Remote proxy authentication methods
The remote proxy supports two authentication methods:
Bearer authentication (OAuth 2.0)
Use for Advanced Identity Cloud tenant-to-tenant connections.
{
"enabled": true,
"authType": "bearer",
"instanceUrl": "https://<receiving-tenant-env-fqdn>/openidm/",
"clientId": "idmprovisioning",
"clientSecret": "&{esv.idmprovisioning.client.secret}", (1)
"scope": ["fr:idm:*"],
"tokenEndpoint": "https://<receiving-tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token",
"tokenEndpointAuthMethod": "client_secret_post",
"scopeDelimiter": " "
}
| 1 | Use an ESV secret for clientSecret instead of a plaintext value. |
| After creating the ESV, restart Advanced Identity Cloud services so the placeholder resolves. |
Required properties: authType, clientId, clientSecret, instanceUrl, tokenEndpoint, tokenEndpointAuthMethod, and scope.
Basic authentication
Use for connecting to self-managed PingIDM instances.
{
"enabled": true,
"authType": "basic",
"instanceUrl": "https://idm.example.com:8443/openidm/",
"userName": "openidm-admin",
"password": "openidm-admin"
}
Required properties: authType, userName, instanceUrl, and password.
Configuration properties reference
| Property | Required | Description |
|---|---|---|
|
No |
Enable or disable the proxy. Default is |
|
Yes |
Authentication method: |
|
Yes |
Receiving instance URL. Must end with a trailing slash ( |
|
Yes (bearer only) |
OAuth 2.0 scopes, for example |
|
No |
Scope delimiter. Default is a space. |
|
Yes (basic only) |
Username for basic auth. |
|
Yes (basic only) |
Password for basic auth. |
|
Yes (bearer only) |
OAuth 2.0 client ID. |
|
Yes (bearer only) |
OAuth 2.0 client secret. Use an ESV secret rather than a plaintext value. |
|
Yes (bearer only) |
OAuth 2.0 token endpoint URL. |
|
Yes (bearer only) |
Must be |
For any request forwarded to the receiving tenant or instance that includes an X-Requested-With header, the remote proxy sets the header value to RemoteIDMProxy.
|