Configuring deployment without Identity server

It is possible to run the DMS server without identity server. The DMS core server and the notification server will in this deployment directly communicate with the identity provider. Especially in a deployment in a cloud environment like Azure or AWS this is useful. This deployment scenario is configured via the appsettings.json. In appsettings.json, remove the whole IdentitfyServer section and add the OidcAuthentication section like this below.

"OidcAuthentication": {
  "Audience": "audience key from identity provider",
  "Authority": "test-authority",
  "AutoAuthorizeOnAuthentication": true,
  "ClaimToUserName": "ReplacementSearchString;ReplacementWithString",
  "ClaimType": "sub",
  "GroupsClaimType": "groups",
  "ClientId": "test-client-id",
  "PrincipalCaching": true,
  "RedirectUri": "redirecturl",
  "PostLogoutRedirectUri": "postlogout-redirecturl",
  "RequireGroupSearch": true,
  "RequireHttpsMetadata": "true",
  "Scope": "openid profile email offline_access groups"
},

In the table below there is an overview of the setting keys, their default values, and a short explanation of the setting key.

Setting key: (default) value Explanation
Audience Audience value for any received OIDC call.
Authority Authority url to make OIDC calls.
AutoAuthorizeOnAuthentication Enables or disables the authorization while auto-provisioning new external user.
ClaimToUserName Customized transformation from claim to username. It should be in format of -....;.... Value mentioned between '-' and ';' will be removed from claim and claim will be appended to value after ';'
ClaimType Claim type to request for user.
GroupsClaimType

The claim type that is used to get the groups of the current user, this also needs to be setup in the identity provider.

Once this is setup in the identity provider an admin can add groups to the database in the user management screen. These groups can then be selected in folder security for giving access to certain users based on the groups.

ClientId Unique client id of the external OIDC provider.
PrincipalCaching Caching credentials, can have big performance win when true.
RedirectUri OIDC sign-in redirect URI.
PostLogoutRedirectUr Redirect URI after the OIDC logout page.
RequireGroupSearch Enables or disables to search external user in group principal.
RequireHttpsMetadata If HTTPS is required for the metadata address or authority.
Scope OIDC scope. These represent high-level operations performed against the API endpoints. Applications request these scopes from the authorization server. The server access policy decides which scopes to grant and which ones to deny. Space separated.