Tenant configuration

Tenant properties

The following properties must be configured to connect the tenant with an external identity provider. The TenantId should be a unique identifier for the Unit4 customer organization, and the same value must be used across all services that the organization uses.

Parameter name Parameter type Description
TenantId string Unique identifier of the tenant (Unit4 customer organization). Required
TenantName string A short, friendly name for various user interfaces
Description string Description of the tenant (Unit4 customer organization).
CompanyName string Name of the organization that this tenant is representing (Users can search tenants by "company name" at partial login screen).
Domains List\<string> List of the domain names related to the organization that this tenant is representing (Users can search tenants by "domain names" at partial login screen).
UserId string * To be used internally for auditing *
UserName string * To be used internally for auditing *

Idps

A tenant must have at least one Identity Provider configured. If there are more than one and a client does not indicate (in acr_values) which of them should be used for authentication then an IdP selection screen will be presented.

Parameter name Parameter type Description
IdpName string Unique identifier of the IdP.
Description string Description of the IdP.
Authority string URI address of the IdP authority
Protocol string name of the protocol. Valid values: "openidconnect", "saml2", "ws-federation"
IdpRegId string The "client id" registered at the external IDP for the Unit4 Indentity Server
IdpSecret string This property is only used for the OpenId Connect protocol when getting a new refresh token from the external IdP. The "client secret" or "key" registered at the external IDP for the Unit4 Indentity Server
NameClaimType string The claim provided by the external Idp that should be mapped to the name claim returned by U4IDS.
Unit4IdClaimType List\<string> The claim provided by the external Idp that should map to the unit4_id
IncludeIdentityScopesInConsent bool Show identity scopes in consent screen. If the authority give consent this can be turned off. Default is true.
IsDefault bool a flag for backward compatibility when tenant has only one IdP
OpenIDConnectOptions object For the openidconnect protocol you can override the default authentication flow with the IdP.

OpenIDConnectOptions

Parameter name Parameter type Description
ResponseType string Allowed values are: code id_token, code id_token, code, id_token . Default value is code id_token
Scope string To override default scope you can set this. Default value is openid profile email offline_access
EndSessionEndpoint string To override default EndSessionEndpoint when IDP, such as Google, does not have any endpoint to end user session
AcrValues string Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request