OpenID Connect CIBA (Client Initiated Backchannel Authentication) is a protocol specified in openid-client-initiated-backchannel-authentication-core-03 and is used for communication between Ubisecure SSO and SSO CIBA Adapter. Ubisecure SSO has two authentication methods which conform to the CIBA specification, SPI OpenID Connect CIBA and Unregistered OpenID Connect CIBA, and can be used to integrate a qualified backchannel authentication service. The differences between the two methods are listed below.
SPI OpenID Connect CIBA
login_hint
sent in the backchannel authentication request is read from a user directory attribute.Unregistered OpenID Connect CIBA
login_hint
sent in the backchannel authentication request is entered by the end-user in the SSO login page.This documentation describes the requirements and tasks for installing and configuring SPI OpenID Connect CIBA and Unregistered OpenID Connect CIBA authentication methods in Ubisecure SSO.
The result of the installation described in this document is a working SPI OpenID Connect CIBA or Unregistered OpenID Connect CIBA authentication method.
The picture below shows the authentication sequence, in which the authentication starts from a user agent, which sends an authentication request to SSO, which then initiates the authentication with the CIBA adapter sending backchannel authentication request.
Prior to SSO 8.8 the authentication method Unregistered OpenID Connect CIBA was known as Backchannel Authentication Adapter. |
Installation of the CIBA Adapter is not covered in this document. Also please note that Ubisecure SSO requires the CIBA adapter instance to be accessible from the SSO server instance, because the authentication is based on backchannel communication between the SSO and the CIBA Adapter.
This chapter goes through the installation process for OpenID Connect CIBA authentication methods in SSO Management UI.
For installation, you need to get the following from the CIBA adapter:
/.well-known/openid-configuration
, for example https://ap.example.com:8443/ciba/.well-known/openid-configuration
jwks_uri
claim in the Provider Metadata.client_id
Create a new Authentication Method in the Authentication methods page and select OpenID Connect CIBA as the Method Type.
Continue with the instructions under Both.
Select which password method should be the first-factor and see which directory service it uses. Verify that the directory service has a conf string password-name
set as shown below, where password.x
is the name of the first-factor password method.
password-name=password.x
If the directory service already has The value of |
Create a new Authentication Method in the Authentication methods page, select SPI OpenID Connect CIBA as the Method Type and select the directory service to be same as the one in the first-factor password method.
Continue with the instructions under Both.
After finishing you should end up in the method's configuration page. You can go there by clicking the method in the list.
Under the SPI OpenID Connect CIBA or Unregistered OpenID Connect CIBA tab:
client_id
in the Client Identifier field.Under the Main tab:
These configuration options are available to be added to "Configuration String" in method settings.
Conf string | Description | Default |
---|---|---|
polling.interval.default | Interval in seconds to wait between token endpoint polling if interval attribute is not provided in authentication response. | 5 |
polling.interval.increase | Number of seconds to increase token polling interval if slow_down error is received from adapter. | 5 |
polling.initial.delay | Number of seconds after which the first token request is sent after a successful authentication response. | 0 |
Conf string | Description | Default |
---|---|---|
directory.mobile.attribute | Name of the user directory attribute used for storing the mobile phone number of the user. | mobile |
directory.ciba.attribute | Name of the user directory attribute which must match the id_token claim defined in accountAttributeClaim . |
|
directory.ciba.loginHint | Name of the user directory attribute whose value is sent as login_hint parameter in the authentication request. |
|
| Name of the id_token claim which must match the user directory attribute defined in directory.ciba.attribute . | sub |
Conf string | Description | Default |
---|---|---|
usernameClaim | Name of the id_token claim which is used as the subject of the unregistered identity. | sub |