OpenID OpenFlow


Our org has moved away from ADFS to OpenID and I m looking for details on configuring Open ID specifically what values goes in these different fields.

They are metadata url, introspection, inspection clientid, introspection secret, consumer key and consumer secret. Would really appreciate if anyone can point to documentation or videos or how to.

Thanks for your help.

please don’t ask the same question multiple places.

You need to get the .well-known/openid-configuration url for your openid connect server, and then you insert that into metadataurl

if it’s a “real” openid connect server, you will only need clientid, if it’s oauth disguised as openid you also need to add a secret

introspection you can ignore. That is used when you want openflow to accept tokens issued directly to clients by a different IDP.

Thank you Allan for getting back.

I added these configurations however I m getting this error. Kindly find screenshots attached.

Your help is greatly appreciated.

you cannot leave out key

Thanks again for getting back. Is the secret ID or client id the key. I used both of them and still got the cannot get error.

  • Open
  • Go to Microsoft Entra ID ( that name is so stupid, what was wrong with azure active directory ?? … oh well )
  • Expand manage and click “App registration” … this is where you should have created a “provider” that you can use for signing into openflow
  • Copy the Application (client) ID from the app you created
  • Click the application to open it.
  • If you don’t know what endpoint to use, click
    This will look different depending on what you allowed ( only your tenant, all tenants or all teants AND all microsoft accounts )
  • Click Certificates & secrets ( looks like you did that in the last screenshot )
  • Under client secrets click “New client secret” and once done, copy the Value field. If you forgot to do this, you cannot get it again, and will need to create a new one

in openflow, under providers, add/edit a provider

  • metadataurl: insert endpoint you copied from azure portal
  • consumerkey: insert Application (client) ID
  • consumersecret: insert Value from secret you created

Thanks a million for getting back Allan

I followed your steps word to word like a bible and still got the cannot get error

Delete the provider in openflow
Add it again and this time use a simpler id. Like office365 … all lowercase and no special chatecters

Sorry to be a bug, gave the ID as office365 and got the same error
openflow error3

why does it say you have a certificate error ?
you cannot use lets encrypt with since that is domain i own.
If you want to use SSL you need to have an public IP for the server and a valid domain name pointing to that IP
please use the normal docker-compose when testing with localhost.

the ssl part is not the problem ( but it will be once you hit office 365, then it will only work if you have a valid certificate or is using localhost without SSL )
but i’m wondering how you even ended up with using SSL … did you change something ? is this my standard letsencrypt docker compose or have you changed anything in this setup ? a different reverse proxy, updated you hosts file etc ?

Good Morning Allan,

I used the letscncrypt yaml and did not change any config. It is just that in my local host file I had given the entry as

xx.xx.xx.xx which I have changed now.

I have requested for a public ip and domain name. I would keep you posted about my progress shortly.

Again, thank you for your help.

you got it backwards …

  1. you should never need to change your local host file to make something wok in docker. So why did you need to add ?
  2. in your screenshots you where accessing the setup using https … Why ?
    either you use normal-up and then you should not be using ssl ( and by default you then access it using )
    or you used letsencrypt-up and then you MUST follow the guide on how to setup dns. this will never work with

Thanks Allan.

I deleted the installation of normal and created a dns entry called

I have not started any new installation but wanted to run by you before I start any installation.

To give you a little more information, the machine that we are trying to install is an ubuntu box sitting in a corporate network whitelisted to docker hub and MS websites . We would like this to run openflow with https and set up sso via openid.

thanks for your help.

That will not work, if you are going to be using agents, since they need access to package repositories.

The only way to get ssl on a website that does not have a public IP is to use a self signed/self bought certificate or DNS01 challenges. There is an example in the docker repository, but i will not support that over the forum.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.