OpenID Connect CIBA authentication method - SSO

Introduction

OpenID Connect CIBA (Client Initiated Backchannel Authentication) is the protocol specified in openid-client-initiated-backchannel-authentication-core-03, and Ubisecure SSO uses it to communicate with the SSO CIBA Adapter. Ubisecure SSO has two authentication methods that conform to the CIBA specification, SPI OpenID Connect CIBA and Unregistered OpenID Connect CIBA; either can be used to integrate a qualified backchannel authentication service. The differences between the two methods are listed below.

SPI OpenID Connect CIBA

  • Step-up method (requires a password method as the first-factor authentication method).
  • Generates directory identities
  • The login_hint sent in the backchannel authentication request is read from a user directory attribute.

Unregistered OpenID Connect CIBA

  • Unregistered method
  • Generates unregistered identities
  • The login_hint sent in the backchannel authentication request is entered by the end-user in the SSO login page.

This documentation describes the requirements and tasks for installing and configuring SPI OpenID Connect CIBA and Unregistered OpenID Connect CIBA authentication methods in Ubisecure SSO.

The result of the installation described in this document is a working SPI OpenID Connect CIBA or Unregistered OpenID Connect CIBA authentication method.

Ubisecure CIBA Adapter Overview

The authentication sequence is as follows. It starts from a user agent that sends an authentication request to SSO; SSO then initiates the authentication by sending a backchannel authentication request to the CIBA adapter.

  1. SSO sends a backchannel authentication request to the CIBA adapter.
  2. The CIBA adapter sends an Authentication Request to a 3rd party Authentication Provider (AP).
  3. The 3rd party AP handles the authentication by pushing an authentication request to the user's mobile device.
  4. After the authentication succeeds, the 3rd party AP returns the Authentication Response to the CIBA adapter.
  5. SSO receives the id_token in the Token Response to its latest Token Request.
    1. Note that while the authentication request was being processed (between steps 1 and 5), SSO kept polling the CIBA adapter's token endpoint for the authentication status and received the authorization_pending error until now.
  6. SSO responds to the user agent with the authentication result.

Before Installation

System requirements

  • SPI OpenID Connect CIBA
    • Ubisecure SSO 8.8 or later
  • Unregistered OpenID Connect CIBA
    • Ubisecure SSO 8.3 or later
  • Ubisecure CIBA Adapter

Prior to SSO 8.8 the authentication method Unregistered OpenID Connect CIBA was known as Backchannel Authentication Adapter.


Installation of the CIBA Adapter is not covered in this document. Note that the CIBA adapter instance must be reachable from the SSO server instance, because the authentication relies on backchannel communication between SSO and the CIBA Adapter; the end-user's browser never talks to the adapter.

Installation

This chapter goes through the installation process for OpenID Connect CIBA authentication methods in SSO Management UI.

Preparation

For the installation you need the following from the CIBA adapter:

  • CIBA adapter Metadata
    • Standard URL path is /.well-known/openid-configuration, for example https://ap.example.com:8443/ciba/.well-known/openid-configuration
  • CIBA adapter JWKS
    • URL for this is advertised in jwks_uri claim in the Provider Metadata.
  • Client Identifier - client_id
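Before pasting the adapter's metadata and JWKS into SSO it is worth checking both documents for the mistakes that surface later as confusing login failures: an http endpoint, a missing backchannel_authentication_endpoint, a JWKS without kids, or a JWKS that accidentally carries the adapter's private key fields. The script below does those checks and picks the JWKS key an id_token header refers to. It is an added example, not Ubisecure code; the two JSON documents are constructed stand-ins for what https://ap.example.com:8443/ciba/.well-known/openid-configuration and its jwks_uri might return (the modulus is shortened and the kid is invented), and the "same host as issuer" check is a heuristic, not a requirement of the CIBA specification.

```python
"""Pre-upload checks on a CIBA adapter's Provider Metadata and JWKS.

Added example, not Ubisecure code. SAMPLE_METADATA and SAMPLE_JWKS are
constructed; the RSA modulus is shortened and the kid "ap-2024" is invented.
"""
import base64
import json
from urllib.parse import urlparse

SAMPLE_METADATA = json.dumps({
    "issuer": "https://ap.example.com:8443/ciba",
    "backchannel_authentication_endpoint": "https://ap.example.com:8443/ciba/bc-authorize",
    "token_endpoint": "https://ap.example.com:8443/ciba/token",
    "jwks_uri": "https://ap.example.com:8443/ciba/jwks",
    "backchannel_token_delivery_modes_supported": ["poll"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "ap-2024", "use": "sig", "alg": "RS256",
     "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4HY", "e": "AQAB"},
]})

REQUIRED_ENDPOINTS = ("backchannel_authentication_endpoint", "token_endpoint", "jwks_uri")
PRIVATE_RSA_FIELDS = ("d", "p", "q", "dp", "dq", "qi")
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_metadata(metadata_json: str) -> list:
    """Return the problems found in the Provider Metadata (empty list = OK)."""
    md = json.loads(metadata_json)
    problems = []
    issuer = md.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is missing or not https")
    for name in REQUIRED_ENDPOINTS:
        url = md.get(name)
        if not url:
            problems.append(f"{name} missing")
            continue
        if urlparse(url).scheme != "https":
            problems.append(f"{name} is not https")
        elif urlparse(url).netloc != urlparse(issuer).netloc:
            # Heuristic only: an endpoint on a different host than the issuer deserves a look.
            problems.append(f"{name} host differs from issuer host")
    if "poll" not in md.get("backchannel_token_delivery_modes_supported", []):
        problems.append("adapter does not advertise the poll token delivery mode")
    return problems


def check_jwks(jwks_json: str) -> list:
    """Return the problems found in the JWKS: missing or duplicate kid, non-signing
    keys, incomplete RSA keys, and private key fields that were exported by mistake
    and would otherwise end up pasted into the SSO configuration."""
    keys = json.loads(jwks_json).get("keys", [])
    problems = [] if keys else ["JWKS contains no keys"]
    seen = set()
    for k in keys:
        kid = k.get("kid")
        if not kid:
            problems.append("key without kid")
        elif kid in seen:
            problems.append(f"duplicate kid {kid}")
        seen.add(kid)
        if k.get("use", "sig") != "sig":
            problems.append(f"key {kid} is not a signing key")
        if k.get("kty") == "RSA" and not ("n" in k and "e" in k):
            problems.append(f"RSA key {kid} lacks n or e")
        leaked = [f for f in PRIVATE_RSA_FIELDS if f in k]
        if leaked:
            problems.append(f"key {kid} contains private key material {leaked}")
    return problems


def select_key(jwks_json: str, id_token: str):
    """Pick the JWKS entry that an id_token header points at by kid, refusing tokens
    whose alg is not an asymmetric algorithm a JWKS can vouch for (so "none" and
    HS256 never match a key). Verifying the signature with the selected key is the
    next step and is not done here."""
    header = json.loads(b64url_decode(id_token.split(".")[0]))
    if header.get("alg") not in ASYMMETRIC_ALGS:
        return None
    for k in json.loads(jwks_json)["keys"]:
        if k.get("kid") == header.get("kid") and k.get("alg", header["alg"]) == header["alg"]:
            return k
    return None
```

Run check_metadata and check_jwks on the real documents you fetched from the adapter and fix every reported problem before uploading them in the SSO Management UI; a JWKS that lists a "d" field is a private key export and must not be pasted anywhere.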

Creating the Authentication Method

Unregistered OpenID Connect CIBA

Create a new Authentication Method in the Authentication methods page and select OpenID Connect CIBA as the Method Type.

Continue with the instructions under Both.

SPI OpenID Connect CIBA

Select which password method should be the first factor and check which directory service it uses. Verify that the directory service has the configuration string password-name set as shown below, where password.x is the name of the first-factor password method.

password-name=password.x

If the directory service already has password-name set, but to something other than the name of the first-factor password method, you can instead set password-name in the SPI OpenID Connect CIBA method after it has been created.

The value of password-name in the authentication method will override the value in the directory service.

Create a new Authentication Method in the Authentication methods page, select SPI OpenID Connect CIBA as the Method Type and select the directory service to be same as the one in the first-factor password method.

Continue with the instructions under Both.

Both OpenID Connect CIBA methods

After the method has been created you end up on its configuration page. You can also get there by clicking the method in the list.

Under the SPI OpenID Connect CIBA or Unregistered OpenID Connect CIBA tab:

  1. Insert client_id in the Client Identifier field.
  2. Press the Update button.
  3. Upload the Authentication Adapter Metadata.
    1. Press the Upload button next to label "Provider Metadata:".
    2. Paste the Authentication Adapter Metadata JSON string in the field or upload the file containing it.
    3. Press OK.
  4. Upload the Authentication Adapter JWKS.
    1. Press the Upload button next to label "Provider JWKS:".
    2. Paste the Authentication Adapter JWKS string in the field or upload the file containing it.
    3. Press OK.

Under the Main tab:

  1. Tick Enabled.
  2. Press the Update button.

Configuration

These configuration options are available to be added to "Configuration String" in method settings.

Both OpenID Connect CIBA methods

  • polling.interval.default
    • Interval in seconds to wait between token endpoint polls when the authentication response does not include an interval attribute.
    • Default: 5
  • polling.interval.increase
    • Number of seconds added to the token polling interval when a slow_down error is received from the adapter.
    • Default: 5
  • polling.initial.delay
    • Number of seconds to wait after a successful authentication response before the first token request is sent.
    • Default: 0
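The three polling options above only make sense against the poll-mode exchange described in the CIBA Adapter Overview: SSO sends the backchannel authentication request, gets an auth_req_id, and then repeats Token Requests against the adapter's token endpoint until the id_token arrives. The simulation below plays both sides of that exchange with the configuration values applied: the SSO side waits polling.initial.delay before the first Token Request, uses the adapter's interval or else polling.interval.default between requests, adds polling.interval.increase on slow_down, and gives up once expires_in has passed. It is an added example, not Ubisecure code. The adapter is a constructed stand-in that answers authorization_pending twice and slow_down once before releasing the token; time is a simulated counter rather than real sleeps; and the id_token it returns carries a placeholder signature, so it must still be verified against the Provider JWKS in a real deployment.

```python
"""CIBA poll-mode exchange between SSO and the CIBA adapter, driven by the
polling.* configuration strings. Added example, not Ubisecure code.
MockCibaAdapter is a constructed stand-in; its responses follow the CIBA
specification (auth_req_id/expires_in/interval, then authorization_pending,
slow_down or a token response), but the id_token signature is a placeholder."""
import base64
import json
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
DEFAULT_CONF = {"polling.interval.default": 5, "polling.interval.increase": 5,
                "polling.initial.delay": 0}


def b64url_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


def unverified_claims(id_token: str) -> dict:
    """Decode the payload only; a real consumer verifies the signature first."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class MockCibaAdapter:
    """Constructed adapter: pending on polls 1-2, slow_down on poll 3, token from
    poll `release_after` on. `interval` is advertised only when not None."""

    def __init__(self, interval=None, expires_in=120, release_after=4):
        self.interval, self.expires_in, self.release_after = interval, expires_in, release_after
        self.requests = {}  # auth_req_id -> state of that backchannel request

    def backchannel_authenticate(self, client_id, login_hint, scope="openid"):
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"polls": 0, "login_hint": login_hint, "client_id": client_id}
        resp = {"auth_req_id": auth_req_id, "expires_in": self.expires_in}
        if self.interval is not None:
            resp["interval"] = self.interval
        return resp

    def token(self, client_id, grant_type, auth_req_id):
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        req["polls"] += 1
        if req["polls"] == 3:
            return {"error": "slow_down"}
        if req["polls"] < self.release_after:
            return {"error": "authorization_pending"}
        id_token = (b64url_json({"alg": "RS256", "kid": "ap-2024"}) + "." +
                    b64url_json({"iss": "https://ap.example.com:8443/ciba", "aud": client_id,
                                 "sub": "user-" + req["login_hint"]}) + ".c2ln")  # placeholder signature
        return {"id_token": id_token, "token_type": "Bearer", "access_token": secrets.token_urlsafe(8)}


def ciba_poll_login(adapter, client_id, login_hint, conf=None):
    """SSO side of the exchange. Returns a dict with ok, id_token or error, and
    `polls`, the simulated second at which each Token Request was sent."""
    conf = {**DEFAULT_CONF, **(conf or {})}
    auth = adapter.backchannel_authenticate(client_id, login_hint)
    auth_req_id, expires_in = auth["auth_req_id"], auth["expires_in"]
    # Adapter-supplied interval wins; polling.interval.default is the fallback.
    interval = auth.get("interval", conf["polling.interval.default"])
    clock = conf["polling.initial.delay"]  # seconds since the authentication response
    polls = []
    while clock <= expires_in:
        polls.append(clock)
        resp = adapter.token(client_id, CIBA_GRANT, auth_req_id)
        if "id_token" in resp:
            return {"ok": True, "id_token": resp["id_token"], "polls": polls}
        err = resp.get("error")
        if err == "slow_down":
            interval += conf["polling.interval.increase"]  # back off, keep polling
        elif err != "authorization_pending":
            return {"ok": False, "error": err, "polls": polls}  # access_denied, expired_token, ...
        clock += interval
    return {"ok": False, "error": "expired_token", "polls": polls}
```

With the defaults and an adapter that sends no interval, the Token Requests go out at 0, 5 and 10 seconds, the slow_down at 10 s stretches the interval to 10 s, and the fourth request at 20 s returns the id_token. Tune polling.initial.delay upwards when the authentication provider needs a few seconds before a token can possibly be ready, and keep polling.interval.increase at least as large as the adapter's own back-off expectation, since an adapter that keeps answering slow_down is telling you that SSO polls too aggressively.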

SPI OpenID Connect CIBA

  • directory.mobile.attribute
    • Name of the user directory attribute that stores the user's mobile phone number.
    • Default: mobile
  • directory.ciba.attribute
    • Name of the user directory attribute that must match the id_token claim named by accountAttributeClaim.
    • Default: the value of directory.mobile.attribute
  • directory.ciba.loginHint
    • Name of the user directory attribute whose value is sent as the login_hint parameter in the backchannel authentication request.
    • Default: the value of directory.ciba.attribute
  • accountAttributeClaim
    • Name of the id_token claim that must match the user directory attribute named by directory.ciba.attribute. This comparison is what binds the backchannel authentication to the user who already passed the first-factor password method; if the values differ, the step-up does not succeed.
    • Default: sub

Unregistered OpenID Connect CIBA

  • usernameClaim
    • Name of the id_token claim used as the subject of the unregistered identity.
    • Default: sub
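The two tables above describe a chain of defaults (directory.ciba.loginHint falls back to directory.ciba.attribute, which falls back to directory.mobile.attribute) and one security-critical comparison: for the SPI method, the id_token claim named by accountAttributeClaim must equal the directory attribute named by directory.ciba.attribute of the user who passed the first factor, while the Unregistered method simply takes usernameClaim as the subject. The code below resolves the effective configuration, derives the login_hint, and performs that binding check. It is an added example, not Ubisecure code: the directory records and id_token claims are constructed, the configuration strings are parsed as one key=value per line as shown for password-name above, and the exact-string comparison is an assumption about how SSO matches the values.

```python
"""Identity resolution for the SPI and Unregistered OpenID Connect CIBA methods
from their configuration strings. Added example, not Ubisecure code. The user
records, claims and conf strings are constructed; exact string comparison of
claim and attribute is an assumption."""

SPI_DEFAULTS = {"directory.mobile.attribute": "mobile", "accountAttributeClaim": "sub"}


def parse_conf(conf_string: str) -> dict:
    """Parse a 'key=value' per line configuration string (blank and # lines ignored)."""
    conf = {}
    for line in conf_string.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def effective_spi_conf(conf: dict) -> dict:
    """Apply the defaults chain from the SPI table:
    directory.ciba.attribute  -> value of directory.mobile.attribute
    directory.ciba.loginHint  -> value of directory.ciba.attribute."""
    eff = {**SPI_DEFAULTS, **conf}
    eff.setdefault("directory.ciba.attribute", eff["directory.mobile.attribute"])
    eff.setdefault("directory.ciba.loginHint", eff["directory.ciba.attribute"])
    return eff


def spi_login_hint(conf: dict, first_factor_user: dict):
    """login_hint for the backchannel authentication request, read from the
    directory record of the user who just passed the password method."""
    return first_factor_user.get(effective_spi_conf(conf)["directory.ciba.loginHint"])


def spi_bind(conf: dict, first_factor_user: dict, id_token_claims: dict):
    """Step-up binding check. The claim named by accountAttributeClaim must equal
    the directory attribute named by directory.ciba.attribute; anything else
    fails closed, so a backchannel authentication completed by some other
    person can never be attached to this session. Returns (ok, reason)."""
    eff = effective_spi_conf(conf)
    expected = first_factor_user.get(eff["directory.ciba.attribute"])
    got = id_token_claims.get(eff["accountAttributeClaim"])
    if expected is None or got is None:
        return False, "directory attribute or id_token claim missing"
    if expected != got:
        return False, "id_token does not belong to the first-factor user"
    return True, "bound"


def unregistered_subject(conf: dict, id_token_claims: dict):
    """Subject of the unregistered identity: the claim named by usernameClaim (default sub)."""
    return id_token_claims.get(conf.get("usernameClaim", "sub"))


# Constructed directory record and configuration strings for the demo below.
ALICE = {"uid": "alice", "mobile": "+358401234567", "nationalId": "010190-123A"}
NATIONAL_ID_CONF = "directory.ciba.attribute=nationalId\naccountAttributeClaim=national_id"

if __name__ == "__main__":
    print("default login_hint:", spi_login_hint({}, ALICE))
    conf = parse_conf(NATIONAL_ID_CONF)
    print("effective conf:", effective_spi_conf(conf))
    print(spi_bind(conf, ALICE, {"sub": "ap-4711", "national_id": "010190-123A"}))
    print(spi_bind(conf, ALICE, {"sub": "ap-4712", "national_id": "020290-456B"}))
```

Because the comparison is exact, the directory attribute and the adapter's claim must use the same canonical form; a directory entry of +358401234567 will not bind to an id_token that reports 0401234567, which is the right failure but a common source of "step-up never succeeds" tickets. Normalise the attribute in the directory rather than relaxing the check.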