...

Note

Unlike the other authentication methods, the OpenID Connect authentication method cannot be configured completely through the SSO Management UI; the SSO Management API is required. All the steps on this page are performed with the SSO Management API.


Reference for the OAuth 2.0 and OpenID Connect 1.0 client implementation in the SSO Server authentication method OpenIDConnectMethod.


Registration

Process

  1. Create the OpenIDConnectMethod authentication method in SSO Server
    • PUT /sso-api/method/oidc.method.1
  2. Get the provider metadata from your OpenID Connect provider
    • GET issuer/.well-known/openid-configuration
    • If provider metadata is not available, the provider metadata must be constructed manually with the required parameters
  3. Register the provider metadata with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/metadata
  4. Read the jwks_uri parameter from the provider metadata and get the provider's JSON Web Keys
    • GET jwks_uri
  5. Register the provider keys with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/jwks
  6. Get the registration request from SSO Server
    • GET /sso-api/method/oidc.method.1/$attribute/registration
    • If the provider does not support the registration protocol, this step is optional
  7. Send the registration request to the OpenID Connect provider and receive the registration response
    • If the provider does not support the registration protocol, another method is needed to register SSO Server as a client and obtain client_id and client_secret
  8. Register the registration response with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/registration
    • If the provider does not support the registration protocol, the registration response must be constructed manually with the required parameters
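The eight steps above as one script, added here as an example and not part of the SSO Server product or this page. The SSO Management API paths are the ones listed in the steps; the HTTP transport is injected so the script runs offline, and the helper names, the body sent when creating the method, the sample provider metadata and the sample JWKS are assumptions (constructed values, not a real provider). Before the provider metadata is registered it is checked for the parameters OpenID Connect Discovery requires and for an issuer mismatch, and the fallback for providers without a registration endpoint is the manually constructed registration response from step 8.

```python
"""Registration steps 1-8 against the SSO Management API (example code)."""
from urllib.parse import urlparse

METHOD_PATH = "/sso-api/method/oidc.method.1"  # path from the page

# Parameters that OpenID Connect Discovery marks REQUIRED in provider metadata
REQUIRED_METADATA = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def metadata_problems(issuer, meta):
    """Reasons the provider metadata should not be registered (empty = OK)."""
    problems = [f"missing {key}" for key in REQUIRED_METADATA if key not in meta]
    if meta.get("issuer") != issuer:
        problems.append("issuer in metadata does not match configured issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = meta.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


def manual_registration_response(client_id, client_secret, redirect_uri):
    """Step 8 fallback: registration response built by hand when the provider
    has no registration protocol and the client was registered out of band."""
    return {"client_id": client_id, "client_secret": client_secret,
            "redirect_uris": [redirect_uri]}


def registration_plan(issuer, http, manual_registration=None):
    """Return the ordered (method, path, body) calls to make against the SSO
    Management API.  `http(method, url, body) -> (status, json)` is supplied by
    the caller and is given either a full provider URL or an SSO API path."""
    calls = [("PUT", METHOD_PATH, {"type": "OpenIDConnectMethod"})]       # 1 (body assumed)
    discovery = issuer.rstrip("/") + "/.well-known/openid-configuration"
    status, meta = http("GET", discovery, None)                          # 2
    if status != 200:
        raise RuntimeError("provider metadata unavailable; construct it manually")
    problems = metadata_problems(issuer, meta)
    if problems:
        raise ValueError("; ".join(problems))
    calls.append(("PUT", f"{METHOD_PATH}/$attribute/metadata", meta))    # 3
    status, jwks = http("GET", meta["jwks_uri"], None)                   # 4
    if status != 200 or not jwks.get("keys"):
        raise RuntimeError("provider JWKS unavailable or empty")
    calls.append(("PUT", f"{METHOD_PATH}/$attribute/jwks", jwks))        # 5
    if "registration_endpoint" in meta:
        _, request = http("GET", f"{METHOD_PATH}/$attribute/registration", None)  # 6
        status, response = http("POST", meta["registration_endpoint"], request)    # 7
        if status not in (200, 201):
            raise RuntimeError("dynamic registration rejected by provider")
    elif manual_registration is not None:
        response = manual_registration                                   # 7 fallback
    else:
        raise RuntimeError("no registration endpoint; supply client_id/client_secret manually")
    calls.append(("PUT", f"{METHOD_PATH}/$attribute/registration", response))  # 8
    return calls


# Constructed sample provider documents so the script runs offline
SAMPLE_ISSUER = "https://op.example.test"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig",
                         "n": "<constructed-placeholder-modulus>", "e": "AQAB"}]}


def fake_http(method, url, body):
    """Offline transport returning the constructed sample documents."""
    if url.endswith("/.well-known/openid-configuration"):
        return 200, SAMPLE_METADATA
    if url == SAMPLE_METADATA["jwks_uri"]:
        return 200, SAMPLE_JWKS
    return 404, {}


if __name__ == "__main__":
    fallback = manual_registration_response(
        "client-id-placeholder", "client-secret-placeholder",
        "https://sso.example.com/uas/return/oidc.method.1/redirect")
    for method, path, _ in registration_plan(SAMPLE_ISSUER, fake_http, fallback):
        print(method, path)
```

Replacing `fake_http` with a transport that performs the real requests is the only change needed to run the plan against an SSO Server and a provider; every PUT body is the document the steps say to register.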

...

OAuth 2.0 parameters

  • response_type: "code"
  • redirect_uri: "https://sso.example.com/uas/return/oidc.method.1/redirect". This value must be registered with the OpenID Provider.
  • scope: value of registration parameter "scope"; "openid" if the registration parameter is not defined
  • state: random value
  • client_id: value of registration parameter "client_id"

OpenID Connect parameters

  • nonce: random value
  • prompt: "login" if force-authn request is enabled; "none" if is-passive request is enabled
  • max_age: "0" if force-authn request is enabled
  • ui_locales: SSO Server user interface locale, or the value of registration parameter "default_ui_locales"
  • login_hint: pass-through value from the authorization request
  • acr_values: value of method configuration parameter "oidc.acr", or the value of registration parameter "default_acr_values"

...

Enabled if "id_token" is present in the Token Response and the Client Configuration value "id_token_signed_response_alg" is not "none".

UserInfo

Enabled if "userinfo_endpoint" is defined in the Provider Metadata.
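What the client has to do with the ID Token once signature checking is enabled, as an added example that is not the SSO Server's code: the header `alg` must equal the configured `id_token_signed_response_alg` (the token is never allowed to pick its own algorithm), the signature is verified, and then `iss`, `aud`/`azp`, `exp` and `nonce` are checked. Only the HS256 case (client_secret as the HMAC key) is implemented so the example runs without a JOSE library; RS256 would additionally need the provider JWKS registered in step 5. The function names, the `make_hs256_token` helper used to build the sample token and the sample claims are assumptions.

```python
"""ID Token validation (example code; HS256 only)."""
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims, secret):
    """Build a compact JWS signed with HMAC-SHA256 (used for the sample only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token, *, expected_alg, client_secret, issuer, client_id, nonce, now=None):
    """Return the claims if the token passes every check, else raise ValueError.
    `expected_alg` is the client configuration value id_token_signed_response_alg."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error) as exc:
        raise ValueError(f"malformed ID Token: {exc}")
    if expected_alg != "none":   # page: checking is disabled only for "none"
        if header.get("alg") != expected_alg:
            raise ValueError(f"alg {header.get('alg')!r} != configured {expected_alg!r}")
        if expected_alg == "HS256":
            expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                raise ValueError("ID Token signature does not verify")
        else:
            raise NotImplementedError("example verifies HS256 only; RS256 needs the provider JWKS")
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the provider issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("client_id is not in aud")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("ID Token expired or exp missing")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce does not match the authentication request")
    return claims


if __name__ == "__main__":
    # Constructed sample: a token the provider would return for this client
    now = int(time.time())
    sample = {"iss": "https://op.example.test", "sub": "user-1", "aud": "client-id-placeholder",
              "iat": now, "exp": now + 300, "nonce": "sample-nonce"}
    tok = make_hs256_token(sample, "client-secret-placeholder")
    print(validate_id_token(tok, expected_alg="HS256", client_secret="client-secret-placeholder",
                            issuer="https://op.example.test", client_id="client-id-placeholder",
                            nonce="sample-nonce"))
```

The `alg` comparison happens before any signature work, so a token whose header says `none` or names a different algorithm is rejected without the verifier ever branching on attacker-controlled data.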

...

Parameter: Description

  • oidc.acr: Specifies the method filtering. This can be used to filter method visibility within an application based on the received acr_values: one of the received acr_values must match a value defined by this parameter.
  • oidc.acr_values: Specifies which acr_values are added to the authentication request. All the received acr_values are removed and replaced by the values defined by this configuration key.
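How the authentication request parameters listed earlier and the two configuration keys above fit together on the client side, as an added example rather than the SSO Server's code. The redirect_uri and the parameter rules come from the page; the function names, the shape of the stored registration response, the session dictionary used to remember state and nonce, and the assumptions that force-authn takes precedence over is-passive when both are set and that acr values in oidc.acr are space-separated are mine. `build_auth_request` follows the configuration section in taking the request's acr_values from oidc.acr_values (the parameter table names oidc.acr for this), `check_callback` enforces one-time use of state, and `method_visible` implements the oidc.acr filter.

```python
"""Authentication request, return handling and acr filtering (example code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# From the page: the return endpoint registered with the OpenID Provider
REDIRECT_URI = "https://sso.example.com/uas/return/oidc.method.1/redirect"


def build_auth_request(authorization_endpoint, registration, method_config, session, *,
                       force_authn=False, is_passive=False, ui_locale=None, login_hint=None):
    """Assemble the authentication request URL and remember state and nonce.

    `registration` is the stored registration response, `method_config` the
    method configuration parameters and `session` a dict the caller persists
    (all three shapes are assumptions)."""
    state = secrets.token_urlsafe(32)   # unguessable, one per request
    nonce = secrets.token_urlsafe(32)   # bound into the ID Token, checked later
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": registration.get("scope", "openid"),   # "openid" if not registered
        "state": state,
        "client_id": registration["client_id"],
        "nonce": nonce,
    }
    # prompt=login and prompt=none exclude each other; assumption: force-authn wins
    if force_authn:
        params["prompt"] = "login"
        params["max_age"] = "0"
    elif is_passive:
        params["prompt"] = "none"
    locales = ui_locale or registration.get("default_ui_locales")
    if locales:
        params["ui_locales"] = locales
    if login_hint:
        params["login_hint"] = login_hint   # pass-through from the authorization request
    # Configuration section: oidc.acr_values replaces the received acr_values
    acr = method_config.get("oidc.acr_values") or registration.get("default_acr_values")
    if acr:
        params["acr_values"] = acr
    session[state] = {"nonce": nonce}
    return authorization_endpoint + "?" + urlencode(params)


def check_callback(return_url, session):
    """Match the returned state to a pending request (one-time use) and hand
    back the code plus the nonce to verify against the ID Token."""
    query = parse_qs(urlparse(return_url).query)
    state = query.get("state", [None])[0]
    pending = session.pop(state, None)
    if pending is None:
        raise ValueError("unknown or already-used state")
    if "error" in query:
        raise ValueError("provider error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("no authorization code in response")
    return query["code"][0], pending["nonce"]


def method_visible(received_acr_values, method_config):
    """oidc.acr filter: at least one received acr value must match a configured
    one.  Assumption: values are space-separated and an unset key means no filter."""
    allowed = set(method_config.get("oidc.acr", "").split())
    if not allowed:
        return True
    return bool(allowed & set(received_acr_values))


if __name__ == "__main__":
    # Constructed sample registration response and method configuration
    session = {}
    url = build_auth_request("https://op.example.test/authorize",
                             {"client_id": "client-id-placeholder", "scope": "openid profile"},
                             {"oidc.acr_values": "urn:example:mfa"}, session, force_authn=True)
    print(url)
    state = next(iter(session))
    print(check_callback(REDIRECT_URI + "?code=sample-code&state=" + state, session))
```

Because `secrets.token_urlsafe` only emits unreserved URL characters, the state and nonce survive `urlencode` unchanged, which is what lets `check_callback` look them up verbatim.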