WORK IN PROGRESS
*** TO BE REMOVED ONCE PUBLISHED ***
This will replace the older KNB article "Configure Telia FTN authentication using OIDC".
Main changes:
- The method type is OpenID Connect, and Telia currently uses JWKS instead of a client_secret.
- Show the new SSO Management UI for configuring an OpenID Connect method.
*** TO BE REMOVED ONCE PUBLISHED ***
Useful documentation:
Configure OpenID Connect authentication method in SSO Management UI
OpenID Connect authentication method - SSO
older documentation: https://intra.ubisecure.com/confluence/display/~arto.vainiolehto/OpenID+Connect+method+registration+from+Management+UI ← shows the IDP side (the OAuth2 application)
ticket: https://intra.ubisecure.com/jira/browse/IDS-105
Step by Step
Create an OpenID Connect method. From SSO version 8.8.0 you can do this through the SSO Management UI; on older versions you must use the SSO API to create the method.
In the SSO Management UI, go to the Global Method Settings tab and click New Method.
Name it oidc.ftn.1 or something similar, and select "OpenID Connect" as the Method Type.
Press the OK button (at the bottom) and the method will be created.
Once the method is created, go to the OpenID Connect tab.
Under "Authentication Provider" you will see "Provider Metadata:" and an "Upload" button, which lets you upload the Telia Tunnistus metadata. Click the button and upload the JSON file corresponding to https://tunnistus.telia.fi/uas/oauth2/metadata.json (Note: https://tunnistus-pp.telia.fi/uas/oauth2/metadata.json for Telia Tunnistus' pre-production environment).
Press OK and you will see that the "Authentication Provider" metadata is now filled in.
Just below you will see "Provider JWKS:" and another "Upload" button, which lets you upload the Telia Tunnistus JWKS. Make sure you have saved the file with a .json extension, not .jwks. Click the button and upload the JSON file corresponding to https://tunnistus.telia.fi/uas/oauth2/metadata.jwks (Note: https://tunnistus-pp.telia.fi/uas/oauth2/metadata.jwks for Telia Tunnistus' pre-production environment).
Press OK and now you will see the JWKS field is filled in.
Now, press "Update" at the bottom.
Registration:
On the method, go to the OpenID Connect tab.
Press Create to create the Registration Request. This generates a JSON file.
Save the file to your workstation.
Send the Registration Request (the JSON file you just saved, e.g. oidc.ftn.1.json) to the Telia TIBS operations team.
(Telia will create an OAuth2 application in their SSO Management corresponding to your OpenID Connect method, then upload the JSON file you sent them: UPLOAD and then ACTIVATE.
As a result they will generate a Registration Response in JSON format and send it to you.)
Once you receive it from the Telia team, come back to the OpenID Connect tab and upload the JSON file to the "Registration Response" field.
Press OK and you will see that the Client Identifier and Client Metadata fields are filled in.
Press Update
Go to the "Main" tab and check Enabled.
Press Update
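Before uploading the two Telia files, it is worth checking them together: the metadata's issuer is the one you expect and its endpoints are https on the same host, and the JWKS carries only public keys (no private JWK parameters) with unique kids. The following Python check is an added example, not code from this article or from Ubisecure SSO; the metadata and JWKS embedded in it are constructed placeholders, not Telia's real values.

```python
import json
from urllib.parse import urlparse

# Constructed sample files in the shape of OpenID Connect provider metadata
# and a JWKS; placeholder values, not Telia's real endpoints or keys.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.test/uas",
  "authorization_endpoint": "https://idp.example.test/uas/oauth2/authorization",
  "token_endpoint": "https://idp.example.test/uas/oauth2/token",
  "jwks_uri": "https://idp.example.test/uas/oauth2/metadata.jwks"
}""")
SAMPLE_JWKS = json.loads("""{"keys": [
  {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "sXch...", "e": "AQAB"}
]}""")

# JWK members that appear only in private keys; a provider JWKS must never carry them.
PRIVATE_PARAMS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_provider_files(metadata, jwks, expected_issuer):
    """Return the problems found; an empty list means the files are consistent."""
    problems = []
    issuer = metadata.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for name in REQUIRED_ENDPOINTS:
        url = metadata.get(name, "")
        if not url:
            problems.append(f"metadata lacks {name}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")
        elif issuer and urlparse(url).netloc != urlparse(issuer).netloc:
            problems.append(f"{name} host differs from issuer host: {url}")
    keys = jwks.get("keys") or []
    if not keys:
        problems.append("JWKS contains no keys")
    seen = set()
    for key in keys:
        kid = key.get("kid")
        if not kid or "kty" not in key:
            problems.append(f"key without kid/kty: {key}")
            continue
        if kid in seen:
            problems.append(f"duplicate kid {kid!r}")
        seen.add(kid)
        leaked = sorted(PRIVATE_PARAMS.intersection(key))
        if leaked:
            problems.append(f"key {kid!r} carries private parameters {leaked}")
    return problems
```

Run it against the downloaded metadata.json and the JWKS you saved as .json, with the issuer of the Telia environment you are configuring (production or pre-production); only upload when the list comes back empty.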
*** END ***
In case the IDP doesn't generate the registration response:
https://ubisecuredev.atlassian.net/wiki/display/IDS20213/OpenID+Connect+authentication+method+-+SSO
See "An example client metadata with Ubisecure extensions" there ← it must be edited manually and uploaded in the "Client Metadata" field.