Configuring SSO OAuth settings - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Product name
BlueCat Gateway

Enabling OAuth in BlueCat Gateway allows the use of access tokens issued by the authorization server/IdP to access the Address Manager API. An access token represents the authorization of Gateway to access the Address Manager API. Once you enable OAuth in BlueCat Gateway, you must update workflows and endpoints to use OAuth for access to the Address Manager API. Automated scripts must also be updated to use OAuth.

Important: You must configure the OAuth Settings in Address Manager before configuring OAuth in Gateway. For more information, Enabling OAuth in Address Manager in the Address Manager Administration Guide.
  1. Open the OAuth section of the SSO Configuration window. (Click the Navigator button if necessary, then click Configurations > SSO Configuration.)

    The SSO Configuration page opens. If OAuth settings are not displayed, scroll down and click OAuth to expand it.

  2. Fill in the OAuth fields as needed for your authentication provider.

    For more details, see OAuth settings list below.

  3. When you're done, click Save.

    If you've configured settings for all of Gateway as an SSO service provider, for the IdP, and the OAuth settings (in the OAuth section (see Configuring SSO OAuth settings), you can now enable SSO for Gateway. For more details, see Enabling Gateway SSO.


    If you made changes to SSO settings with SSO already enabled, we strongly recommend that you retest your SSO connection right away using an authentication tool like Postman.

    You can do so by opening a new browser session and logging in to Gateway with the username and password of an SSO user.

    To cancel your changes, click Cancel.

SSO OAuth settings list

The OAuth section has the following settings.

Setting Description
Client ID The public identifier of the application.
Client secret The secret code known only to the application and the authorization server.

Authorization endpoint

The endpoint that interacts with the resource owner (the user) to obtain the authorization grant from the protected resource.
Enter the token endpoint Enter the endpoint used by the API client (BlueCat Gateway) to obtain an access token.
Resource The name of the protected resource.
Username Chain The username claim of the authorization server.
Authentication method

Select one of the following:

  • Select Local if the IdP does not use a UserInfo endpoint to validate a token.

  • Select Authorization Server if the token validation occurs in the authorization server.

Tip: ADFS uses local authentication and OneLogin uses the authorization server.

(Optional) A list of scopes to present to the authentication server. Separate multiple scopes with spaces.

Scopes are an optional mechanism in OAuth 2.0 that let applications specify a scope for an authorization request, so that the authenticator can limit access to that scope. Scopes allow authenticators to restrict different sets of features to different users.

Scopes consist of scope identifiers separated by spaces. The format of scope information is otherwise open-ended and depends on the authorization provider. Gateway passes on any value entered in the Scopes field unchanged.

Userinfo Endpoint

(Required if Authorization server is Authorization method) The userinfo endpoint retrieves information about the user. This includes the group membership information and user ID, which are required if token validation occurs in the authorization server.