Provider metadata reference - SSO
SSO Server publishes its OAuth 2.0 and OpenID Connect 1.0 endpoint addresses and other capabilities and features in a metadata document.
Metadata allows applications to dynamically discover endpoints and features.
The following table lists the metadata parameters published by SSO Server:
Name | Description |
OAuth 2.0 parameters | |
issuer | Issuer identifier |
authorization_endpoint | Authorization endpoint |
token_endpoint | Token endpoint |
jwks_uri | Issuer's public keys as JSON Web Key Set |
revocation_endpoint | Revocation endpoint |
introspection_endpoint | Introspection endpoint |
scopes_supported = [ "openid", "userinfo" ] | Scope values supported. In addition, client_id values of registered clients are allowed as scope values. |
response_types_supported = [ "code" ] | |
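grant_types_supported = [ "authorization_code", "password", "refresh_token", "urn:ietf:params:oauth:grant-type:saml2-bearer", "", "" ] | The two empty entries appear to be values lost from this listing; see the published metadata document for the complete list. The "password" grant hands the user's credentials to the client application, and current OAuth 2.0 security guidance (RFC 9700) says it must not be used; prefer "authorization_code" with PKCE wherever the client can support it. |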
token_endpoint_auth_methods_supported = [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", "none"] | See Client authentication - SSO |
token_endpoint_auth_signing_alg_values_supported = [ "RS256", "HS256" ] | JWS algorithm identifiers. RS256 (RSA) is used with asymmetric keys; HS256 (HMAC) is used with symmetric keys. |
revocation_endpoint_auth_methods_supported | same as token_endpoint_auth_methods_supported |
revocation_endpoint_auth_signing_alg_values_supported | same as token_endpoint_auth_signing_alg_values_supported |
introspection_endpoint_auth_methods_supported | same as token_endpoint_auth_methods_supported |
introspection_endpoint_auth_signing_alg_values_supported | same as token_endpoint_auth_signing_alg_values_supported |
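code_challenge_methods_support = [ "S256", "plain" ] | Supported code_challenge_methods for OAuth 2.0 PKCE. See RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients. RFC 7636 requires a client that is capable of S256 to use it; "plain" sends the verifier unhashed as the challenge and is meant only for clients that cannot compute SHA-256. Note that RFC 8414 registers this metadata name as code_challenge_methods_supported; check the published metadata document for the exact name. |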
OpenID Connect 1.0 parameters | |
userinfo_endpoint | UserInfo endpoint |
subject_types_supported = [ "public" ] | |
id_token_signing_alg_values_supported | same as token_endpoint_auth_signing_alg_values_supported |
id_token_encryption_alg_values_supported | JWE algorithm identifiers: encryption key management algorithms. The interop setting "EncryptAES256" controls whether 256-bit algorithms are available. |
id_token_encryption_enc_values_supported | JWE algorithm identifiers: content encryption algorithms. |
userinfo_signing_alg_values_supported | same as id_token_signing_alg_values_supported |
userinfo_encryption_alg_values_supported | same as id_token_encryption_alg_values_supported |
userinfo_encryption_enc_values_supported | same as id_token_encryption_enc_values_supported |
request_object_signing_alg_values_supported | same as id_token_signing_alg_values_supported |
request_object_encryption_alg_values_supported | same as id_token_encryption_alg_values_supported |
request_object_encryption_enc_values_supported | same as id_token_encryption_enc_values_supported |