Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
GlobalCube
/
analytics
3
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Gałąź: master
Gałęzie Tagi
analytics
/
templates
/
AAA
/
OIDC_Generic.xml

OIDC_Generic.xml 20 KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329 
  1. <!-- OIDC-Generic: Defines a group of properties that allows the product to use an OpenID 
    2. 

  2.              Connect identity provider for user authentication.  -->
    3. 

  3. <!-- Set the values for this group of properties to allow the product access to your existing 
    4. 

  4.              OpenID connect identity provider. This external resource must already exist in your 
    5. 

  5.              environment and be configured to use for authentication.  -->
    6. 

  6. <crn:instance name="MANDATORY" class="OIDC_Generic">
    7. 

  7. 	<!-- identityProviderType: Specifies the implementation of an OpenID Connect identity 
    8. 

  8.                provider.  -->
    9. 

  9. 	<crn:parameter name="identityProviderType">
    10. 

  10. 		<crn:value xsi:type="xsd:string">Generic</crn:value>
    11. 

  11. 	</crn:parameter>
    12. 

  12. 	<!-- id: Specifies a unique identifier for the authentication namespace.  -->
    13. 

  13. 	<!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
    14. 

  14.                must have a unique identifier. When you select a namespace to use for authentication 
    15. 

  15.                in the run-time environment, the identifier is used by the IBM Cognos components. 
    16. 

  16.                Changing the namespace ID after the service has been started may invalidate the object 
    17. 

  17.                security policies and the Cognos group and role memberships. The use of the colon 
    18. 

  18.                in the Namespace ID is not supported.  -->
    19. 

  19. 	<crn:parameter name="id">
    20. 

  20. 		<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    21. 

  21. 	</crn:parameter>
    22. 

  22. 	<!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
    23. 

  23. 	<!-- If this property is set to true, the namespace will be available for authentication 
    24. 

  24.                in the logon page namespace selection prompt. Set this value to false if the namespace 
    25. 

  25.                should not be available for selection on the logon page.  -->
    26. 

  26. 	<crn:parameter name="selectableForAuth">
    27. 

  27. 		<crn:value xsi:type="xsd:boolean">true</crn:value>
    28. 

  28. 	</crn:parameter>
    29. 

  29. 	<!-- advancedProperties: Specifies a set of advanced properties.  -->
    30. 

  30. 	<!-- The user needs to provide the name and the value for each advanced property.  -->
    31. 

  31. 	<crn:parameter name="advancedProperties" opaque="true">
    32. 

  32. 		<crn:value xsi:type="cfg:array"/>
    33. 

  33. 	</crn:parameter>
    34. 

  34. 	<!-- useDiscoveryEndpoint: Specifies whether the Identity Provider returns a discovery 
    35. 

  35.                document.  -->
    36. 

  36. 	<!-- Set this value to true if the Identity Provider supports a discovery document endpoint 
    37. 

  37.                and fill out the discovery endpoint configuration group. Set this value to false 
    38. 

  38.                if the Identity Provider does not support a discovery document endpoint and fill 
    39. 

  39.                out the non-discovery endpoint configuration group.  -->
    40. 

  40. 	<crn:parameter name="useDiscoveryEndpoint">
    41. 

  41. 		<crn:value xsi:type="xsd:boolean">true</crn:value>
    42. 

  42. 	</crn:parameter>
    43. 

  43. 	<!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint  -->
    44. 

  44. 	<!-- The discovery endpoint is used to retrieve the OpenID Connect configuration that 
    45. 

  45.                includes the authorization endpoint, token endpoint, jwks endpoint, and issuer.  -->
    46. 

  46. 	<crn:parameter name="oidcDiscEndpoint">
    47. 

  47. 		<crn:value xsi:type="cfg:anyPathURI"/>
    48. 

  48. 	</crn:parameter>
    49. 

  49. 	<!-- issuer: Specifies the OpenID claim issuer.  -->
    50. 

  50. 	<!-- A string that represents the identity provider that issued the claims in the ID token. 
    51. 

  51.                This value must match the value of the 'iss' entry in the ID token JSON document.  -->
    52. 

  52. 	<crn:parameter name="issuer">
    53. 

  53. 		<crn:value xsi:type="xsd:string"/>
    54. 

