Problem:

The OpenID Connect SSO integration fails with the error "bad input: failed to create OpenID Provider".

2022-02-20 00:07:45.368              WARN   bad input: failed to create OpenID Provider
2022-02-20 00:07:45.368              DEBUG  POST /api/v2/oidc/test [400 Bad Request]: code=400, message=bad input: failed to create OpenID Provider



Solution:

Add an OpenID Connect configuration to ADFS
1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Click on "Add Application Group..." in the sidebar to the right.
4. Give the application group a name, for example "OpenID Connect".
5. Select the "Server application accessing a web API" list item and click next. This is key: earlier I was using only "Server application"; it has to be "Server application accessing a web API".
6. Copy and paste the Client Identifier to a text file for later use.
7. Enter your authentication "Redirect URI" as provided by the Aqua UI and click next.
8. Tick the "Generate a shared secret" box. Copy and paste the Secret to a text file for use with your application. Click next.
9. Paste and add the Client Identifier (from step 6) as the "Identifier". Click next.
10. Select the access control policy you'd like to use and click next.
11. Make sure the boxes next to "openid", "profile" and "allatclaims" are ticked. Check only these 3 boxes; otherwise I have seen groups/roles being ignored.
12. Finish the wizard.


Configure OpenID Connect to provide user groups as claims
1. Open the "AD FS Management" tool located under the "Tools" menu at the top right of the Server Manager.
2. Select the "Application Groups" folder item in the left sidebar.
3. Double-click on the group added earlier, then double-click on the "Web API" application.
4. Select the tab named "Issuance Transform Rules".
5. Click the "Add Rule..." button at the bottom.
6. Select "Send LDAP Attributes as Claims" and click next.
7. Give the rule a name, for example "groups".
8. Select "Active Directory" as the "Attribute Store".
9. In the table below, select "Token-Groups - Unqualified Names" in the first column and type "groups" into the second column.
10. Finish the wizard.
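The two wizards above, scripted with the AD FS PowerShell module. This is an added example, not code from the original article or from Aqua; it assumes the group and application names, the built-in "Permit everyone" access control policy for step 10, and that you pass the Redirect URI shown in the Aqua UI. The claim rule it installs is the one the "Send LDAP Attributes as Claims" template writes when "Token-Groups - Unqualified Names" is mapped to an outgoing claim named "groups".

```powershell
# Added example (not from the original article or from Aqua): scripted equivalent of the
# two AD FS wizards above, run in an elevated PowerShell session on the AD FS server.
# Assumed: the group name, the application names, and the "Permit everyone" access control
# policy (step 10). The Redirect URI must be the one shown in the Aqua UI (step 7).
Import-Module ADFS

function New-OidcApplicationGroup {
    param(
        [Parameter(Mandatory)] [string] $RedirectUri,          # from the Aqua UI
        [string] $GroupName = "OpenID Connect",                 # step 4 (assumed name)
        [string] $AccessControlPolicy = "Permit everyone"       # step 10 (assumed choice)
    )

    # Step 5: "Server application accessing a web API" is a server application plus a
    # Web API in the same group, with the client granted permission to call the API.
    New-AdfsApplicationGroup -Name $GroupName -ApplicationGroupIdentifier $GroupName | Out-Null

    # Step 6: the wizard generates the Client Identifier; here we generate a GUID ourselves.
    $clientId = [guid]::NewGuid().ToString()

    # Steps 6-8: server application with the Redirect URI and a generated shared secret.
    $serverApp = Add-AdfsServerApplication -ApplicationGroupIdentifier $GroupName `
        -Name "$GroupName - Server application" `
        -Identifier $clientId `
        -RedirectUri $RedirectUri `
        -GenerateClientSecret `
        -PassThru

    # Second procedure, steps 4-10: the "Send LDAP Attributes as Claims" rule that maps the
    # LDAP attribute tokenGroups ("Token-Groups - Unqualified Names") to a claim named "groups".
    $groupsRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);
'@

    # Steps 9-10: Web API whose Identifier is the Client Identifier from step 6.
    Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
        -Name "$GroupName - Web API" `
        -Identifier $clientId `
        -AccessControlPolicyName $AccessControlPolicy `
        -IssuanceTransformRules $groupsRule

    # Step 11: grant exactly the three scopes the article lists, and nothing else.
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
        -ServerRoleIdentifier $clientId `
        -ScopeNames @("openid", "profile", "allatclaims")

    # The values the Aqua UI asks for. The secret is shown once; store it like a password.
    [pscustomobject]@{
        ClientId     = $clientId
        ClientSecret = $serverApp.ClientSecret
    }
}

# Usage (placeholder URI: paste the Redirect URI shown in the Aqua UI):
# New-OidcApplicationGroup -RedirectUri "https://<aqua-host>/<redirect-path-shown-in-aqua-ui>"
```

After the script runs, confirm the result in AD FS Management: the group should show one server application and one Web API, and the Web API's "Issuance Transform Rules" tab should list the "groups" rule. The issuer AD FS publishes for these settings is `https://<adfs-host>/adfs`, with its discovery document at `https://<adfs-host>/adfs/.well-known/openid-configuration`.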


Now in the Aqua UI 


Keycloak

Customers who use Keycloak need to include /realms/<realm name> in the IdP Issuer URL:

https://{keycloakhost}:{keycloakport}/realms/{realm}

Example:

"https://localhost/auth/realms/demo"
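A small check for the Issuer URL before it goes into the Aqua UI. This is an added example, not code from the original article or from Aqua or Keycloak. It assumes that the integration compares the configured Issuer URL with the `issuer` field of the realm's OIDC discovery document as an exact string, which is what OpenID Connect Discovery requires; a value missing the /realms/<realm> segment therefore fails before any login is attempted. The discovery document in the block is constructed for offline use; `Get-OidcIssuerCheck` fetches the real one.

```powershell
# Added example (not from the original article, Aqua or Keycloak): build the Keycloak
# Issuer URL and check it against what the realm's OIDC discovery document publishes.
# Assumption: the Aqua side requires an exact match between the configured Issuer URL and
# the "issuer" field, as OIDC Discovery specifies (no trailing slash, no missing segment).

function Get-KeycloakIssuerUrl {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $Realm,
        [int] $Port = 0,             # include only if users reach Keycloak on a non-default port
        [switch] $LegacyAuthPrefix   # Keycloak releases before 17 served realms under /auth
    )
    $base = "https://$ServerName"
    if ($Port) { $base += ":$Port" }
    if ($LegacyAuthPrefix) { return "$base/auth/realms/$Realm" }
    return "$base/realms/$Realm"
}

function Test-OidcIssuer {
    param(
        [Parameter(Mandatory)] [string] $ConfiguredIssuer,
        [Parameter(Mandatory)] $Discovery        # parsed discovery document (PSObject)
    )
    [pscustomobject]@{
        Configured = $ConfiguredIssuer
        Published  = $Discovery.issuer
        Match      = ($Discovery.issuer -ceq $ConfiguredIssuer)   # case-sensitive, exact
        JwksUri    = $Discovery.jwks_uri
    }
}

function Get-OidcIssuerCheck {
    # Online variant: fetches <issuer>/.well-known/openid-configuration (the standard path).
    param([Parameter(Mandatory)] [string] $ConfiguredIssuer)
    $url = $ConfiguredIssuer.TrimEnd('/') + "/.well-known/openid-configuration"
    $doc = Invoke-RestMethod -Uri $url -Method Get
    Test-OidcIssuer -ConfiguredIssuer $ConfiguredIssuer -Discovery $doc
}

# Constructed sample: what a pre-17 Keycloak realm named "demo" on localhost publishes.
$sampleDiscoveryJson = @'
{
  "issuer": "https://localhost/auth/realms/demo",
  "authorization_endpoint": "https://localhost/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "https://localhost/auth/realms/demo/protocol/openid-connect/token",
  "jwks_uri": "https://localhost/auth/realms/demo/protocol/openid-connect/certs"
}
'@
$sampleDiscovery = $sampleDiscoveryJson | ConvertFrom-Json

# Host only, realm segment missing: Match = False
Test-OidcIssuer -ConfiguredIssuer "https://localhost" -Discovery $sampleDiscovery

# Built the way the article describes (legacy /auth layout): Match = True
$issuer = Get-KeycloakIssuerUrl -ServerName "localhost" -Realm "demo" -LegacyAuthPrefix
Test-OidcIssuer -ConfiguredIssuer $issuer -Discovery $sampleDiscovery
```

Run `Get-OidcIssuerCheck -ConfiguredIssuer "<your issuer>"` from a machine that can reach Keycloak; if `Match` is `False`, copy the `Published` value into the Aqua UI as the Issuer URL rather than hand-editing the path.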