itsme Identity Provider
itsme is an identity provider that provides a digital profile for adult Belgian citizens. itsme is built on top of the OpenID Connect (OIDC) standard.
The OpenID Connect specification defines the Relying Party (RP), an OAuth 2.0 Client requiring End-User authentication, and the OpenID Provider (OP), an OAuth 2.0 Authorization Server which performs this authentication. As a result of a successful authentication the OpenID Provider issues an ID Token, which is a JSON Web Token (JWT) containing a set of claims, i.e. user identity attributes.
The Onegini IdP can act as an OIDC RP, allowing the user to authenticate against an external OIDC IdP by performing a regular login, signup or automatic signup.
This chapter will guide you through all steps that are required to fully configure and use an external itsme IdP with the Onegini IdP.
itsme requirements
itsme requires the Relying Party to be running on HTTPS.
Prerequisites
To successfully complete this topic guide you need to ensure the following prerequisites are met:
- An Onegini IdP instance must be running; for the sake of this guide we assume it is available at the address https://idp-core.dev.onegini.me
Configure external itsme IdP in Onegini IdP
To register a new IdP of the itsme type, visit the https://idp-core.dev.onegini.me:8445/admin page and log in to the Onegini IdP admin console. Select the Configuration menu option and navigate to the Identity Providers tab. Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:
- Type - open the dropdown list and select itsme
- Name - name your itsme IdP instance
- Authentication Level - choose the desired authentication level
- Enabled - mark your Identity Provider as enabled
- Synchronise Attributes - flag indicating whether the Onegini IdP should synchronize the person's profile attributes with the ones retrieved from the itsme IdP
- Client ID - the client identifier as configured within the itsme IdP
- Login Service Code - the Login Service that you received from itsme after registering your application
- Security Level - choose the security level that should be used when authenticating with itsme
- Discovery URL - the location of the discovery endpoint following the well-known semantics as described in the OIDC specification
- Metadata Expiration Time - time period in seconds specifying how long metadata fetched from the Discovery URL is kept in Redis. The value kept in Redis is automatically refreshed when the IdP is updated.
- Scopes - list of scopes which should be requested from the OIDC IdP during the authorization flow; the openid scope is always sent by default
- Claims - additional claims that should be requested from the OIDC IdP during the authorization flow; note that some claims are also represented by standard scopes
- Front channel logout - flag indicating whether this Identity Provider will participate in the logout process as described in the OIDC specification
itsme callback URI
itsme requires a callback URI to be registered for an application. The value you should register is https://idp-core.dev.onegini.me/connect/auth/itsme/callback
Custom attribute mapping
The Custom attribute mapping section allows you to map a claim name returned in the user-info response to an attribute with a custom name. If the requested claim is present in the user-info response, its value will be saved as a custom attribute and will be returned in the SAML response.
Signing and encryption
The Onegini IdP expects encrypted and signed ID tokens and user-info responses when using itsme.
Decryption and signature verification are performed using the keys and the JWKS URI that can be displayed in the admin console under Configuration -> System -> JWT Key Configuration.
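As an added example (not Onegini's or itsme's own code), the following shows how an RP assembles the authorization request described by the Scopes and Claims fields above, with the openid scope always sent and the registered callback URI as redirect_uri, and which claim checks it must still make on the ID token after it has been decrypted and its signature verified against the JWKS. The client ID and the discovery document are constructed placeholders.

```python
import json
import secrets
import time
from urllib.parse import urlencode

CLIENT_ID = "example-client-id"  # constructed placeholder, not a real itsme client id
CALLBACK = "https://idp-core.dev.onegini.me/connect/auth/itsme/callback"
# Constructed stand-in for the document fetched from the Discovery URL
DISCOVERY = {"issuer": "https://op.example",
             "authorization_endpoint": "https://op.example/authorize"}


def build_authorization_url(scopes, claims=None, state=None, nonce=None):
    """Build the RP's authorization request; 'openid' is always sent first."""
    scope = " ".join(["openid"] + [s for s in scopes if s != "openid"])
    state = state or secrets.token_urlsafe(16)  # ties the callback to this browser session
    nonce = nonce or secrets.token_urlsafe(16)  # must reappear inside the ID token
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK,
              "scope": scope, "state": state, "nonce": nonce}
    if claims:
        # OIDC 'claims' request parameter: JSON asking for extra userinfo claims
        params["claims"] = json.dumps({"userinfo": {c: None for c in claims}})
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def validate_id_token_claims(payload, expected_nonce, now=None):
    """Checks on an ID token payload that already passed decryption and signature
    verification; returns (ok, reason). Signature checks alone do not cover these."""
    now = now if now is not None else int(time.time())
    aud = payload.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if payload.get("iss") != DISCOVERY["issuer"]:
        return False, "issuer does not match discovery document"
    if CLIENT_ID not in (aud or []):
        return False, "token not issued for this client"
    if payload.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or missing exp"
    return True, "ok"
```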