OIDC Integration
Integration with OIDC lets you manage users and their roles and divisions from an OIDC provider such as Okta or another standards-compliant OIDC provider.
To change an environment to OIDC authentication, contact your RCX support team.
Note
In any RCX environment there can only be one way to authenticate users: native or OIDC. Both methods can't be used simultaneously.
Group to Role Mapping
RCX integrates with OIDC providers through a groups (or equivalent) claim
available in either the id_token or the access_token that the provider returns
upon successful user authentication.
Using the groups claim, RCX maps groups in the OIDC provider to the RCX roles
to which a user will have access. The role names are the same as the OIDC
group names passed in the groups claim.
Division Mapping
Divisions are assigned via OIDC similarly to how roles are assigned.
The only difference is that RCX and the OIDC provider need to agree on a group
prefix (such as RCX_DIVISION_*) which governs which entries in the groups
claim map to Divisions versus Roles. For example:
| OIDC Group | Division |
|---|---|
| RCX_DIVISION_Admin | Admin |
| RCX_DIVISION_Retail | Retail |
| RCX_DIVISION_Hotel | Hotel |
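The role and division mapping described in the two sections above, as an added example that is not RCX code. The function names, sample claims and role names are constructed; checking the id_token before the access_token, exact case-sensitive role matching and ignoring unrecognized groups are assumptions.

```python
# Added illustration; not RCX's implementation. All names here are hypothetical.
DIVISION_PREFIX = "RCX_DIVISION_"  # prefix agreed with the OIDC provider


def extract_groups(id_claims, access_claims, claim_name="groups"):
    """Return the groups list from whichever token carries the claim."""
    for claims in (id_claims, access_claims):  # assumed order: id_token first
        value = (claims or {}).get(claim_name)
        if value is None:
            continue
        if isinstance(value, str):   # tolerate a single group sent as a bare string
            value = [value]
        if not isinstance(value, list):
            raise ValueError(f"{claim_name} claim must be a list of strings")
        return value
    return []                        # no claim: the user gets no roles or divisions


def map_groups(groups, known_roles, prefix=DIVISION_PREFIX):
    """Split group names from a verified token into (roles, divisions)."""
    roles, divisions = set(), set()
    for group in groups:
        if not isinstance(group, str):
            continue                 # ignore malformed entries
        if group.startswith(prefix):
            name = group[len(prefix):]
            if name:                 # a bare prefix maps to nothing
                divisions.add(name)
        elif group in known_roles:   # assumption: role name equals group name exactly
            roles.add(group)
    return sorted(roles), sorted(divisions)


# Constructed sample claims, as decoded from tokens whose signatures have
# already been verified against the provider's public key.
ID_CLAIMS = {"sub": "user-123", "email": "a.user@example.com"}
ACCESS_CLAIMS = {"sub": "user-123",
                 "groups": ["RCX_DIVISION_Retail", "RCX_DIVISION_Hotel",
                            "Analyst", "analyst", "VPN-Users", "RCX_DIVISION_"]}
KNOWN_ROLES = {"Analyst", "Supervisor"}  # hypothetical RCX role names

if __name__ == "__main__":
    groups = extract_groups(ID_CLAIMS, ACCESS_CLAIMS)
    print(map_groups(groups, KNOWN_ROLES))
```

Groups that match neither the prefix nor a known role (here `analyst` and `VPN-Users`) grant nothing, so unrelated directory groups cannot widen access in this sketch.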
Autoprovisioning of Users
The RCX OIDC integration autoprovisions each user the first time that user logs on successfully via the OIDC provider and a valid OIDC token (verified through the OIDC public key) is issued. This means that no users need to be created within RCX, which allows for centralized user management via the OIDC provider.