  54. 	</crn:parameter>
    55. 

  55. 	<!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the following 
    56. 

  56.                syntax: https://<hostname:port>/<path>  -->
    57. 

  57. 	<!-- The token endpoint is used to retrieve the identity token after a successful authentication 
    58. 

  58.                to the OpenID Connect identity provider.  -->
    59. 

  59. 	<crn:parameter name="oidcTokenEndpoint">
    60. 

  60. 		<crn:value xsi:type="cfg:anyPathURI"/>
    61. 

  61. 	</crn:parameter>
    62. 

  62. 	<!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using the 
    63. 

  63.                following syntax: https://<hostname:port>/<path>  -->
    64. 

  64. 	<!-- The authorization endpoint is a URL that your OpenID Connect identity provider uses 
    65. 

  65.                for authentication. In most cases, the URL should use the https scheme. The authorization 
    66. 

  66.                endpoint is invoked when users authenticate to the OpenID Connect identity provider.  -->
    67. 

  67. 	<crn:parameter name="oidcAuthEndpoint">
    68. 

  68. 		<crn:value xsi:type="cfg:anyPathURI"/>
    69. 

  69. 	</crn:parameter>
    70. 

  70. 	<!-- clientId: Specifies the OpenID Connect client identifier  -->
    71. 

  71. 	<!-- The client identity that is assigned to the application by the OpenID Connect identity 
    72. 

  72.                provider.  -->
    73. 

  73. 	<crn:parameter name="clientId">
    74. 

  74. 		<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    75. 

  75. 	</crn:parameter>
    76. 

  76. 	<!-- returnUrl: Return URL that is configured with the OpenID Connect identity provider.  -->
    77. 

  77. 	<!-- The return URL is invoked by the OpenID Connect identity provider after successfully 
    78. 

  78.                authenticating a user. The URL format is https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp 
    79. 

  79.                or https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL completes 
    80. 

  80.                Cognos Analytics authentication using the OpenID Connect identity provider.  -->
    81. 

  81. 	<crn:parameter name="returnUrl">
    82. 

  82. 		<crn:value xsi:type="cfg:anyPathURI">MANDATORY</crn:value>
    83. 

  83. 	</crn:parameter>
    84. 

  84. 	<!-- authScope: Specifies the scope parameter values provided to the authorize endpoint.  -->
    85. 

  85. 	<!-- The scope parameter values that will be added to the authorize endpoint URL for authentication. 
    86. 

  86.                At a minimum, 'openid' must be included in the list of possible scope values.  -->
    87. 

  87. 	<crn:parameter name="authScope">
    88. 

  88. 		<crn:value xsi:type="xsd:string">openid</crn:value>
    89. 

  89. 	</crn:parameter>
    90. 

  90. 	<!-- accountClaims: Specifies if the id_token contains all of the account claims.  -->
    91. 

  91. 	<!-- Set this value to token if the id_token contains all of the user claims. Set this 
    92. 

  92.                value to userinfo if an additional call should be made to the userinfo endpoint in 
    93. 

  93.                order to retrieve any user claims that are not part of the id_token.  -->
    94. 

  94. 	<crn:parameter name="accountClaims">
    95. 

  95. 		<crn:value xsi:type="xsd:string">token</crn:value>
    96. 

  96. 	</crn:parameter>
    97. 

  97. 	<!-- tokenEndpointAuth: Specifies how to authenticate to the Identity Provider when invoking 
    98. 

  98.                the token endpoint.  -->
    99. 

  99. 	<!-- Use client secret post if the client id and client secret should be transmitted in 
    100. 

  100.                the request body. Use client secret basic if the client id and client secret should 
    101. 

  101.                be transmitted in the HTTP header. Use private key JWT if the client id and a JWT 
    102. 

  102.                client_assertion that is signed with a private key should be transmitted in the request 
    103. 

  103.                body.  -->
    104. 

  104. 	<crn:parameter name="tokenEndpointAuth">
    105. 

  105. 		<crn:value xsi:type="xsd:string">client_secret_post</crn:value>
    106. 

  106. 	</crn:parameter>
    107. 

  107. 	<!-- clientSecret: Specifies the client secret that is assigned to the application by 
    108. 

  108.                the OpenID Connect identity provider.  -->
    109. 

