint.

OpenID authorization endpoint. The value from the appsetting "IdentityProviders.WebRoot" can be merged into this URL using "$webroot$".

OpenID token service endpoint. The value from the appsetting "IdentityProviders.WebRoot" can be merged into this URL using "$webroot$".

OpenID UserInfo endpoint. The value from the appsetting "IdentityProviders.WebRoot" can be merged into this URL using "$webroot$".

OpenID end-session (logout) endpoint. The value from the appsetting "IdentityProviders.WebRoot" can be merged into this URL using "$webroot$".

OpenID client identifier.

OpenID client secret.

Signing certificate location.

Signing certificate thumbprint.

Expected token issuer.

OpenID scopes (defaults to "openid").

Template for identity string.

Mapping to a specific SAML endpoint.

Template for the organization party number string, used when the user has multiple roles to choose from.

Template for display name string.

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Length of the State value, in characters. State is not sent if the value is below 1.

Length of the Nonce value, in characters. Nonce is not sent if the value is below 1.
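As an added example, not part of the configuration file specification or the F2 code base, the following Python shows how a relying party could assemble the authorization request from the settings above: merging "$webroot$" into the endpoint, defaulting the scope to "openid", passing the acr values and login hint through, and generating State and Nonce values of the configured length while omitting either when its length is below 1. The dictionary keys (`AuthorizationEndpoint`, `Scopes`, `StateLength`, and so on) are assumed names, not the file's actual element names.

```python
import secrets
import string
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed stand-in for the appsetting "IdentityProviders.WebRoot".
WEBROOT = "https://f2.example.test/"


def merge_webroot(url: str, webroot: str) -> str:
    """Replace the "$webroot$" token in an endpoint URL with the WebRoot setting."""
    return url.replace("$webroot$", webroot.rstrip("/"))


def random_token(length: int) -> Optional[str]:
    """Return `length` random alphanumeric characters from a CSPRNG, or None when
    the configured length is below 1 (State/Nonce are then not sent at all)."""
    if length < 1:
        return None
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_authorization_request(idp: dict, webroot: str, redirect_uri: str) -> Tuple[str, dict]:
    """Build the authorization request URL plus the values the relying party must
    keep in the user's session to verify the response later (state, nonce).
    The dict keys below are assumed names for the configuration elements."""
    params = {
        "response_type": "code",
        "client_id": idp["ClientId"],
        "redirect_uri": redirect_uri,
        "scope": idp.get("Scopes") or "openid",  # spec default when Scopes is empty
    }
    if idp.get("AcrValues"):  # space-separated, in order of preference
        params["acr_values"] = idp["AcrValues"]
    if idp.get("LoginHint"):
        params["login_hint"] = idp["LoginHint"]
    session = {}
    state = random_token(idp.get("StateLength", 0))
    if state is not None:
        params["state"] = session["state"] = state
    nonce = random_token(idp.get("NonceLength", 0))
    if nonce is not None:
        params["nonce"] = session["nonce"] = nonce
    endpoint = merge_webroot(idp["AuthorizationEndpoint"], webroot)
    return endpoint + "?" + urlencode(params), session
```

The returned session values are what the callback handler compares against the `state` parameter and the ID token's `nonce` claim; a State or Nonce length of 0 disables that protection for the provider.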

Client Authentication settings.

Set to true if the identity provider requires an ID token on logout. Default: false.

Activates or de-activates the specified identity provider.

The LoginHint element defines a hint for the identity provider to display on its login screen. How the login hint is interpreted depends strongly on the identity provider: in general a simple text can be supplied and displayed by the identity provider, but it may also be possible to supply, for instance, an e-mail address or user login name, which the identity provider then uses to prefill the login name field (if one is used).

The cBrain text message identity provider accepts a signed JWT containing a prefilled phone number to send the text message to. For this to work, the attribute "Encoding" must be set to "CBrain" (but this is normally done by the F2 self-service framework itself).

Login hint encoding type.

The Client Authentication element contains the settings that apply when the client is required to authenticate itself to the Identity Provider. The client can authenticate either with the ClientSecret of the IdentityProvider element or with a certificate referenced by location and thumbprint. The authentication method can be selected per endpoint.

Token endpoint authentication method.

Client authentication signing certificate location.

Client authentication signing certificate thumbprint.