...
OpenID Connect CIBA (Client Initiated Backchannel Authentication) is a protocol specified in openid-client-initiated-backchannel-authentication-core-03 and is used for communication between Ubisecure SSO and an OpenID an OpenID Provider (OP).
Ubisecure SSO has two authentication methods which conform to the CIBA specification, SPI OpenID Connect CIBA and Unregistered and Unregistered OpenID Connect CIBA, and can be used to integrate a qualified backchannel authentication service. The differences between the two methods are listed below.
...
The picture below shows the authentication sequence, in which the authentication starts from a user agent, which sends an authentication request to SSO, which then initiates the authentication with the OpenID the OpenID Provider (OP) handling backchannel authentication request.
...
For installation, you need to get the following from the OpenID provider Provider (OP):
- OP Metadata
- Standard URL path is
/.well-known/openid-configuration, for examplehttps://ap.example.com:8443/ciba/.well-known/openid-configuration
- Standard URL path is
- OP JWKS
- URL for this is advertised in
jwks_uriclaim in the Provider OP Metadata.
- URL for this is advertised in
- Client Identifier -
client_id
...
- Insert
client_idin the Client Identifier field. - Press the Update button.
- Upload the OpenID provider OP Metadata.
- Press the Upload button next to label "Provider Metadata:".
- Paste the OP Metadata JSON string in the field or upload the file containing it.
- Press OK.
- Upload the OpenID provider the OP JWKS.
- Press the Upload button next to label "Provider JWKS:".
- Paste the OPr OP JWKS string in the field or upload the file containing it.
- Press OK.
Under the Main tab:
- Tick Enabled.
- Press the Update button.
Configuration
These configuration options are available to be added to "Configuration String" in method settings.
...