OpenID Connect Identity Provider

OpenId Connect (OIDC) is a standard published in 2014 that is built on top of the Oauth 2.0. It provides support for user authentication, and among others, allow the clients to obtain end-user identity attributes in an interoperable manner and manage multiple sessions. It is meant to be a lightweight, modern, JSON-based alternative for a SAML.

OpenId Connect specification defines Relying Party (RP) that is an OAuth 2.0 Client requiring End-User authentication, and OpenID Provider (OP) that is an OAuth 2.0 Authentication Server which performs this authentication. As a result of successful authentication OpenID Provider issues an ID Token which is a JSON Web Token (JWT) compliant JSON containing a set of claims - user identity attributes.

The Onegini IdP can act as an OIDC RP allowing the user to authenticate against external OIDC IdP and by performing regular login, signup or automatic signup.

This chapter will guide you though all steps that are required to fully configure and use an external OIDC IdP with Onegini IdP.

Prerequisites

To successfully complete this topic guide you need to ensure following prerequisites:

  • Onegini IdP instance must to be running, for the sake of this guide we assume it's available under http://idp-core.dev.onegini.me address
  • External IdP (Identity Provider of OIDC type) must be running externally from Onegini IdP

Configure external OIDC IdP in Onegini IdP

To register a new IdP of OIDC type please visit the http://idp-core.dev.onegini.me:8082/admin page and login to the Onegini IdP admin console. Select Config menu option and navigate to Identity Providers tab.Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:

  1. Type - open the dropdown list and select OpenID Connect
  2. Name - name your OIDC IdP instance
  3. Authentication Level - choose desired authentication level
  4. Enabled - mark your Identity Provider as enabled
  5. Synchronise Attributes - flag indicating whether the Onegini IdP should synchronize person's profile attributes with the ones retrieved from OIDC Idp.
  6. Client Authentication Method - the Onegini IdP can be configured to authenticate against the OIDC IdP either using client credentials (Client Secret Basic) or signed JWT (Private key JWT), in the subsections below you will more detailed explanations on how to configure and use both.
  7. Client ID - the client identifier as configured within OIDC IdP
  8. Client Secret - required only for Client Secret Basic client authentication method
  9. Manual metadata setup - flag indicating whether data for authentication flow should be provided manually or when disabled, be fetched automatically from discovery URL.

    Following fields are available when Manual metadata setup is disabled (the default behavior):

    • Discovery URL - the location of the discovery endpoint following the well-known semantics as described in the OIDC specification.
    • Metadata Expiration Time - time period in seconds specifying how long metadata fetched from Discovery URL is kept in redis. Value kept in redis is automatically refreshed when idp is updated.

      Following fields are available when Manual metadata setup is enabled:

    • Authorization URL - url when authorization will take place
    • IDToken URL - url where IDToken will be requested
    • UserInfo URL - url where UserInfo will be requested
    • JWKS URL - url where JSON Web Key Set is specified
    • Issuer - expected issuer value received in IDToken
    • End session URL - url where user can end session
  10. Scopes - list of scopes which should be requested during authorization flow from OIDC IdP, the openid scope is always sent by default

  11. Claims - additional claims that should be requested during the authorization flow from the OIDC IdP, please note that some claims are also represented by standard scopes as described in the OIDC specification
  12. ID Token encryption required - flag indicating whether the Onegini IdP will hardly require the id-token to be encrypted, see signing and encryption section for more details
  13. UserInfo encryption required - flag indicating whether the Onegini IdP will hardly require the UserInfo to be encrypted, see signing and encryption section for more details
  14. Front channel logout - flag indicating whether this Identity Provider will participate in logout process

Client Secret Basic

Client Secret Basic method uses credentials as username and password and transports them within Basic Authentication header allowing the Onegini IdP to be correctly recognised and authenticated as RP within OIDC IdP.

Private key JWT

Private key JWT client authentication method uses current signing key to sign the JWT, please check the Configure JWT Keys chapter for more details. Also you need to ensure that the OpenID Provider (OP) has access to the public keys exposed by the Onegini IdP via JWKs URI. The Onegini IdP acting as Relaying Party (RP) creates and signs a JWT which is validated by the IdP in order to proof its authenticity.

Signing and encryption

The Onegini IdP supports encrypted and signed id-tokens and user-info responses. Additionally, you can configure it to hardly require id-token to be encrypted and signed by selecting ID Token encryption required configuration option. In case you have enable this property and the ODIC IdP will respond with unencrypted id-token the authorization flow will fail and user will not be able to successfully login.

JWKs Uri

The Onegini IdP supports key rotation and allows OIDC IdPs to dynamically discover currently active certificates which should be used in signature validation process. The JWKs uri can be found under /oidc/.well-known/jwks.json (ex. http://idp-core.dev.onegini.me/oidc/.well-known/jwks.json) path.