  109. 	<!-- The client secret that is assigned to the application by the OpenID Connect identity 
    110. 

  110.                provider.  -->
    111. 

  111. 	<crn:parameter name="clientSecret">
    112. 

  112. 		<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
    113. 

  113. 	</crn:parameter>
    114. 

  114. 	<!-- privateKeyFile: Specifies the file that contains the private signing key.  -->
    115. 

  115. 	<!-- The file that contains the private signing key in PKCS8 format. It must contain a 
    116. 

  116.                single private RSA key of length 2048 bits.  -->
    117. 

  117. 	<crn:parameter name="privateKeyFile">
    118. 

  118. 		<crn:value xsi:type="cfg:filePath"/>
    119. 

  119. 	</crn:parameter>
    120. 

  120. 	<!-- privateKeyPassword: Specifies the private key password used to protect the private 
    121. 

  121.                signing key.  -->
    122. 

  122. 	<!-- This password is required to secure the private key. It provides an extra layer of 
    123. 

  123.                security by encrypted the private key file using a password.  -->
    124. 

  124. 	<crn:parameter name="privateKeyPassword">
    125. 

  125. 		<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
    126. 

  126. 	</crn:parameter>
    127. 

  127. 	<!-- privateKeyId: Specifies the key identifier that should be placed in the JWT header.  -->
    128. 

  128. 	<!-- The key identifier that will be set in the JWT 'kid' header. Use this configuration 
    129. 

  129.                item if your identity provider requires a 'kid'. Leave this value blank if your identity 
    130. 

  130.                provider does not require a 'kid'.  -->
    131. 

  131. 	<crn:parameter name="privateKeyId">
    132. 

  132. 		<crn:value xsi:type="xsd:string"/>
    133. 

  133. 	</crn:parameter>
    134. 

  134. 	<!-- keyLocation: Specifies the location of the signing public key or certificate.  -->
    135. 

  135. 	<!-- Set this value to 'File' if the signing certificate is manually downloaded from the 
    136. 

  136.                Identity Provider as a certificate and placed on the file system. Set this value 
    137. 

  137.                to 'JWKS endpoint' if the Identity Provider supports an endpoint for retrieving id_token 
    138. 

  138.                signature keys. Note: if the Identity Provider does not support a discovery document 
    139. 

  139.                but provides public keys via a JWKS endpoint, then the JWKS Endpoint must contain 
    140. 

  140.                a valid URI for retrieving the public keys.  -->
    141. 

  141. 	<crn:parameter name="keyLocation">
    142. 

  142. 		<crn:value xsi:type="xsd:string">jwks_uri</crn:value>
    143. 

  143. 	</crn:parameter>
    144. 

  144. 	<!-- idpCertificateFile: Specifies the location of the certificate that is used by the 
    145. 

  145.                OpenID Connect identity provider to sign the identity token.  -->
    146. 

  146. 	<!-- A path to the file that contains the certificate used by the identity provider to 
    147. 

  147.                sign the JSON Web Token. The path must include the certificate file name and be accessible 
    148. 

  148.                to the running instance of Cognos Analytics. The certificate must be in a PEM format, 
    149. 

  149.                include only the public key certificate, and include the begin and end certificate 
    150. 

  150.                lines. The certificate file cannot be placed in the configuration/certs directory.  -->
    151. 

  151. 	<crn:parameter name="idpCertificateFile">
    152. 

  152. 		<crn:value xsi:type="cfg:filePath"/>
    153. 

  153. 	</crn:parameter>
    154. 

  154. 	<!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing keys.  -->
    155. 

  155. 	<!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to provide 
    156. 

  156.                signing key data. In most cases, the URL should use the https scheme. The JWKS endpoint 
    157. 

  157.                is invoked when validating an id_token returned from the identity provider.  -->
    158. 

  158. 	<crn:parameter name="jwksEndpoint">
    159. 

  159. 		<crn:value xsi:type="cfg:anyPathURI"/>
    160. 

  160. 	</crn:parameter>
    161. 

  161. 	<!-- pgStrategy: Specifies how to get the user's identity when using the password grant 
    162. 

  162.                flow.  -->
    163. 

  163. 	<!-- Set this value to 'ID token' if all user claims are returned in the id_token. Set 
    164. 

