itsme Identity Provider¶
Itsme is an identity provider that provides digital profile for all adult Belgian citizen. Itsme is built on top of OpenId Connect (OIDC) standard.
OpenId Connect specification defines Relying Party (RP) that is an OAuth 2.0 Client requiring End-User authentication, and OpenID Provider (OP) that is an OAuth 2.0 Authentication Server which performs this authentication. As a result of successful authentication OpenID Provider issues an ID Token which is a JSON Web Token (JWT) compliant JSON containing a set of claims - user identity attributes.
The Onegini IdP can act as an OIDC RP allowing the user to authenticate against external OIDC IdP and by performing regular login, signup or automatic signup.
This chapter will guide you through all steps that are required to fully configure and use an external itsme IdP with Onegini IdP.
Itsme requires Relying Party to be running on https.
To successfully complete this topic guide you need to ensure following prerequisites:
- Onegini IdP instance must be running, for the sake of this guide we assume it's available under https://idp-core.dev.onegini.me address
Configure external itsme IdP in Onegini IdP¶
To register a new IdP of itsme type please visit the https://idp-core.dev.onegini.me:8445/admin page and login to the Onegini IdP admin console. Select
Configuration menu option
and navigate to
Identity Providers tab.Hit the
+ button to create a new Identity Provider configuration. Fill in the form as follows:
Type- open the dropdown list and select
Name- name your itsme IdP instance
Authentication Level- choose desired authentication level
Enabled- mark your Identity Provider as enabled
Synchronise Attributes- flag indicating whether the Onegini IdP should synchronize person's profile attributes with the ones retrieved from itsme Idp.
Client ID- the client identifier as configured within itsme IdP
Login Service Code- Login Service that you received from itsme after registering your application
Security Level- Choose security level that should be used when authenticating in itsme
Discovery URL- the location of the discovery endpoint following the well-known semantics as described in the OIDC specification
Metadata Expiration Time- time period in seconds specifying how long metadata fetched from
Discovery URLis kept in redis. Value kept in redis is automatically refreshed when idp is updated.
Scopes- list of scopes which should be requested during authorization flow from OIDC IdP, the
openidscope is always sent by default
Claims- additional claims that should be requested during the authorization flow from the OIDC IdP, please note that some claims are also represented by standard scopes
Front channel logout- flag indicating whether this Identity Provider will participate in logout process
as described in the OIDC specification
Itsme callback uri¶
Itsme requires a callback uri to be registered for an application. The value you should register is https://idp-core.dev.onegini.me/connect/auth/itsme/callback
Custom attribute mapping¶
Custom attribute mapping section allows you to map retrieved claim name values returned in user-info to attribute with a custom name. If the requested claim in present in the user-info response its value will be saved as a custom attribute and will be returned in SAML response.
Signing and encryption¶
The Onegini IdP expects encrypted and signed id-tokens and user-info responses when using itsme.
Decryption and signature verification is executed with usage of keys and jwks uri that can be displayed in admin console in
JWT Key Configuration.