Unlike other authentication methods, it's not possible to configure OpenID Connect authentication method completely with SSO Management UI, but SSO Management API is required. All the steps here are done using SSO Management API.

Reference of OAuth 2.0 and OpenID Connect 1.0 client implementation in SSO Server authentication method OpenIDConnectMethod.

Registration

Process

Create OpenIDConnectMethod authentication method in SSO Server
- PUT /sso-api/method/oidc.method.1
Get provider metadata from your OpenID Connect provider
- GET issuer/.well-known/opened-configuration
- If provider metadata is not available then need to manually construct provider metadata with required parameters
Register provider metadata with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/metadata
Read jwks_uri parameter from provider metadata, and get provider JSON Web Keys
- GET jwks_uri
Register provider keys with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/jwks
Get registration request from SSO Server
- GET /sso-api/method/oidc.method.1/$attribute/registration
- If provider does not support registration protocol then this step is optional
Send registration request to OpenID Connect provider, and receive registration response
- If provider does not support registration protocol then need other method to register SSO Server as client, and receive client_id and client_secret
Register registration response with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/registration
- If provider does not support registration protocol then need to manually construct registration response with required parameters

/sso-api/method/{id}/$attribute/metadata

Method	Desription
PUT	Register provider metadata with SSO Server Body is Json formatted Provider Metadata
GET	Read previously registered provider metadata Response is Json formatted Provider Metadata
DELETE	Remove registered provider metadata Also removes JWKS and registration response

Method

Desription

PUT

Body is Json formatted Provider Metadata

GET

Read previously registered provider metadata

Response is Json formatted Provider Metadata

DELETE

Remove registered provider metadata

Also removes JWKS and registration response

/sso-api/method/{id}/$attribute/jwks

Method	Description
PUT	Register provider JSON Web Keys with SSO Server Body is JWKS formatted public keys
GET	Read previously registered JWKS
DELETE	Remove registered JWKS

Method

Description

PUT

Body is JWKS formatted public keys

GET

Read previously registered JWKS

DELETE

Remove registered JWKS

/sso-api/method/{id}/$attribute/registration

Method	Description
GET	Generate client registration request Or read previously registered registration response Response is Json formatted registration request
PUT	Register registration response with SSO Server Body is Json formatted registration response
DELETE	Remove any registration Use DELETE before GET to make sure a new registration request is generated

Method

Description

GET

Generate client registration request

Or read previously registered registration response

Response is Json formatted registration request

PUT

Body is Json formatted registration response

DELETE

Remove any registration

Use DELETE before GET to make sure a new registration request is generated

Authentication Request

This chapter describes how SSO Server constructs Authorization Request from information in Provider Metadata and Registration Response.

Request parameters

Name	Description
	OAuth 2.0 parameters
response_type	"code"
redirect_uri	"https://sso.example.com/uas/return/oidc.method.1/redirect" This value must be registered with OpenID Provider
scope	Value of registration parameter "scope" "openid" if registration parameter is not defined
state	Random value
client_id	Value of registration parameter "client_id"
	OpenID Connect parameters
nonce	Random value
prompt	"login" if force-authn request is enabled "none" if is-passive request is enabled
max_age	"0" if force-authn request is enabled
ui_locales	SSO Server user interface locale Value of registration parameter "default_ui_locales"
login_hint	Pass-thru value from authorization request
acr_values	Value of method configuration parameter "oidc.acr" Value of registration parameter "default_acr_values"

Signed request

Registration parameter "request_object_signing_alg" controls if SSO Server creates signed request. If parameter is not defined then request is not signed.

Response

Receives authorization code

Token Request

Request parameters

Name	Description
grant_type	"code"
code	Value from authorization response
redirect_uri	"https://sso.example.com/uas/return/oidc.method.1/redirect"

Client credentials

Registration parameter "token_endpoint_auth_method" controls what client credentials are sent with request. Default value is "client_secret_basic"

Token Validation

SSO Server attempts to choose one of the following token validation mechanisms.

ID Token

Enabled if "id_token" is present in Token Response, and if "id_token_signed_response_alg" Client Configuration value is not "none"

UserInfo

Enabled if "userinfo_endpoint" is defined in Provider Metadata..

Introspection

Enabled if "introspection_endpoint" is defined in Provider Metadata.

Claims Transformation

TODO

Registration

Process

/sso-api/method/{id}/$attribute/metadata

/sso-api/method/{id}/$attribute/jwks

/sso-api/method/{id}/$attribute/registration

Authentication Request

Request parameters

OAuth 2.0 parameters

OpenID Connect parameters

Signed request

Response

Token Request

Request parameters

Client credentials

Token Validation

ID Token

UserInfo

Introspection

Claims Transformation

Browser not supported