  164.                this value to 'ID token and userinfo endpoint' if an id_token is returned from the 
    165. 

  165.                password grant flow but does not contain all of the user claims. Set this value to 
    166. 

  166.                'Userinfo endpoint' if the id_token does not contain any user claims and if the user 
    167. 

  167.                claims should be retrieved from the userinfo endpoint. Set this value to 'Unsupported' 
    168. 

  168.                if the Identity Provider does not support the password grant flow.  -->
    169. 

  169. 	<crn:parameter name="pgStrategy">
    170. 

  170. 		<crn:value xsi:type="xsd:string">idToken</crn:value>
    171. 

  171. 	</crn:parameter>
    172. 

  172. 	<!-- pgInclScope: Specifies that the scope should be included when using the password 
    173. 

  173.                grant flow.  -->
    174. 

  174. 	<!-- Set this value to true to indicate that the scope parameter should be included as 
    175. 

  175.                part of the query string for the password grant flow. Set this value to false to 
    176. 

  176.                indicate that the scope should be omitted from the query string for the password 
    177. 

  177.                grant flow.  -->
    178. 

  178. 	<crn:parameter name="pgInclScope">
    179. 

  179. 		<crn:value xsi:type="xsd:boolean">true</crn:value>
    180. 

  180. 	</crn:parameter>
    181. 

  181. 	<!-- pgAddParams: Specifies any additional parameters that are required for the password 
    182. 

  182.                grant flow.  -->
    183. 

  183. 	<!-- Set this value to reflect any additional parameters that should be included as part 
    184. 

  184.                of the query string for the password grant flow. The parameter must begin with an 
    185. 

  185.                '&' and must be urlencoded so that it can be safely inserted into the query string. 
    186. 

  186.                For example, if the 'resource=https://ca.ibm.com' parameter is required in the query 
    187. 

  187.                string, it must be entered as: '&resource=https%3A%2F%2Fca.ibm.com'.  -->
    188. 

  188. 	<crn:parameter name="pgAddParams">
    189. 

  189. 		<crn:value xsi:type="xsd:string"/>
    190. 

  190. 	</crn:parameter>
    191. 

  191. 	<!-- tcStrategy: Specifies the information that should be stored for scheduling jobs.  -->
    192. 

  192. 	<!-- Set this value to 'Credentials' if the Identity Provider supports the password grant 
    193. 

  193.                and returns a valid id_token that contains all of the user claims in the response. 
    194. 

  194.                Set this value to 'Credentials and ID token' if the Identity Provider supports the 
    195. 

  195.                password grant flow but does not return a valid id_token in the response or if the 
    196. 

  196.                id_token does not contain all of the user claims. Set this value to 'Refresh token' 
    197. 

  197.                if the Identity Provider supports the refresh token flow, provides a non-expiring 
    198. 

  198.                refresh token, and returns a valid id_token that contains all of the user claims 
    199. 

  199.                from the refresh token flow. Set this value to 'ID token only' if the Identity Provider 
    200. 

  200.                does not support the password grant nor refresh token flows (Note: when set to 'ID 
    201. 

  201.                token only', it will not be possible to verify that the user is still exists and 
    202. 

  202.                is enabled in the Identity Provider).  -->
    203. 

  203. 	<crn:parameter name="tcStrategy">
    204. 

  204. 		<crn:value xsi:type="xsd:string">credentials</crn:value>
    205. 

  205. 	</crn:parameter>
    206. 

  206. 	<!-- tcAccountClaims: Specifies if the id_token contains all of the account claims.  -->
    207. 

  207. 	<!-- Set this value to 'ID token' if the id_token returned from the token endpoint contains 
    208. 

  208.                all of the user claims. Set this value to 'Userinfo endpoint' if an additional call 
    209. 

  209.                to the userinfo endpoint is required in order to obtain all of the user claims.  -->
    210. 

  210. 	<crn:parameter name="tcAccountClaims">
    211. 

  211. 		<crn:value xsi:type="xsd:string">id_token</crn:value>
    212. 

  212. 	</crn:parameter>
    213. 

  213. 	<!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs.  -->
    214. 

  214. 	<!-- Specifying a value for this parameter enables multitenancy. The tenant ID for a user 
    215. 

