External Identity Provider
Configure external OAuth2 and OpenID Connect identity providers for federated authentication. External IdP integration enables users to authenticate using cloud identity providers like Google, GitHub, Azure AD, and Keycloak. Features include IdP registration with client credentials, authorization endpoint configuration, scope management, user ID attribute mapping, and integration with IPA user accounts for hybrid authentication scenarios.
Manage External Identity Provider References.
IPA supports the use of an external Identity Provider for OAuth 2.0 Device Flow authentication.
EXAMPLES

Add a new external Identity Provider reference:

  ipa idp-add MyIdP --client-id jhkQty13 --auth-uri https://oauth2.idp.com/auth --token-uri https://oauth2.idp.com/token --secret

Add a new external Identity Provider reference using GitHub predefined endpoints:

  ipa idp-add MyIdp --client-id jhkQty13 --provider github --secret

Find all external Identity Provider references whose entries include the string "test.com":

  ipa idp-find test.com

Examine the configuration of an external Identity Provider reference:

  ipa idp-show MyIdP

Change the secret:

  ipa idp-mod MyIdP --secret

Delete an external Identity Provider reference:

  ipa idp-del MyIdP
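The Device Flow that an IdP reference configures is easier to reason about when both sides are visible. The following is an added example, not FreeIPA code: a stub IdP stands in for the endpoints stored under --dev-auth-uri, --token-uri and --userinfo-uri, and a stub client walks the RFC 8628 exchange (device authorization, polling the token endpoint while the user finishes out of band, then reading the claim chosen by --idp-user-id and mapping it to an IPA account). The endpoint URLs, client id, codes, claims and the IPA_ACCOUNTS mapping are constructed sample data.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) walked through in-process.

Added example, not FreeIPA code: a stub IdP stands in for the endpoints an
IdP reference points at (--dev-auth-uri, --token-uri, --userinfo-uri) and a
stub client plays the service that IPA would drive. Endpoint URLs, the client
id, the codes and the userinfo claims are constructed sample data.
"""
import secrets
import time
from dataclasses import dataclass, field

# Fields as they would be stored in the IdP reference (constructed values,
# mirroring the option names of `ipa idp-add`).
IDP_REFERENCE = {
    "client_id": "jhkQty13",
    "dev_auth_uri": "https://oauth2.idp.example/device",
    "token_uri": "https://oauth2.idp.example/token",
    "userinfo_uri": "https://oauth2.idp.example/userinfo",
    "scope": "openid email",
    "idp_user_id": "email",  # userinfo claim that identifies the user
}

# Stand-in for the IPA user lookup: IdP user id -> IPA account (constructed).
IPA_ACCOUNTS = {"alice@test.com": "alice"}


@dataclass
class StubIdP:
    """Server side: device authorization, token and userinfo endpoints."""
    grants: dict = field(default_factory=dict)   # device_code -> grant state
    tokens: dict = field(default_factory=dict)   # access_token -> claims
    poll_count: int = 0

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """--dev-auth-uri: issue a device_code/user_code pair for this client."""
        if client_id != IDP_REFERENCE["client_id"]:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(24)
        user_code = secrets.token_hex(4).upper()  # what the human types in
        self.grants[device_code] = {"user_code": user_code, "scope": scope,
                                    "claims": None, "expires": time.time() + 600}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://oauth2.idp.example/device/verify",
                "expires_in": 600, "interval": 5}

    def user_approves(self, user_code: str, claims: dict) -> bool:
        """Out-of-band step: the human enters user_code on the IdP's page."""
        for grant in self.grants.values():
            if grant["user_code"] == user_code:
                grant["claims"] = claims
                return True
        return False

    def token(self, client_id: str, device_code: str) -> dict:
        """--token-uri: the client polls here until the grant is approved."""
        self.poll_count += 1
        grant = self.grants.get(device_code)
        if client_id != IDP_REFERENCE["client_id"] or grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant["expires"]:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if grant["claims"] is None:
            return {"error": "authorization_pending"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = grant["claims"]
        del self.grants[device_code]  # a device_code is single use
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token: str) -> dict:
        """--userinfo-uri: claims for the bearer token."""
        return self.tokens.get(access_token, {"error": "invalid_token"})


def device_flow_login(idp: StubIdP, reference: dict, approve_after_polls: int,
                      claims: dict, max_polls: int = 10) -> str:
    """Client side. Returns the IPA account name the IdP user maps to.

    approve_after_polls says how many token polls complete before the human
    finishes at the verification page; claims is what the IdP then reports.
    """
    auth = idp.device_authorization(reference["client_id"], reference["scope"])
    if "error" in auth:
        raise RuntimeError("device authorization failed: " + auth["error"])
    for poll in range(max_polls):
        if poll == approve_after_polls:
            idp.user_approves(auth["user_code"], claims)
        # A real client sleeps auth["interval"] seconds between polls and
        # backs off further on a slow_down error; omitted here to stay fast.
        resp = idp.token(reference["client_id"], auth["device_code"])
        if "access_token" in resp:
            break
        if resp["error"] != "authorization_pending":
            raise RuntimeError("token request failed: " + resp["error"])
    else:
        raise TimeoutError("user never completed verification")
    info = idp.userinfo(resp["access_token"])
    # --idp-user-id picks the claim; refuse to log in if the IdP did not send it.
    idp_user_id = info.get(reference["idp_user_id"])
    if not idp_user_id:
        raise LookupError("userinfo lacks claim " + reference["idp_user_id"])
    if idp_user_id not in IPA_ACCOUNTS:
        raise PermissionError("no IPA account linked to " + idp_user_id)
    return IPA_ACCOUNTS[idp_user_id]


if __name__ == "__main__":
    who = device_flow_login(StubIdP(), IDP_REFERENCE, 2,
                            {"sub": "1001", "email": "alice@test.com"})
    print("authenticated IPA user:", who)
```

The client never sees the user's credentials; it only learns the claim named by --idp-user-id once the token endpoint stops answering authorization_pending, which is why a missing claim or an unlinked account must end the login rather than fall through.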
Commands
Command Description
idp-add Add a new Identity Provider reference.
idp-del Delete an Identity Provider reference.
idp-find Search for Identity Provider references.
idp-mod Modify an Identity Provider reference.
idp-show Display information about an Identity Provider reference.
idp-add
Usage: ipa [global-options] idp-add NAME [options]
Add a new Identity Provider reference.
Arguments
Argument Required Description
NAME yes Identity Provider reference name
Options
Option                          Description
--auth-uri AUTH-URI             OAuth 2.0 authorization endpoint
--dev-auth-uri DEV-AUTH-URI     Device authorization endpoint
--token-uri TOKEN-URI           Token endpoint
--userinfo-uri USERINFO-URI     User information endpoint
--keys-uri KEYS-URI             JWKS endpoint
--issuer-url ISSUER-URL         The Identity Provider OIDC URL
--client-id CLIENT-ID           OAuth 2.0 client identifier
--secret SECRET                 OAuth 2.0 client secret
--scope SCOPE                   OAuth 2.0 scope. Multiple scopes separated by space
--idp-user-id IDP-USER-ID       Attribute for user identity in OAuth 2.0 userinfo
--setattr SETATTR               Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR               Add an attribute/value pair. Format is attr=value. The attribute
--provider PROVIDER             Choose a pre-defined template to use
--organization ORGANIZATION     Organization ID or Realm name for IdP provider templates
--base-url BASE-URL             Base URL for IdP provider templates
--all                           Retrieve and print all attributes from the server. Affects command output.
--raw                           Print entries as stored on the server. Only affects output format.
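The --provider, --organization and --base-url options let a template supply the endpoint URIs instead of passing each one; the following added example (not FreeIPA's own template code) shows that expansion together with the checks worth running on a reference before it reaches idp-add. The two templates are assumptions: the keycloak entry follows Keycloak's realm URL layout and the github entry uses GitHub's public OAuth endpoints, but neither claims to be the table IPA ships. The reference names, client ids and URLs used in the tests are constructed.

```python
"""Expand a --provider template into endpoint URLs and sanity-check an IdP
reference before it is handed to `ipa idp-add`.

Added example, not FreeIPA code. TEMPLATES is an assumption about what a
pre-defined template supplies (Keycloak realm URL layout, GitHub public OAuth
endpoints), not IPA's own template table.
"""
from urllib.parse import urlsplit

TEMPLATES = {
    "keycloak": {  # needs --base-url and --organization (the realm name)
        "needs": ("base_url", "organization"),
        "auth_uri": "{base_url}/realms/{organization}/protocol/openid-connect/auth",
        "dev_auth_uri": "{base_url}/realms/{organization}/protocol/openid-connect/auth/device",
        "token_uri": "{base_url}/realms/{organization}/protocol/openid-connect/token",
        "userinfo_uri": "{base_url}/realms/{organization}/protocol/openid-connect/userinfo",
        "keys_uri": "{base_url}/realms/{organization}/protocol/openid-connect/certs",
        "scope": "openid email",
        "idp_user_id": "email",
    },
    "github": {  # fixed public endpoints, nothing to fill in
        "needs": (),
        "auth_uri": "https://github.com/login/oauth/authorize",
        "dev_auth_uri": "https://github.com/login/device/code",
        "token_uri": "https://github.com/login/oauth/access_token",
        "userinfo_uri": "https://api.github.com/user",
        "scope": "user",
        "idp_user_id": "login",
    },
}

# Fields idp-add takes as options (names follow the option table above).
OPTION_FIELDS = ("auth_uri", "dev_auth_uri", "token_uri", "userinfo_uri",
                 "keys_uri", "issuer_url", "scope", "idp_user_id")
ENDPOINT_FIELDS = OPTION_FIELDS[:6]


def build_reference(name, client_id, provider=None, organization=None,
                    base_url=None, **explicit):
    """Return the reference as a dict; explicit URIs override template ones."""
    ref = {"name": name, "client_id": client_id}
    if provider:
        if provider not in TEMPLATES:
            raise ValueError("unknown provider template: " + provider)
        tpl = TEMPLATES[provider]
        params = {"organization": organization or "",
                  "base_url": (base_url or "").rstrip("/")}
        missing = [p for p in tpl["needs"] if not params[p]]
        if missing:
            opts = ", ".join("--" + m.replace("_", "-") for m in missing)
            raise ValueError(f"template {provider} needs {opts}")
        for key, value in tpl.items():
            if key != "needs":
                ref[key] = value.format(**params)
    ref.update({k: v for k, v in explicit.items() if v is not None})
    return ref


def check_reference(ref):
    """Return a list of findings; an empty list means nothing objectionable."""
    findings = []
    if not ref.get("client_id"):
        findings.append("client-id: empty")
    for fld in ENDPOINT_FIELDS:
        url = ref.get(fld)
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{fld.replace('_', '-')}: {url} is not https, so the "
                            "client secret and tokens would cross the network in clear text")
    for fld in ("dev_auth_uri", "token_uri"):  # the device flow cannot run without these
        if not ref.get(fld):
            findings.append(f"{fld.replace('_', '-')}: missing, but the device flow needs it")
    if not ref.get("idp_user_id"):
        findings.append("idp-user-id: missing, so no userinfo claim selects the IPA user")
    if "," in ref.get("scope", ""):
        findings.append("scope: scopes are separated by space, not comma")
    return findings


def to_ipa_args(ref):
    """argv for `ipa idp-add`. --secret is passed without a value so the CLI
    prompts for it, keeping the secret out of shell history and process
    listings, which is how the examples above use it."""
    args = ["ipa", "idp-add", ref["name"], "--client-id", ref["client_id"]]
    for fld in OPTION_FIELDS:
        if ref.get(fld):
            args += ["--" + fld.replace("_", "-"), ref[fld]]
    args.append("--secret")
    return args


if __name__ == "__main__":
    ref = build_reference("corp-kc", "abc123", provider="keycloak",
                          organization="corp", base_url="https://sso.corp.example/")
    print(check_reference(ref) or "no findings")
    print(" ".join(to_ipa_args(ref)))
```

Running the check before registration catches the two mistakes that matter most for this feature: a plain-http endpoint, which would expose the client secret and every token, and a reference with no device authorization endpoint or no user id claim, which can be stored but never completes a login.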
idp-del
Usage: ipa [global-options] idp-del NAME [options]
Delete an Identity Provider reference.
Arguments
Argument Required Description
NAME yes Identity Provider reference name
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
idp-find
Usage: ipa [global-options] idp-find [CRITERIA] [options]
Search for Identity Provider references.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object attributes
Options
Option                          Description
--name NAME                     Identity Provider reference name
--auth-uri AUTH-URI             OAuth 2.0 authorization endpoint
--dev-auth-uri DEV-AUTH-URI     Device authorization endpoint
--token-uri TOKEN-URI           Token endpoint
--userinfo-uri USERINFO-URI     User information endpoint
--keys-uri KEYS-URI             JWKS endpoint
--issuer-url ISSUER-URL         The Identity Provider OIDC URL
--scope SCOPE                   OAuth 2.0 scope. Multiple scopes separated by space
--idp-user-id IDP-USER-ID       Attribute for user identity in OAuth 2.0 userinfo
--timelimit TIMELIMIT           Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT           Maximum number of entries returned (0 is unlimited)
--all                           Retrieve and print all attributes from the server. Affects command output.
--raw                           Print entries as stored on the server. Only affects output format.
--pkey-only                     Results should contain primary key attribute only ("name")
idp-mod
Usage: ipa [global-options] idp-mod NAME [options]
Modify an Identity Provider reference.
Arguments
Argument Required Description
NAME yes Identity Provider reference name
Options
Option                          Description
--auth-uri AUTH-URI             OAuth 2.0 authorization endpoint
--dev-auth-uri DEV-AUTH-URI     Device authorization endpoint
--token-uri TOKEN-URI           Token endpoint
--userinfo-uri USERINFO-URI     User information endpoint
--keys-uri KEYS-URI             JWKS endpoint
--issuer-url ISSUER-URL         The Identity Provider OIDC URL
--client-id CLIENT-ID           OAuth 2.0 client identifier
--secret SECRET                 OAuth 2.0 client secret
--scope SCOPE                   OAuth 2.0 scope. Multiple scopes separated by space
--idp-user-id IDP-USER-ID       Attribute for user identity in OAuth 2.0 userinfo
--setattr SETATTR               Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR               Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR               Delete an attribute/value pair. The option will be evaluated
--rights                        Display the access rights of this entry (requires --all). See ipa man page for details.
--all                           Retrieve and print all attributes from the server. Affects command output.
--raw                           Print entries as stored on the server. Only affects output format.
--rename RENAME                 Rename the Identity Provider reference object
idp-show
Usage: ipa [global-options] idp-show NAME [options]
Display information about an Identity Provider reference.
Arguments
Argument Required Description
NAME yes Identity Provider reference name
Options
Option                          Description
--rights                        Display the access rights of this entry (requires --all). See ipa man page for details.
--all                           Retrieve and print all attributes from the server. Affects command output.