Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor format fixes

...

OpenID Connect CIBA (Client Initiated Backchannel Authentication) is a protocol specified in openid-client-initiated-backchannel-authentication-core-03 and is used for communication between Ubisecure SSO and SSO CIBA Adapter. an OpenID Provider (OP).

Ubisecure SSO has two authentication methods which conform to the CIBA specification, SPI OpenID Connect CIBA and Unregistered and Unregistered OpenID Connect CIBA, and can be used to integrate a qualified  backchannel authentication service. The differences between the two methods are listed below.

...

The result of the installation described in this document is a working SPI OpenID Connect CIBA or Unregistered OpenID Connect CIBA authentication method.

...

Backchannel Authentication Flow

The picture below shows the authentication sequence, in which the authentication starts from a user agent, which sends an authentication request to SSO, which then initiates the authentication with the CIBA adapter sending the OpenID Provider (OP) handling backchannel authentication request.

  1. SSO sends backchannel authentication request to the CIBA adapterOP.
  2. CIBA adapter OP sends Authentication Request to a 3rd party Authentication Provider.
  3. The 3rd party AP handles the authentication by pushing an authentication request to the user's mobile device.
  4. After the authentication is successful, the 3rd party AP returns the Authentication Response.
  5. SSO receives id_token as Token Response for the latest Token Request. 
    1. Note that while the authentication request was being processed during steps 2 to 5, SSO Server kept polling the CIBA adapter OP for the authentication status and received status authentication_pending until now.
  6. SSO responds with the authentication result.

Gliffy
imageAttachmentIdatt9165283688
baseUrlhttps://ubisecuredev.atlassian.net/wiki
macroId240a67c6-5dbf-46e1-9fde-322ca8068220
nameSSO - UBAA Authentication

...

diagramAttachmentId

System requirements

  • SPI OpenID Connect CIBA
    • Ubisecure SSO 8.8 or later
  • Unregistered OpenID Connect CIBA
    • Ubisecure SSO 8.3 or later
  • Ubisecure CIBA Adapter
Info

Prior to SSO 8.8 the authentication method Unregistered OpenID Connect CIBA was known as Backchannel Authentication Adapter.

Installation of the CIBA Adapter is not covered in this document. Also please note that Ubisecure SSO requires the CIBA adapter instance to be accessible from the SSO server instance, because the authentication is based on backchannel communication between the SSO and the CIBA Adapter.

...

att9165283691
containerId9165283675
timestamp1707987994207

Installation

This chapter goes through the installation process for OpenID Connect CIBA authentication methods in SSO Management UI.

...

For installation, you need to get the following from the CIBA adapterOpenID Provider (OP):

  • CIBA adapter OP Metadata
    • Standard URL path is /.well-known/openid-configuration, for example https://ap.example.com:8443/ciba/.well-known/openid-configuration
    CIBA adapter
  • OP JWKS
    • URL for this is advertised in jwks_uri claim in the Provider OP Metadata.
  • Client Identifier - client_id

...

  1. Insert client_id in the Client Identifier field.
  2. Press the Update button.
  3. Upload the Authentication Adapter OP Metadata.
    1. Press the Upload button next to label "Provider Metadata:".
    2. Paste the Authentication Adapter OP Metadata JSON string in the field or upload the file containing it.
    3. Press OK.
  4. Upload the Authentication Adapter the OP JWKS.
    1. Press the Upload button next to label "Provider JWKS:".
    2. Paste the Authentication Adapter OP JWKS string in the field or upload the file containing it.
    3. Press OK.

Under the Main tab:

  1. Tick Enabled.
  2. Press the Update button.

Configuration

These configuration options are available to be added to "Configuration String" in method settings.

...

Conf stringDescriptionDefault
polling.interval.defaultInterval in seconds to wait between token endpoint polling if interval attribute is not provided in authentication response. 5
polling.interval.increaseNumber of seconds to increase token polling interval if slow_down error is received from adapterOP.5
polling.initial.delayNumber of seconds after which the first token request is sent after a successful authentication response.0

...