  215.                can be determined using a pattern or a tenant provider class. The pattern is a AAA 
    216. 

  216.                service search path to a property which defines a tenant ID. The search path must 
    217. 

  217.                be relative to a user account. For example: '~/ancestors[2]/defaultName'. A tenant 
    218. 

  218.                provider class is Java class which implements the the ITenantProvider interface. 
    219. 

  219.                For more details please consult the installation and configuration guide.  -->
    220. 

  220. 	<crn:parameter name="tenantIdMapping" opaque="true">
    221. 

  221.         <crn:value xsi:type="cfg:tenancyInfo">
    222. 

  222.           <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    223. 

  223.         </crn:value>
    224. 

  224.       </crn:parameter>
    225. 

  225. 	<!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined for 
    226. 

  226.                a user.  -->
    227. 

  227. 	<!-- This parameter is used when multitenancy is enabled. The tenant bounding set for 
    228. 

  228.                a user can be determined using a pattern or a tenant bounding set provider class. 
    229. 

  229.                The pattern is a AAA service search path to a property which defines a tenant bounding 
    230. 

  230.                set. The search path must be relative to a user account. For example: '˜/parameters/boundingSet'. 
    231. 

  231.                A tenant bounding set provider class is Java class which implements the the IBoundingSetProvider 
    232. 

  232.                interface. For more details please consult the installation and configuration guide.  -->
    233. 

  233. 	<crn:parameter name="tenantBoundingSetMapping" opaque="true">
    234. 

  234. 		<crn:value xsi:type="cfg:tenancyInfo">
    235. 

  235. 			<crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    236. 

  236. 		</crn:value>
    237. 

  237. 	</crn:parameter>
    238. 

  238. 	<!-- accountCamidProperty: Specifies the value used to uniquely identify account objects.  -->
    239. 

  239. 	<!-- Specify either an existing Content Manager account object model property (e.g., email, 
    240. 

  240.                username, defaultName, etc) or the name of a configured custom property. A claim 
    241. 

  241.                must be returned for all accounts from the Identity Provider for either the Content 
    242. 

  242.                Manager account object model property or the configured custom property. The value 
    243. 

  243.                selected must be unique across all account objects. The value selected should be 
    244. 

  244.                constant over time with a low probability of needing to be changed. NOTE: this value 
    245. 

  245.                should not be changed after initial namespace configuration.  -->
    246. 

  246. 	<crn:parameter name="accountCamidProperty">
    247. 

  247. 		<crn:value xsi:type="xsd:string">email</crn:value>
    248. 

  248. 	</crn:parameter>
    249. 

  249. 	<!-- acEncoding: Specifies if the claims in the id_token are URL encoded.  -->
    250. 

  250. 	<!-- Set this value to URL encoded if the claims in the id_token are URL encoded. Set 
    251. 

  251.                this value to Not encoded if the claims in the id_token are not encoded.  -->
    252. 

  252. 	<crn:parameter name="acEncoding">
    253. 

  253. 		<crn:value xsi:type="xsd:string"/>
    254. 

  254. 	</crn:parameter>
    255. 

  255. 	<!-- acBusinessPhone: Specifies the OIDC claim used for the "businessPhone" property for 
    256. 

  256.                an account.  -->
    257. 

  257. 	<crn:parameter name="acBusinessPhone">
    258. 

  258. 		<crn:value xsi:type="xsd:string"/>
    259. 

  259. 	</crn:parameter>
    260. 

  260. 	<!-- acContentLocale: Specifies the OIDC claim used for the "contentLocale" property for 
    261. 

  261.                an account.  -->
    262. 

  262. 	<crn:parameter name="acContentLocale">
    263. 

  263. 		<crn:value xsi:type="xsd:string"/>
    264. 

  264. 	</crn:parameter>
    265. 

  265. 	<!-- acDescription: Specifies the OIDC claim used for the "description" property for an 
    266. 

  266.                account.  -->
    267. 

  267. 	<crn:parameter name="acDescription">
    268. 

  268. 		<crn:value xsi:type="xsd:string"/>
    269. 

  269. 	</crn:parameter>
    270. 

  270. 	<!-- acEmail: Specifies the OIDC claim used for the "email" property for an account.  -->
    271. 

  271. 	<crn:parameter name="acEmail">
    272. 

