LDAP / OIDC

The LDAP / OIDC section gathers the external identity sources that accounts authenticate against. Both LDAP directory servers and user-facing OIDC providers live here because both delegate authentication to a system outside the virtual site.

The page is organized into two tabs:

  • LDAP servers
  • OIDC providers

You can move between the tabs with the mouse, or with the keyboard arrow keys when the tab strip has focus (Home and End jump to the first and last tab).

Both LDAP and OIDC identity sources are license gated. When the current license does not include the relevant capability, the Add button is disabled and an inline notice explains why.

LDAP servers

LDAP servers list

This tab lists the directory servers used to authenticate LDAP users and groups. The table shows the following columns:

  • Name (the friendly name)
  • Servers (the configured server URLs)
  • Bind user
  • Domains

Each row offers actions to edit or delete the server. Use the Add server button above the table to create a new entry.

Adding or editing an LDAP server

LDAP server editor

Adding or editing a server opens a dialog with the following fields:

  • Friendly name: a label that identifies this server in the list. Required.
  • Server URLs: one URL per line. The first URL is the primary; the rest are backups. The supported schemes are ldap://, ldaps://, ldapi://, and cldap://. At least one URL is required.
  • Bind username: the account used to bind to the directory. Required.
  • Bind password: the password for the bind account, stored as an encrypted secret. On edit, an existing password is preserved unless you replace it.
  • Domains: one domain per line. The primary domain must be first.
  • Query template: optional. Leave it empty to use the default query template.

Testing the connection

The dialog includes a Test button that validates the current settings against the directory server before you save. The fields are checked first (friendly name, at least one server URL, and a bind username must be present); if they are valid, the server settings are sent to the directory for verification. A success toast confirms that the directory server accepted the settings.

Deleting a server

Deleting a server asks for confirmation, naming the server, before it is removed.

OIDC providers

OIDC providers list

This tab lists the external identity providers that end users can sign in with. The table shows the following columns:

  • Name (the display name)
  • Type (the provider kind, for example OIDC)
  • Issuer (the issuer URL)
  • Enabled (Enabled or Disabled)

Each row offers actions to test, edit, or delete the provider. Use the Add provider button above the table to create a new entry.

Adding or editing an OIDC provider

OIDC provider editor

Adding or editing a provider opens a dialog with the following fields:

  • Display name: a label that identifies the provider. Required.
  • Issuer URL: the OIDC issuer base URL, for example https://idp.example.com. Required.
  • Client ID: the OAuth client identifier issued by the provider. Required.
  • Client secret: the OAuth client secret, stored as an encrypted secret. It is required when creating a provider. On edit, the stored secret is preserved unless you replace it.
  • Scopes: space-separated OAuth scopes, for example openid profile email.
  • Subject claim: the claim used as the stable subject, for example sub.
  • Username claim: the claim mapped to the username, for example preferred_username.
  • Email claim: the claim mapped to the email address, for example email.
  • Groups claim: the claim that carries group membership, for example groups.
  • Require verified email: only accept the identity when the email is marked verified by the provider.
  • Auto provision accounts: create a local account automatically the first time a recognized identity signs in.
  • Enabled: whether the provider is active. New providers default to enabled.
  • Allow insecure HTTP issuer: permit an issuer URL served over plain HTTP. Leave this off in production.
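To show how the editor's claim-mapping and policy fields fit together, here is an added example (not the product's own code) that applies a provider's settings to a decoded ID token. The settings class, the function names and the policy of rejecting an unverified email are assumptions; it uses the standard OIDC email_verified claim and leaves token signature and issuer validation to the OIDC library that produced the claims.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical settings object mirroring the fields in the provider editor.
@dataclass
class ProviderSettings:
    issuer_url: str
    subject_claim: str = "sub"
    username_claim: str = "preferred_username"
    email_claim: str = "email"
    groups_claim: str = "groups"
    require_verified_email: bool = False
    allow_insecure_http_issuer: bool = False

def check_issuer_url(settings: ProviderSettings) -> bool:
    """Accept https issuers; accept plain http only when the insecure toggle is on."""
    scheme = urlparse(settings.issuer_url).scheme
    if scheme == "https":
        return True
    return scheme == "http" and settings.allow_insecure_http_issuer

def map_identity(settings: ProviderSettings, claims: dict):
    """Map raw ID-token claims to a local identity using the configured claim names.
    Returns None when the identity must be rejected (no subject, or unverified email
    while 'Require verified email' is on). Claims are assumed to be already verified."""
    subject = claims.get(settings.subject_claim)
    if not subject:
        return None  # no stable subject, so nothing to link an account to
    email = claims.get(settings.email_claim)
    if settings.require_verified_email and not (email and claims.get("email_verified") is True):
        return None
    groups = claims.get(settings.groups_claim) or []
    if isinstance(groups, str):  # some providers send a single space-separated string
        groups = groups.split()
    return {
        "issuer": settings.issuer_url,
        "subject": str(subject),
        "username": claims.get(settings.username_claim) or email or str(subject),
        "email": email,
        "groups": list(groups),
    }

# Constructed sample: decoded ID-token payload from a fictional provider.
SAMPLE_CLAIMS = {"sub": "a1b2c3", "preferred_username": "alice", "email": "alice@example.com",
                 "email_verified": True, "groups": ["admins", "dev"]}

if __name__ == "__main__":
    settings = ProviderSettings(issuer_url="https://idp.example.com", require_verified_email=True)
    print(check_issuer_url(settings), map_identity(settings, SAMPLE_CLAIMS))
```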

Testing the provider

Each saved provider has a Test action that performs OIDC discovery against the issuer. A success toast confirms that discovery succeeded for that provider.

Deleting a provider

Deleting a provider asks for confirmation, naming the provider, before it is removed.