OpenID Connect Identity Provider
OpenID Connect (OIDC) is a standard published in 2014 that is built on top of OAuth 2.0. It provides support for user authentication and, among other things, allows clients to obtain end-user identity attributes in an interoperable manner and to manage multiple sessions. It is meant to be a lightweight, modern, JSON-based alternative to SAML.
The OpenID Connect specification defines the Relying Party (RP), an OAuth 2.0 Client requiring End-User authentication, and the OpenID Provider (OP), an OAuth 2.0 Authentication Server which performs this authentication. As a result of successful authentication the OpenID Provider issues an ID Token, which is a JSON Web Token (JWT) containing a set of claims, the user's identity attributes.
The Onegini IDP can act as an OIDC RP, allowing the user to authenticate against an external OIDC IdP by performing a regular login, signup or automatic signup.
This chapter will guide you through all steps that are required to fully configure and use an external OIDC IdP with the Onegini IDP.
What is required?
To successfully complete this topic guide, ensure the following prerequisites are met:
- An Onegini IDP instance must be running; for the sake of this guide we assume it is available at http://idp-core.dev.onegini.me
- The external IdP (Identity Provider of OIDC type) must be running externally from the Onegini IDP
Configure external OIDC IdP in Onegini IDP
To register a new IdP of OIDC type, visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IDP admin console. Select the Config menu option and navigate to the Identity Providers tab. Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:
Type - open the dropdown list and select OpenID Connect
Name - name your OIDC IdP instance
Authentication Level - choose the desired authentication level
Enabled - mark your Identity Provider as enabled
Synchronise Attributes - flag indicating whether the Onegini IDP should synchronise the person's profile attributes with the ones retrieved from the OIDC IdP
Client Authentication Method - the Onegini IDP can be configured to authenticate against the OIDC IdP either using client credentials (Client Secret Basic) or a signed JWT (Private key JWT); the subsections below explain in more detail how to configure and use both
Client ID - the client identifier as configured within the OIDC IdP
Client Secret - required only for the Client Secret Basic client authentication method
Manual metadata setup - flag indicating whether the data for the authentication flow is provided manually or, when disabled, fetched automatically from the discovery URL

The following fields are available when Manual metadata setup is disabled (the default behaviour):

Discovery URL - the location of the discovery endpoint, following the well-known semantics described in the OIDC specification
Metadata Expiration Time - time period in seconds specifying how long metadata fetched from the Discovery URL is kept in Redis; the value kept in Redis is automatically refreshed when the IdP is updated

The following fields are available when Manual metadata setup is enabled:

Authorization URL - URL where authorization will take place
IDToken URL - URL where the IDToken will be requested
UserInfo URL - URL where UserInfo will be requested
JWKS URL - URL where the JSON Web Key Set is published
Issuer - expected issuer value received in the IDToken

Scopes - list of scopes which should be requested from the OIDC IdP during the authorization flow; the openid scope is always sent by default
Claims - additional claims that should be requested from the OIDC IdP during the authorization flow; note that some claims are also represented by standard scopes as described in the OIDC specification
ID Token encryption required - flag indicating whether the Onegini IDP strictly requires the id-token to be encrypted, see the signing and encryption section for more details
UserInfo encryption required - flag indicating whether the Onegini IDP strictly requires the UserInfo response to be encrypted, see the signing and encryption section for more details
Client Secret Basic
The Client Secret Basic method uses the client credentials as username and password and transports them in an HTTP Basic Authentication header, allowing the Onegini IDP to be correctly recognised and authenticated as the RP by the OIDC IdP.
Private key JWT
The Private key JWT client authentication method uses the current signing key to sign the JWT; please check the Configure JWT Keys chapter for more details. You also need to ensure that the OpenID Provider (OP) has access to the public keys exposed by the Onegini IDP via the JWKs URI. The Onegini IDP, acting as Relying Party (RP), creates and signs a JWT which is validated by the IdP in order to prove its authenticity.
Signing and encryption
The Onegini IDP supports encrypted and signed id-tokens and user-info responses. Additionally, you can configure it to strictly require the id-token to be encrypted and signed by selecting the ID Token encryption required configuration option. If you have enabled this property and the OIDC IdP responds with an unencrypted id-token, the authorization flow will fail and the user will not be able to log in.
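As an added example (not Onegini code), the Go functions below show what enforcing that flag amounts to on the RP side: the protected header of the received token is decoded, a 5-part JWE carrying an enc header counts as encrypted, a 3-part JWS does not, and a token whose alg is missing or none is refused before anything else is looked at. The non-header parts of the constructed tokens are placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JOSEHeader is the protected header of a compact JWS or JWE ("enc" only on a JWE).
type JOSEHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// InspectToken decodes the protected header and reports whether the token is a
// JWE (5 parts with "enc") or a JWS (3 parts). Unsigned tokens are refused.
func InspectToken(tok string) (hdr JOSEHeader, encrypted bool, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 && len(parts) != 5 {
		return hdr, false, errors.New("not a compact JWS or JWE")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil {
		err = json.Unmarshal(raw, &hdr)
	}
	if err != nil {
		return hdr, false, err
	}
	if hdr.Alg == "" || strings.EqualFold(hdr.Alg, "none") {
		return hdr, false, errors.New("alg is missing or none; token rejected")
	}
	return hdr, len(parts) == 5 && hdr.Enc != "", nil
}

// CheckIDToken enforces the "ID Token encryption required" flag: when it is
// set, a merely signed id-token fails the flow, as described above.
func CheckIDToken(tok string, encryptionRequired bool) error {
	_, encrypted, err := InspectToken(tok)
	if err == nil && encryptionRequired && !encrypted {
		err = errors.New("id-token is signed but not encrypted; encryption is required")
	}
	return err
}

// HeaderToken builds a constructed token from a JSON header and a part count;
// the remaining parts are placeholders ("x") because only the header is inspected.
func HeaderToken(header string, parts int) string {
	return base64.RawURLEncoding.EncodeToString([]byte(header)) + strings.Repeat(".x", parts-1)
}
```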
JWKs Uri
The Onegini IDP supports key rotation and allows OIDC IdPs to dynamically discover the currently active certificates which should be used in the signature validation process.
The JWKs URI can be found under the /oidc/.well-known/jwks.json path (e.g. http://idp-core.dev.onegini.me/oidc/.well-known/jwks.json).
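Both sides of the Private key JWT method described above, as an added Go example that is not Onegini code: the RP signs the client assertion with its current key and names that key by kid, and the OP selects the public key by kid from the RP's published JWKS, which is what lets the key rotation described in this section work without reconfiguration. ES256 (P-256) is assumed as the algorithm; the client_id, key ids and endpoint URLs in the accompanying usage are constructed values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// NewRPKey generates a fresh P-256 signing key, as the RP does on key rotation.
func NewRPKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func digest(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }
// SignAssertion is the RP side: kid names the key so the OP can find it at the RP's JWKS URI.
func SignAssertion(key *ecdsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest(input))
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS R||S form
	return input + "." + b64.EncodeToString(sig)
}

// VerifyAssertion is the OP side: pin alg, pick the key by kid from the RP's JWKS,
// verify the signature before reading claims, then check iss/sub, aud and exp.
func VerifyAssertion(tok string, jwks map[string]*ecdsa.PublicKey, clientID, tokenEndpoint string, now int64) (claims map[string]interface{}, err error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if raw, e := b64.DecodeString(parts[0]); len(parts) != 3 || e != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("not a compact JWS with alg ES256")
	}
	sig, err := b64.DecodeString(parts[2])
	pub := jwks[hdr.Kid]
	if pub == nil || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest(parts[0]+"."+parts[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("unknown kid or invalid signature")
	}
	if raw, e := b64.DecodeString(parts[1]); e != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	exp, _ := claims["exp"].(float64)
	if claims["iss"] != clientID || claims["sub"] != clientID || claims["aud"] != tokenEndpoint || float64(now) >= exp {
		return nil, errors.New("iss, sub, aud or exp check failed")
	}
	return claims, nil
}
```

A production OP additionally records each jti and rejects a repeated one, so a captured assertion cannot be replayed within its lifetime.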