  272. 		<crn:value xsi:type="xsd:string">email</crn:value>
    273. 

  273. 	</crn:parameter>
    274. 

  274. 	<!-- acFaxPhone: Specifies the OIDC claim used for the "faxPhone" property for an account.  -->
    275. 

  275. 	<crn:parameter name="acFaxPhone">
    276. 

  276. 		<crn:value xsi:type="xsd:string"/>
    277. 

  277. 	</crn:parameter>
    278. 

  278. 	<!-- acGivenName: Specifies the OIDC claim used for the "givenName" property for an account.  -->
    279. 

  279. 	<crn:parameter name="acGivenName">
    280. 

  280. 		<crn:value xsi:type="xsd:string"/>
    281. 

  281. 	</crn:parameter>
    282. 

  282. 	<!-- acHomePhone: Specifies the OIDC claim used for the "homePhone" property for an account.  -->
    283. 

  283. 	<crn:parameter name="acHomePhone">
    284. 

  284. 		<crn:value xsi:type="xsd:string"/>
    285. 

  285. 	</crn:parameter>
    286. 

  286. 	<!-- acMemberOf: Specifies the OIDC claim used for the "memberOf" property for an account.  -->
    287. 

  287. 	<crn:parameter name="acMemberOf">
    288. 

  288. 		<crn:value xsi:type="xsd:string"/>
    289. 

  289. 	</crn:parameter>
    290. 

  290. 	<!-- acMobilePhone: Specifies the OIDC claim used for the "mobilePhone" property for an 
    291. 

  291.                account.  -->
    292. 

  292. 	<crn:parameter name="acMobilePhone">
    293. 

  293. 		<crn:value xsi:type="xsd:string"/>
    294. 

  294. 	</crn:parameter>
    295. 

  295. 	<!-- acName: Specifies the OIDC claim used for the "name" property for an account.  -->
    296. 

  296. 	<crn:parameter name="acName">
    297. 

  297. 		<crn:value xsi:type="xsd:string"/>
    298. 

  298. 	</crn:parameter>
    299. 

  299. 	<!-- acPagerPhone: Specifies the OIDC claim used for the "pagerPhone" property for an 
    300. 

  300.                account.  -->
    301. 

  301. 	<crn:parameter name="acPagerPhone">
    302. 

  302. 		<crn:value xsi:type="xsd:string"/>
    303. 

  303. 	</crn:parameter>
    304. 

  304. 	<!-- acPostalAddr: Specifies the OIDC claim used for the "postalAddress" property for 
    305. 

  305.                an account.  -->
    306. 

  306. 	<crn:parameter name="acPostalAddr">
    307. 

  307. 		<crn:value xsi:type="xsd:string"/>
    308. 

  308. 	</crn:parameter>
    309. 

  309. 	<!-- acProductLocale: Specifies the OIDC claim used for the "productLocale" property for 
    310. 

  310.                an account.  -->
    311. 

  311. 	<crn:parameter name="acProductLocale">
    312. 

  312. 		<crn:value xsi:type="xsd:string"/>
    313. 

  313. 	</crn:parameter>
    314. 

  314. 	<!-- acSurname: Specifies the OIDC claim used for the "surname" property for an account.  -->
    315. 

  315. 	<crn:parameter name="acSurname">
    316. 

  316. 		<crn:value xsi:type="xsd:string"/>
    317. 

  317. 	</crn:parameter>
    318. 

  318. 	<!-- acUsername: Specifies the OIDC claim used for the "userName" property for an account.  -->
    319. 

  319. 	<crn:parameter name="acUsername">
    320. 

  320. 		<crn:value xsi:type="xsd:string"/>
    321. 

  321. 	</crn:parameter>
    322. 

  322. 	<!-- customProperties: Specifies a set of custom properties.  -->
    323. 

  323. 	<!-- Use this set of custom properties to define additional account information. The "name" 
    324. 

  324.                field corresponds to the property name set in the account while the "value" corresponds 
    325. 

  325.                to the claim name in the id_token.  -->
    326. 

  326. 	<crn:parameter name="customProperties" opaque="true">
    327. 

  327. 		<crn:value xsi:type="cfg:array"/>
    328. 

  328. 	</crn:parameter>
    329. 

  329. </crn:instance>
    330.