Criipto Authentication

If you need to configure authentication via Criipto, follow the guidelines below.

Configure Authentication

  1. Log in to the Criipto dashboard.
  2. Create an application and domain on the Criipto dashboard as shown below:

Criipto dashboard

More information on this step can be found in the Criipto documentation portal at Criipto Documentation.

  1. Create a new authentication provider with the Criipto authentication provider type via the OpenIAM web console.

New authentication provider

Set the Criipto authentication domain field from step 2.

Configuring authprovider

  1. Set the checkbox and the Criipto authentication provider field on the used authentication provider page.

Setting Criipto field

  1. Use the correct authentication rules for the required URLs. You need to use the default Criipto authentication rule or any custom rule with the Criipto authentication provider. Also, you can set the authentication rule for the Content provider or the required URI pattern.

  2. Log in with Criipto from the login page.

Login with Criipto

It will redirect you to Criipto Login.

  1. After a successful login, you will be redirected to /selfservice or the predefined URL. This URL must be set on the Authentication provider page for the Criipto authentication type.

Setting the URL

You can use the following URL: to go to step 6.

Select a Criipto authentication provider by Criipto login GET request. If you have several Criipto authentication provider configurations, you can select it by a GET request. For example:

Criipto GET request

In this case, on Criipto authentication, the Criipto authentication provider with Provider ID = ff8081818a949be0018a94ae05570005 will be used.

If you need several different redirect URLs, you can create several Criipto authentication providers with equal domains, secrets, etc., but with different “Provider ID” and “Redirect URL after OpenIAM success log in”.

You will call GET request with the required authProviderId and get redirected to the required URL: From the screen above:

GET call:

Redirect URL:

  1. After the first login, you need to create a user in OpenIAM.

If a user doesn't exist in OpenIAM, you can create a user and log in. User data from Criipto:

User data saved in OpenIAM:

User data saved User data saved User data saved User data saved User data saved

  1. For customization of user data on JIT provision, you can use a Groovy script. This script can be set on the Authentication provider page.

Groovy script

A default Groovy script can set the user-type and rename required attributes:

Default Groovy Default Groovy


Results Results

Example Groovy script

// Groovy script code here
import org.openiam.idm.srvc.continfo.dto.Address;
import org.openiam.idm.srvc.continfo.dto.EmailAddress;
import org.openiam.idm.srvc.continfo.dto.Phone;
import org.openiam.idm.srvc.grp.dto.Group;
import org.openiam.idm.srvc.res.dto.Resource;
import org.openiam.idm.srvc.role.dto.Role;
import org.openiam.provision.dto.ProvisionUser;
import org.openiam.ui.groovy.criipto.AbstractCriiptoTransformationAuthenticator;
import org.openiam.idm.srvc.user.dto.UserAttribute;
import java.util.Calendar;
class TestCriiptoTransformationAuthenticator extends AbstractCriiptoTransformationAuthenticator {
int modifyObject(final ProvisionUser pUser) {"=========== Test criipto auth groovy ")
if (isUserTypeExist("INTERNAL_USER")) {
} else {
log.error("INTERNAL_USER type not exist");
Calendar calendar = Calendar.getInstance();
calendar.set(Calendar.JANUARY, 1);
calendar.set(Calendar.YEAR, 2023);
calendar.set(Calendar.MILLISECOND, 0);
calendar.set(Calendar.SECOND, 0);
calendar.set(Calendar.MINUTE, 0);
calendar.set(Calendar.HOUR, 0);
Role role = getRoleById("9");
if (role != null) {
addUserRoleByName(pUser, role.getName(), null, ["IS_CERTIFIED"].toSet(), calendar.getTime(), calendar.getTime(), "Role description");
Group group = getGroupById("SUPER_SEC_ADMIN_GRP");
if (group != null) {
addUserGroupByName(pUser, group.getName(), null, ["IS_CERTIFIED"].toSet(), calendar.getTime(), calendar.getTime(), "Group description");
Resource resource = getResourceById("0");
if (resource != null) {
addUserResourceByName(pUser, resource.getName(), ["IS_CERTIFIED"].toSet(), calendar.getTime(), calendar.getTime(), "Role description");
Organization org = getOrganizationById("100");
if (org != null) {
addUserOrganization(pUser, org.getName(), "ORGANIZATION", ["IS_CERTIFIED"].toSet(), calendar.getTime(), calendar.getTime());
if (isEmailTypeExist("PRIMARY_EMAIL")) {
final EmailAddress email = new EmailAddress();
addUserEmailAddress(pUser, email);
if (isPhoneTypeExist("OFFICE_PHONE")) {
final Phone phone = new Phone();
addUserPhone(pUser, phone);
if (isAddressTypeExist("OFFICE_ADDRESS")) {
final Address address = new Address();
address.setAddress1("Address 1");
addUserAddress(pUser, address);
UserAttribute attrVal = pUser.getAttribute("MitID_municipality");
if (attrVal && attrVal.getFirstValue()) {
addUserAttribute(pUser, "MUNICIPALITY_NAME", attrVal.getFirstValue());
attrVal = pUser.getAttribute("MitID_municipality_code");
if (attrVal && attrVal.getFirstValue()) {
addUserAttribute(pUser, "MUNICIPALITY_CODE", attrVal.getFirstValue());
return 0;