OpenID Connect Identity Provider
OpenID Connect (OIDC) is a standard published in 2014 that is built on top of OAuth 2.0. It provides support for user authentication and, among other things, allows clients to obtain end-user identity attributes in an interoperable manner and to manage multiple sessions. It is meant to be a lightweight, modern, JSON-based alternative to SAML.
The OpenID Connect specification defines the Relying Party (RP), an OAuth 2.0 Client requiring End-User authentication, and the OpenID Provider (OP), an OAuth 2.0 Authorization Server which performs this authentication. As a result of successful authentication the OpenID Provider issues an ID Token, a JSON Web Token (JWT) containing a set of claims, i.e. user identity attributes.
The Onegini IdP can act as an OIDC RP, allowing users to authenticate against an external OIDC IdP through regular login, signup or automatic signup.
This chapter will guide you through all steps that are required to fully configure and use an external OIDC IdP with the Onegini IdP.
To successfully complete this topic guide you need to ensure the following prerequisites:
- An Onegini IdP instance must be running; for the sake of this guide we assume it is available under the http://idp-core.dev.onegini.me address
- The external IdP (Identity Provider of OIDC type) must be running externally from the Onegini IdP
Configure external OIDC IdP in Onegini IdP
To register a new IdP of OIDC type, visit the http://idp-core.dev.onegini.me:8082/admin page and log in to the Onegini IdP admin console. Select the Config menu option and navigate to the Identity Providers tab. Hit the + button to create a new Identity Provider configuration. Fill in the form as follows:
- Type: open the dropdown list and select the OIDC type
- Name: name your OIDC IdP instance
- Authentication Level: choose the desired authentication level
- Enabled: mark your Identity Provider as enabled
- Synchronise Attributes: flag indicating whether the Onegini IdP should synchronise the person's profile attributes with the ones retrieved from the OIDC IdP
- Client Authentication Method: the Onegini IdP can be configured to authenticate against the OIDC IdP either using client credentials (Client Secret Basic) or a signed JWT (Private key JWT); the subsections below explain in more detail how to configure and use both
- Client ID: the client identifier as configured within the OIDC IdP
- Client Secret: required only for the Client Secret Basic client authentication method
- Manual metadata setup: flag indicating whether the data for the authentication flow is provided manually or, when disabled, fetched automatically from the discovery URL
- The following fields are available when Manual metadata setup is disabled (the default behaviour):
  - Discovery URL: the location of the discovery endpoint, following the well-known semantics described in the OIDC specification
  - Metadata Expiration Time: time period in seconds specifying how long metadata fetched from the Discovery URL is kept in Redis. The value kept in Redis is automatically refreshed when the IdP configuration is updated.
- The following fields are available when Manual metadata setup is enabled:
  - Authorization URL: URL where authorization takes place
  - IDToken URL: URL where the ID Token is requested
  - UserInfo URL: URL where UserInfo is requested
  - JWKS URL: URL where the JSON Web Key Set is published
  - Issuer: expected issuer value received in the ID Token
  - End session URL: URL where the user can end the session
- Scopes: list of scopes that should be requested from the OIDC IdP during the authorization flow; the openid scope is always sent by default
- Claims: additional claims that should be requested from the OIDC IdP during the authorization flow; note that some claims are also represented by standard scopes as described in the OIDC specification
- ID Token encryption required: flag indicating whether the Onegini IdP strictly requires the id-token to be encrypted; see the Signing and encryption section for more details
- UserInfo encryption required: flag indicating whether the Onegini IdP strictly requires the UserInfo response to be encrypted; see the Signing and encryption section for more details
- Front channel logout: flag indicating whether this Identity Provider participates in the logout process
Client Secret Basic
The Client Secret Basic method uses the client credentials as a username and password and transports them in an HTTP Basic Authentication header, allowing the Onegini IdP to be correctly recognised and authenticated as an RP by the OIDC IdP.
Private key JWT
The Private key JWT client authentication method uses the current signing key to sign the JWT; see the Configure JWT Keys chapter for more details. You also need to ensure that the OpenID Provider (OP) has access to the public keys exposed by the Onegini IdP via its JWKS URI. The Onegini IdP, acting as Relying Party (RP), creates and signs a JWT which is validated by the OIDC IdP in order to prove its authenticity.
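The two client authentication methods above, as an added example that is not Onegini code: it builds the Basic header for Client Secret Basic (with the form-urlencoding RFC 6749 requires), builds and signs the client assertion used by Private key JWT, and shows the checks the OP side performs on that assertion (iss/sub, aud, exp, one-time jti, rejection of alg none). The client id, token endpoint, key id and the HMAC stand-in signer are constructed assumptions; the real method signs with the RP's asymmetric key published on its JWKS URI, which the standard library cannot do, so the signer is pluggable.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import quote

# Constructed sample values (not from the page): RP client id, OP token endpoint.
CLIENT_ID = "onegini-idp-rp"
TOKEN_ENDPOINT = "https://op.example.test/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Authorization header for client_secret_basic (RFC 6749 section 2.3.1).
    Both values are form-urlencoded before joining, so a ':' or a non-ASCII
    character in the secret cannot corrupt the credential pair."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def client_assertion_claims(client_id: str, token_endpoint: str, now: int, lifetime: int = 60) -> dict:
    """Claim set for private_key_jwt: iss and sub are the client id, aud is the
    token endpoint, jti is a one-time nonce and exp keeps the assertion short-lived."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}


def build_client_assertion(claims: dict, alg: str, kid: str, signer) -> str:
    """Serialise header.payload and sign the signing input with `signer`.
    `kid` names the RP's current key so the OP can pick it after a rotation."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_request_body(code: str, redirect_uri: str, assertion: str) -> dict:
    """Token request form fields for private_key_jwt (RFC 7523 section 2.2);
    note that no client secret travels with the request."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


def validate_client_assertion(assertion: str, client_id: str, token_endpoint: str,
                              verifier, seen_jtis: set, now: int) -> dict:
    """OP-side checks: signature first, then the claims. Raises ValueError
    naming the failed check so rejections can be logged."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg", "none") == "none":
        raise ValueError("unsigned assertion rejected")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    if not verifier(header, signing_input, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss/sub do not match the authenticating client")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud is not this token endpoint")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    if claims.get("jti") in seen_jtis:
        raise ValueError("jti replayed")
    seen_jtis.add(claims["jti"])
    return claims


# Stand-in HMAC signer/verifier so the block runs with the standard library only.
# It models "sign with the current key, look the key up by kid"; the real method
# uses the RP's asymmetric signing key (e.g. RS256/ES256).
_DEMO_KEYS = {"rp-key-1": secrets.token_bytes(32)}  # constructed key id


def demo_signer(signing_input: bytes) -> bytes:
    return hmac.new(_DEMO_KEYS["rp-key-1"], signing_input, hashlib.sha256).digest()


def demo_verifier(header: dict, signing_input: bytes, signature: bytes) -> bool:
    key = _DEMO_KEYS.get(header.get("kid"))
    return key is not None and hmac.compare_digest(
        hmac.new(key, signing_input, hashlib.sha256).digest(), signature)
```

The jti set is the part most often skipped in practice: without it a captured assertion can be replayed for its whole lifetime, which is why the claim set also keeps `exp` within a minute.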
Signing and encryption
The Onegini IdP supports encrypted and signed id-tokens and user-info responses. Additionally, you can configure it to strictly require the id-token to be encrypted and signed using the ID Token encryption required configuration option. If you have enabled this property and the OIDC IdP responds with an unencrypted id-token, the authorization flow will fail and the user will not be able to log in.
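The discovery fields (Discovery URL, Metadata Expiration Time) and the ID Token encryption required flag described above, as an added example that is not Onegini code: it validates a discovery document before caching it (the issuer must match the one the document was fetched for, the endpoints the RP needs must be present and https), tracks the cache expiry, and then applies the encryption-required gate by inspecting the ID token's protected header, failing the flow on a plain JWS when encryption is demanded and on alg none always. The issuer, endpoints and tokens are constructed sample values; the token segments are placeholders, since only the JOSE header matters for this check.

```python
import base64
import json

# Constructed discovery document shaped like a real
# <issuer>/.well-known/openid-configuration response (sample values only).
ISSUER = "https://op.example.test"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/jwks",
    "end_session_endpoint": ISSUER + "/logout",
    "id_token_signing_alg_values_supported": ["RS256"],
    "id_token_encryption_alg_values_supported": ["RSA-OAEP"],
    "id_token_encryption_enc_values_supported": ["A256GCM"],
}

# Endpoints the RP cannot run the flow without; they mirror the manual-setup fields.
REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_metadata(expected_issuer: str, document: dict, ttl_seconds: int, now: int) -> dict:
    """Validate a discovery document before caching it.
    OIDC Discovery requires `issuer` to equal the issuer the document was fetched
    for; accepting a mismatch would let a rogue document redirect the whole flow.
    The TTL models the Metadata Expiration Time setting."""
    if document.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {document.get('issuer')!r}")
    missing = [k for k in REQUIRED if not document.get(k)]
    if missing:
        raise ValueError("discovery document lacks " + ", ".join(missing))
    for key in REQUIRED:
        if not document[key].startswith("https://"):
            raise ValueError(f"{key} is not https")
    return {"metadata": document, "expires_at": now + ttl_seconds}


def metadata_is_fresh(entry: dict, now: int) -> bool:
    """True while the cached copy may be used; the caller refetches otherwise."""
    return now < entry["expires_at"]


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_kind(token: str) -> str:
    """Classify a compact-serialised token by its protected header: JWE has five
    segments and an `enc` header, JWS has three. alg none is never accepted,
    because an ID token must be signed."""
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    if len(parts) == 3 and "enc" not in header:
        if header.get("alg", "none") == "none":
            raise ValueError("unsigned ID token rejected")
        return "JWS"
    raise ValueError("not a compact JWS or JWE")


def accept_id_token(token: str, encryption_required: bool) -> str:
    """Gate implementing the 'ID Token encryption required' flag: with the flag on,
    a plain JWS fails the flow before any decryption or signature verification
    (those steps follow this check)."""
    kind = jose_kind(token)
    if encryption_required and kind != "JWE":
        raise ValueError("ID token encryption required but a plain JWS was received")
    return kind


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _segments(*parts: bytes) -> str:
    return ".".join(_b64url(p) for p in parts)


# Constructed tokens: the JOSE headers are real in shape, the other segments are
# placeholder bytes rather than genuine signatures, keys or ciphertext.
SIGNED_ONLY = _segments(b'{"alg":"RS256","kid":"op-1"}', b'{"sub":"u1"}', b"sig")
ENCRYPTED = _segments(b'{"alg":"RSA-OAEP","enc":"A256GCM","kid":"op-1"}', b"ek", b"iv", b"ct", b"tag")
UNSIGNED = _segments(b'{"alg":"none"}', b'{"sub":"u1"}', b"")
```

Checking the issuer and the https scheme at load time, rather than trusting whatever the discovery endpoint returned, is what keeps the automatic setup as safe as the manual one; the token-kind gate is the RP-side counterpart of the configuration flag and runs before the expensive cryptographic steps.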
The Onegini IdP supports key rotation and allows OIDC IdPs to dynamically discover the currently active certificates which should be used in the signature validation process.
The JWKS URI can be found under