Versions Compared

Old Version 2

changes.mady.by.user ubisebastian

Saved on

compared with

New Version Current

changes.mady.by.user ubisebastian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.4

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Note

Unlike other authentication methods, it's not possible to configure OpenID Connect authentication method completely with SSO Management UI, but SSO Management API is required. All the steps here are done using SSO Management API.


Reference of OAuth 2.0 and OpenID Connect 1.0 client implementation in SSO Server authentication method OpenIDConnectMethod.

Table of Contents
maxLevel1

Registration

Process

  1. Create OpenIDConnectMethod authentication method in SSO Server 
    • PUT /sso-api/method/oidc.method.1
    • className=ubilogin.method.provider.openidconnect.OpenIDConnectMethod
  2. Get provider metadata from your OpenID Connect provider
    • GET issuer/.well-known/openedopenid-configuration
    • If provider metadata is not available then need to manually construct provider metadata with required parameters
  3. Register provider metadata with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/metadata
  4. Read jwks_uri parameter from provider metadata, and get provider JSON Web Keys 
    • GET jwks_uri
  5. Register provider keys with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/jwks
  6. Get registration request from SSO Server
    • GET /sso-api/method/oidc.method.1/$attribute/registration
    • If provider does not support registration protocol then this step is optional
  7. Send registration request to OpenID Connect provider, and receive registration response
    • If provider does not support registration protocol then need other method to register SSO Server as client, and receive client_id and client_secret
  8. Register registration response with SSO Server
    • PUT /sso-api/method/oidc.method.1/$attribute/registration
    • If provider does not support registration protocol then need to manually construct registration response with required parameters

...

MethodDescription
PUT

Register provider JSON Web Keys with SSO Server

Body is JWKS formatted public keys (Content-Type: application/jwk-set+json)

GETRead previously registered JWKS
DELETERemove registered JWKS

...

NameDescription

OAuth 2.0 parameters

response_type"code"
redirect_uri

"https://sso.example.com/uas/return/oidc.method.1/redirect"

This value must be registered with OpenID Provider

scope

Value of registration parameter "scope"

"openid" if registration parameter is not defined

stateRandom value
client_id

Value of registration parameter "client_id"


OpenID Connect parameters

nonceRandom value
prompt

"login" if force-authn request is enabled

"none" if is-passive request is enabled

max_age"0" if force-authn request is enabled
ui_locales

When "ui_locales_supported" is a non-empty array of locale tags:

  1. Best match for SSO Server user interface locale in "ui_locales_supported".
  2. Value of registration parameter "default_ui_locales", provided it's also present in "ui_locales_supported".
  3. First item in "ui_locales_supported".

When "ui_locales_supported" is not set:

  1. SSO Server user interface locale.
  2. Value of registration parameter "default_ui_locales".

When "ui_locales_supported" is set, but is an empty array, the parameter "ui_locales" will not be set.

login_hintPass-thru value from authorization request
acr_values

Value of method configuration parameter "oidc.acr"Value of registration _values" in the extension parameter "defaultubisecure_acrrequest_valuesparameters" in the client metadata.

Signed request

Registration parameter "request_object_signing_alg" controls if SSO Server creates signed request. If parameter is not defined then request is not signed.

...

Enabled if "id_token" is present in Token Response, and if "id_token_signed_response_alg" Client Configuration value is not "none"

UserInfo

Enabled if "userinfo_endpoint" is defined in Provider Metadata..

...

Enabled if "introspection_endpoint" is defined in Provider Metadata.

Configuration

Configuration strings 

It is possible to configure openid connect OpenID Connect method via management UI. Following table lists, which parameters can be added info Configuration section when openid connect OpenID Connect method is selected.

ParameterDescription

oidc.acr

Specifies the method filtering. This can be used for filtering method visibility within application based on the received acr_values. One of the received acr_values must values defined by this parameter.

Client metadata

When registering the client metadata as JSON, Ubisecure SSO provides the following extensions:

ParameterTypeSinceDescription

ubisecure_request_object_query_parameters

string array8.4.1When sending an authorization request as Request Object by Value, controls the claims that should be extracted outside of the request object and sent as HTTP query parameters.
ubisecure_request_parametersobject8.4.1Controls static parameters to be sent with authorization requests. The keys on the root level of the object will be mapped as query parameters. Values will be URL encoded. Any JSON type will be accepted and passed as an authorization request parameter
ubisecure_request_modestring8.4.1Controls HTTP method and parameter format used for submitting the authorization request. Value form_post will use form encoded body and POST method. Value query will use query string for parameters and GET method. If not specified the default value is query.

An example client metadata with Ubisecure extensions:

Code Block
{
  "redirect_uris": [
    "https://sso.example.com/method/redirect"
  ],
  "grant_types": [
    "authorization_code"
  ],
  "response_types": [
    "code"
  ],
  "jwks": {
    "keys": [
      {
        "kid": "dDRiW2EFbhJs_GKIH20MIOdRjt0",
        "kty": "RSA",
        "n": ...
        "e": "AQAB"
      }
    ]
  },
  "scope": "openid",
  "id_token_signed_response_alg": "RS256",
  "id_token_encrypted_response_alg": "RSA-OAEP",
  "id_token_encrypted_response_enc": "A128GCM",
  "request_object_signing_alg": "RS256",
  "token_endpoint_auth_method": "private_key_jwt",
  "client_id": "test-client",
  "ubisecure_request_object_query_parameters": [
      "client_id",
      "scope",
      "response_type",
      "acr_values",
      "claims"
  ],
  "ubisecure_request_parameters": {
  	"acr_values": "my-static-acr-values",
    "claims": {
      "some-complex": {
        "key": {
          "value": true
        }
      },
      "another-complex": {
        "some-key": {
          "test": true
        }
      }
    }
  }
}

This would translate to an authorization request

No Format
GET /authorization?request=eyJ...&client_id=test-client&scope=openid&response_type=code&acr_values=my-static-acr-values&claims=%7B%22some-complex%22%3A%7B%22key%22%3A%7B%22value%22%3Atrue%7D%7D%2C%22another-complex%22%3A%7B%22some-key%22%3A%7B%22test%22%3Atrue%7D%7D%7D
Warning
titleURL length

Please note that when sending authorization requests using GET the request URL length might exceed the limit in some browsers. Care must be taken when sending many query parameters using HTTP GET.

Compatibility flags

The following compatibility flags are supported for OpenID Connect authentication methods

FlagSinceApplies toDescription

StrictAudiencePolicy

8.4.1Specific authentication method or system-wideControls JWT aud claim construction and validation policy. If set, the aud claim is required to match the provider's invoked endpoint. If not set, accepts and generates aud claim with issuer, token endpoint and invoked endpoint.

SecuredAuthorizationRequestValidate

8.4.1Specific authentication method or system-wideControls JWT claims validation of secured authorization request. If set, then implement pre 8.4.1 validation. Only iss claim is validated. If not set, then aud, sub, exp and jti claims are validated but only when present.