Provider metadata reference - SSO

SSO Server publishes it's OAuth 2.0 and OpenID Connect 1.0 endpoint addresses and other capabilities and features in a metadata document.

Metadata allows applications to dynamically discover endpoints and features.

The following lists metadata parameters published by SSO Server

NameDescription

OAuth 2.0 parameters

issuerIssuer identifier
authorization_endpointAuthorization endpoint
token_endpointToken endpoint
jwks_uriIssuer's public keys as JSON Web Key Set
revocation_endpointRevocation endpoint
introspection_endpointIntrospection endpoint

scopes_supported = [

"openid",

"userinfo" ]

Scope values supported

In addition client_id values of registered clients are allowed as scope values

response_types_supported = [ "code" ]

grant_types_supported = [

"authorization_code", "password",

"refresh_token",

"urn:ietf:params:oauth:grant-type:saml2-bearer",

"http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",

"http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" ]


token_endpoint_auth_methods_supported = [

"client_secret_post",

"client_secret_basic",

"client_secret_jwt",

"private_key_jwt",

"none"]

See Client authentication - SSO

token_endpoint_auth_signing_alg_values_supported = [

"RS256",

"HS256" ]

JWS algorithm identifiers

RSA is used with asymmetric keys, HMAC is used with symmetric keys

revocation_endpoint_auth_methods_supportedsame as token_endpoint_auth_methods_supported
revocation_endpoint_auth_signing_alg_values_supported same as token_endpoint_auth_signing_alg_values_supported
introspection_endpoint_auth_methods_supported same as token_endpoint_auth_methods_supported
introspection_endpoint_auth_signing_alg_values_supported same as token_endpoint_auth_signing_alg_values_supported

code_challenge_methods_support = [

"S256",

"plain" ]

Supported code_challenge_methods for OAuth2.0 PKCE.

See RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients.


OpenID Connect 1.0 parameters

userinfo_endpointUserInfo endpoint
subject_types_supported = [ "public" ]
id_token_signing_alg_values_supported same as token_endpoint_auth_signing_alg_values_supported
id_token_encryption_alg_values_supported

JWE algorithm identifiers

Encryption key management algorithms

Interop setting "EncryptAES256" controls if 256bit algorithms are available

id_token_encryption_enc_values_supported

JWE algorithm identifiers

Content encryption algorithms

userinfo_signing_alg_values_supportedsame as id_token_signing_alg_values_supported

userinfo_encryption_alg_values_supported

same as id_token_encryption_alg_values_supported
userinfo_encryption_enc_values_supportedsame as id_token_encryption_enc_values_supported
request_object_signing_alg_values_supported same as id_token_signing_alg_values_supported
request_object_encryption_alg_values_supportedsame as id_token_encryption_alg_values_supported
request_object_encryption_enc_values_supportedsame as id_token_signing_alg_values_supported

References