Configure OpenID Connect authentication method in SSO Management UI

OpenID Connect method Configuration UI is available in Ubisecure SSO 8.8.x and later

Introduction

This article is intended to be a step-by-step guide on how to create a new OpenID Connect (OIDC) authentication method.

Before you begin, refer to your external OIDC Identity Provider's documentation on how to configure and set up new applications. In this scenario, Ubisecure SSO acts as an OpenID Connect Relying Party, whereas the external Identity Provider acts as an OpenID Connect Provider. One key prerequisite for creating an OIDC method in Ubisecure SSO is access to the external Identity Provider's OpenID Provider metadata and JSON Web Key Set (JWKS). You will need these in steps 4 and 5.

Configuring a new OpenID Connect authentication method

Create OIDC authentication method to Ubisecure SSO

  1. Click New Method... at Global Method Settings tab.

  2. Add title, name and select OpenID Connect as Method Type. Then press OK.

  3. Go to OpenID Connect tab.

  4. Upload Authentication Provider metadata by pressing Upload... at Provider Metadata area.

  5. Upload Authentication Provider JWKS by pressing Upload... at Provider JWKS area.

  6. Press Update.

Get registration request for external IDP

Registration request and response

In order to configure Ubisecure SSO as an OpenID Relying Party in your external OpenID Identity Provider, you need to enter information such as redirect URIs, signing and encryption keys, and algorithms into the external Identity Provider. For this, Ubisecure SSO can generate standard OpenID client metadata. The following steps guide you through this process.

When you have registered Ubisecure SSO as an OpenID Relying Party with the external Identity Provider, you either get back a registration response or you need to create one yourself. If the external Identity Provider does not provide a standard response, use the registration request as a baseline and fill in the missing details, such as the client ID expected by the external Identity Provider.

You may need to modify some additional registration response parameters to make Ubisecure SSO work with the external IDP. Refer to OpenID Connect Authentication method - SSO for more details.
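The following is an added example, not Ubisecure SSO's own code, of what the registration exchange above looks like in data: it assembles standard client metadata for the registration request, builds a registration response from that request when the external Identity Provider returns no standard one (adding the client ID the provider expects), and vets the response before it is uploaded. Field names follow OpenID Connect Dynamic Client Registration 1.0; the redirect URI and client ID are constructed placeholders, and the check list reflects common-sense Relying Party hygiene rather than any Ubisecure-specific rule.

```python
"""Added example (not Ubisecure SSO's code): build an OpenID Connect client
registration request for an external IdP and vet the registration response
before uploading it.  Field names follow OpenID Connect Dynamic Client
Registration 1.0; the redirect URI and client_id used below are constructed."""
from urllib.parse import urlsplit

# Asymmetric JWS algorithms we are willing to accept for ID token signatures.
# "none" is deliberately absent: an unsigned ID token proves nothing.
ACCEPTED_SIGNING_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                         "PS256", "PS384", "PS512"}


def build_registration_request(redirect_uris, id_token_alg="RS256",
                               client_name="Ubisecure SSO"):
    """Return standard client metadata describing SSO as a Relying Party.

    Every redirect URI must be absolute and https: an http or relative URI
    would let the authorization code travel over a link that can be read
    or redirected on the path.
    """
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"redirect_uri must be an absolute https URL: {uri}")
    if id_token_alg not in ACCEPTED_SIGNING_ALGS:
        raise ValueError(f"unacceptable ID token signing algorithm: {id_token_alg}")
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "id_token_signed_response_alg": id_token_alg,
    }


def registration_response_from_request(request, client_id, extra=None):
    """Build a registration response when the IdP returns no standard one.

    The request is the baseline; client_id (and any other values the IdP
    dictates, passed in `extra`) are filled in on top of it.
    """
    response = dict(request)
    response["client_id"] = client_id
    if extra:
        response.update(extra)
    return response


def check_registration_response(request, response):
    """Return a list of problems found in a registration response.

    An empty list means the response is consistent with what was requested
    and can be uploaded as the method's registration response.
    """
    problems = []
    if not response.get("client_id"):
        problems.append("client_id is missing")
    # The provider must not widen or replace the redirect URIs we registered.
    if response.get("redirect_uris") != request["redirect_uris"]:
        problems.append("redirect_uris differ from the registration request")
    alg = response.get("id_token_signed_response_alg",
                       request["id_token_signed_response_alg"])
    if alg not in ACCEPTED_SIGNING_ALGS:
        problems.append(f"id_token_signed_response_alg {alg!r} is not acceptable")
    if response.get("token_endpoint_auth_method") == "none":
        problems.append("token_endpoint_auth_method 'none' makes SSO a public client")
    return problems


if __name__ == "__main__":
    # Constructed values; substitute your own SSO redirect URI and client ID.
    request = build_registration_request(["https://sso.example.test/oidc/callback"])
    response = registration_response_from_request(request, "constructed-client-id")
    print(check_registration_response(request, response))  # []
```

The point of `check_registration_response` is that a registration response is configuration you trust: if the provider's copy of the metadata silently changed the redirect URIs, downgraded the ID token signing algorithm, or dropped client authentication, that is worth noticing before the method is enabled, not after the first failed login.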

Obtaining OpenID Connect Provider metadata

If your OpenID Provider supports the OpenID Connect Discovery specification, you can obtain the OP configuration metadata from its well-known endpoint, i.e. with an HTTP GET to /.well-known/openid-configuration under the issuer URL.
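As an added example (not Ubisecure SSO's code), the script below shows the checks worth running on a discovery document and the JWKS it points to before uploading them as Provider Metadata and Provider JWKS in steps 4 and 5. The two sample documents are constructed for this example; the checks follow OpenID Connect Discovery 1.0 (section 3 for the required metadata fields and the RS256 requirement, section 4.3 for the rule that the issuer must match the URL the document was fetched from).

```python
"""Added example (not Ubisecure SSO's code): sanity-check an OpenID Provider's
discovery document and JWKS before uploading them as Provider Metadata and
Provider JWKS.  The two sample documents are constructed for this example;
the checks follow OpenID Connect Discovery 1.0 (sections 3 and 4.3)."""
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "jwks_uri", "id_token_signing_alg_values_supported")

# Constructed sample, as if fetched with
# GET https://op.example.test/.well-known/openid-configuration
SAMPLE_METADATA = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "userinfo_endpoint": "https://op.example.test/userinfo",
    "jwks_uri": "https://op.example.test/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample JWKS; "n" is a placeholder, not a real RSA modulus.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-2024-01", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
]})


def discovery_url(issuer):
    """Where the discovery document for `issuer` must live."""
    return issuer.rstrip("/") + WELL_KNOWN_PATH


def check_provider_metadata(metadata_json, fetched_from):
    """Return problems found in a discovery document (empty list = OK)."""
    md = json.loads(metadata_json)
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in md]
    issuer = md.get("issuer", "")
    # Discovery 4.3: the issuer MUST be identical to the URL the document was
    # retrieved from (minus the well-known path).  A mismatch means ID tokens
    # would carry an `iss` you did not expect, and the method should not be
    # configured from this document.
    if issuer and discovery_url(issuer) != fetched_from:
        problems.append(f"issuer {issuer!r} does not match {fetched_from!r}")
    for field in ("issuer", "authorization_endpoint", "token_endpoint",
                  "userinfo_endpoint", "jwks_uri"):
        value = md.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    algs = md.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("provider does not advertise RS256 (required by Discovery 1.0)")
    if "none" in algs:
        problems.append("provider advertises unsigned ('none') ID tokens; do not select it")
    return problems


def check_jwks(jwks_json):
    """Return problems found in a provider JWKS (empty list = OK)."""
    keys = json.loads(jwks_json).get("keys", [])
    problems = [] if keys else ["key set is empty"]
    seen_kids = set()
    for key in keys:
        kid = key.get("kid")
        if not kid:
            problems.append("key without kid cannot be matched to an ID token header")
        elif kid in seen_kids:
            problems.append(f"duplicate kid {kid!r}")
        else:
            seen_kids.add(kid)
        kty = key.get("kty")
        if kty == "RSA" and not (key.get("n") and key.get("e")):
            problems.append(f"RSA key {kid!r} lacks n/e")
        elif kty == "EC" and not (key.get("crv") and key.get("x") and key.get("y")):
            problems.append(f"EC key {kid!r} lacks crv/x/y")
        elif kty not in ("RSA", "EC"):
            problems.append(f"key {kid!r} has unsupported kty {kty!r}")
        if "d" in key:  # a private component must never appear in a public JWKS
            problems.append(f"key {kid!r} contains a private component")
    return problems


if __name__ == "__main__":
    print(check_provider_metadata(SAMPLE_METADATA, discovery_url("https://op.example.test")))  # []
    print(check_jwks(SAMPLE_JWKS))  # []
```

Fetching the documents is left out so the example runs offline; in practice you retrieve them over TLS from the issuer URL the provider gave you, pass that same URL as `fetched_from`, and only upload the files when both checks return an empty list. The JWKS check is deliberately shallow (presence of key material and identifiers, no private parts); it does not replace the signature verification SSO performs at login.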

In Ubisecure SSO

  1. Press Create to create the Registration Request.

  2. Send the Registration Request to the Authentication Provider.

  3. Upload the Registration Response.

Complete authentication method configuration

  1. Press Update.

  2. Go to Main tab.

  3. Check Enabled.

  4. Press Update.