OpenID Connect Relying Party partner properties
Define these properties when we configure an OpenID Connect Relying Party partner.
- Client ID
- Value used to identify this Relying Party at the OpenID Connect (OIDC) Provider. This value is required.
- Client Secret
- Value used in combination with the Relying Party to authenticate at the OIDC Provider. Not specifying a Client Secret indicates the client is public. Required to perform the Authorization Code grant, and to complete signing.
- Metadata Endpoint
- The /metadata endpoint URL of the OIDC Provider.
- Issuer Identifier
The expected value of the iss claim in a JWT. If this value does not match the contents of the JWT, then the authentication is rejected.
- Response Types
An array of elements that specify the flow type to run when a metadata URL is specified. The flow types are authorization code, implicit flow, or any hybrid flow.
- code
- id_token
- token
For information, see OAuth 2.0 and OIDC workflows.
- Authorization endpoint URL
The /authorization endpoint used to start the OpenID Connect flow at the OIDC Provider.
- Token endpoint URL
- The /token endpoint used to exchange an authorization code for an ID token and access token. Required if code response type is selected. Required to perform the Authorization Code grant. Requires a client secret to be set.
- Signature Algorithm
- Algorithm used to validate the JWT. See the next table for a list of valid values.
| Digital Signature or MAC Algorithm | JWS alg parameter value | Notes |
|---|---|---|
| HMAC using SHA-2 | HS256, HS384, HS512 | Performs symmetric signing with the use of a client secret. A client secret is required. |
| RSASSA-PKCS1-V1_5 Digital Signatures with SHA-2 | RS256, RS384, RS512 | Performs asymmetric signing with the use of certificates. A JWK endpoint URL or a Signing Key keystore and label is required to perform RS256, RS384, and RS512 signing. RS256 is the default algorithm. |
| Elliptic Curve Digital Signatures (ECDSA) with SHA-2 | ES256, ES384, ES512 | Requires a certificate. |
| none | none | No signing is performed on the issued JWT. |
Signature validation behavior is determined by whether the Relying Party (RP) partner uses the OpenID Provider metadata.
- If the RP partner uses the OpenID Provider's metadata, and the metadata publishes more than one supported signing algorithm, then the RP uses its partner configuration to validate the signature.
- If the RP partner uses the OpenID Provider's metadata, and the metadata publishes only one supported signing algorithm, then the RP uses that single signing algorithm (as published by OpenID Provider's metadata) to validate the signature.
- If the RP partner does not use the OpenID Provider's metadata, then the RP uses its partner configuration to validate the signature.
For information, see https://bitbucket.org/b_c/jose4j/wiki/Home.
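The three metadata rules above, together with the Issuer Identifier check, as an added illustration (not Security Verify Access code): `select_signing_alg` picks the algorithm the RP must verify with, and `verify_hs_id_token` then refuses any token whose own `alg` header differs from that choice, checks an HS256/HS384/HS512 signature with the client secret, and rejects a mismatched `iss` claim. `make_hs_token` is a constructed helper that mints a test token; all names and the `https://op.example` issuer are assumptions.

```python
import base64
import hashlib
import hmac
import json

_HMAC_HASH = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def select_signing_alg(use_metadata, metadata_algs, partner_alg):
    """Choose the algorithm to verify with, following the three rules above:
    a single algorithm published in metadata wins; otherwise the partner configuration."""
    if use_metadata and len(metadata_algs) == 1:
        return metadata_algs[0]
    return partner_alg


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs_id_token(token, client_secret, expected_alg, expected_iss):
    """Verify an HS256/384/512 JWS with the client secret and check the iss claim.
    Returns the claims, or raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The token's own alg header is untrusted input: it must equal the selected algorithm.
    if expected_alg not in _HMAC_HASH or header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    mac = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode(), _HMAC_HASH[expected_alg]).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    return claims


def make_hs_token(claims, client_secret, alg="HS256"):
    """Constructed helper that mints a token the way an OP would, for local testing only."""
    h64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), f"{h64}.{p64}".encode(), _HMAC_HASH[alg]).digest()
    return f"{h64}.{p64}.{_b64url_encode(mac)}"
```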
- Use checked-in certificate
- Select this check box on the JWT Signature Verification page to use a certificate from an existing keystore for signing. If we select this option, we must select a keystore from the Certificate Database menu, and select a certificate from the Certificate Label field.
If we select this option, we cannot select the JWK Endpoint URL option.
- Use JWK endpoint
- Select this check box on the JWT Signature Verification page to use the JWK endpoint of the OIDC provider. If we select this check box, we do not need to specify a Verification Certificate (Certificate Database and Certificate Label).
- Certificate Database
- When the signature algorithm requires a certificate, this property is the keystore that contains the selected certificate to perform the signing. When the signature algorithm does not require a certificate, this property is invalid. We cannot specify a Certificate Database when we specify a Use JWK Endpoint.
- Certificate Label
- When the signature algorithm requires a certificate, this property is the alias of the public key in the selected keystore (certificate database) to use in signature verification. We cannot specify a Certificate Label when we specify a JWK Endpoint URL.
- JWK Endpoint URL
- When the signature algorithm requires a certificate, this property is the JWK Endpoint of the OIDC provider. However, if the metadata endpoint is specified, the JWK URL can be read from metadata information.
This field is required if we do not specify a Use checked-in certificate and we specify an algorithm that requires JWT signatures.
- Key Management Algorithm
- The key management algorithm to use for JWT Decryption. The next table lists the supported algorithms.
| Key Management Algorithm | JWE alg parameter value |
|---|---|
| The default value | none |
| Direct encryption with a shared symmetric key | dir |
| AES key wrap | A128KW, A192KW, A256KW |
| AES GCM key encryption | A128GCMKW, A192GCMKW, A256GCMKW |
| Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF | ECDH-ES |
| Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |
| RSAES-PKCS1-V1_5 key encryption | RSA1_5 |
| RSAES using OAEP key encryption | RSA-OAEP, RSA-OAEP-256 |
- When the selected algorithm requires a certificate, such as RSA or ECDH algorithms, both the Certificate Database and Certificate Label for the Decryption Certificate must be specified.
- For information, see https://bitbucket.org/b_c/jose4j/wiki/Home.
- Content Encryption Algorithm
The content encryption algorithm to use. The next table lists the supported algorithms.
| Content Encryption Algorithm | JWE "enc" parameter value |
|---|---|
| The default value | none |
| Authenticated encryption with AES-CBC and HMAC-SHA2 | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
| Authenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) | A128GCM, A192GCM, A256GCM |
- If the key management algorithm is set to a value other than none, the content encryption algorithm must also be a value other than none.
- For information, see https://bitbucket.org/b_c/jose4j/wiki/Home.
- Decryption Certificate - Certificate Database
When the key management algorithm requires a certificate, this property is the certificate database (keystore) which contains the selected certificate to perform JWT decryption. When the key management algorithm does not require a certificate, this property is invalid.
- Decryption Certificate - Certificate Label
When the key management algorithm requires a certificate, this property is the alias of the private key in the selected keystore to perform JWT decryption.
- Scope
An array of strings that identify the scopes to request from the provider. The array must contain openid.
The default value is openid.
- Userinfo Request - Perform userinfo request automatically
Boolean setting. Select this check box to specify whether to perform a UserInfo request automatically whenever possible.
Select this option if we want to populate the credential (iv-cred) from both the ID token and UserInfo. However, the /userinfo endpoint is optional for OIDC Providers. If your provider does not support the UserInfo endpoint, Security Verify Access cannot complete the request.
Keep in mind that a goal of Relying Parties is to retrieve user information, such as given_name, family_name, and birthdate, and then populate the credential. The user information is obtained from the ID token and, if the OIDC Provider supports the /userinfo endpoint, from the UserInfo response. The information that is returned in an ID token can differ from the information in /userinfo.
We can choose to populate the credential solely from the ID token that is returned during the selected flow. However, some flows do not have an ID token, such as response_type=token. (The response_type can be any combination of code, token, and id_token.) Choose whether to perform the userinfo request automatically depending on whether your deployment provides /userinfo.
- Token Endpoint Authentication Method
- The token endpoint authentication method. Valid values:
- client_secret_basic
- client_secret_post
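The dependencies between the properties above (Client Secret, Response Types, Token endpoint, signature algorithm, certificate source, key management versus content encryption, Scope, and the token endpoint authentication method) are easy to get wrong in isolation. As an added example that is not part of the product, `lint_partner` encodes those rules as a consistency check over a constructed `RpPartner` record; the field names are assumptions chosen to mirror the property names on this page.

```python
from dataclasses import dataclass


@dataclass
class RpPartner:
    """Constructed subset of the partner properties described on this page."""
    client_id: str
    client_secret: str = ""                 # empty means a public client
    response_types: tuple = ("code",)
    token_endpoint: str = ""
    signature_alg: str = "RS256"            # RS256 is the page's default
    use_checked_in_cert: bool = False
    use_jwk_endpoint: bool = False
    certificate_label: str = ""
    key_management_alg: str = "none"
    content_encryption_alg: str = "none"
    scope: tuple = ("openid",)
    token_endpoint_auth_method: str = "client_secret_basic"


def lint_partner(p):
    """Return the list of rule violations; an empty list means the configuration is consistent."""
    errs = []
    if not p.client_id:
        errs.append("Client ID is required")
    if "openid" not in p.scope:
        errs.append("Scope must contain openid")
    if "code" in p.response_types and not p.token_endpoint:
        errs.append("code response type requires a Token endpoint URL")
    if ("code" in p.response_types or p.token_endpoint) and not p.client_secret:
        errs.append("the Authorization Code grant and the Token endpoint require a Client Secret")
    if p.signature_alg.startswith("HS") and not p.client_secret:
        errs.append(p.signature_alg + " performs symmetric signing and needs a Client Secret")
    has_keystore_cert = p.use_checked_in_cert and bool(p.certificate_label)
    if p.signature_alg[:2] in ("RS", "ES") and not (p.use_jwk_endpoint or has_keystore_cert):
        errs.append(p.signature_alg + " needs a JWK endpoint or a checked-in certificate with a label")
    if p.use_checked_in_cert and p.use_jwk_endpoint:
        errs.append("Use checked-in certificate and Use JWK endpoint cannot both be selected")
    if p.key_management_alg != "none" and p.content_encryption_alg == "none":
        errs.append("a Key Management Algorithm other than none needs a Content Encryption Algorithm")
    if p.token_endpoint_auth_method not in ("client_secret_basic", "client_secret_post"):
        errs.append("unsupported Token Endpoint Authentication Method")
    return errs
```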
- Attribute Mapping
We can use the Attribute Mapping page to define new attributes that can be used to customize claims from attribute sources. Attribute sources can be Fixed, Credential, or LDAP.
To create a new mapping, select New and enter Attribute Name. Select Attribute Source type.
To remove an existing Attribute Name, select the attribute and click Delete.
- Identity mapping
Identity mapping options
- Use the identity mapping configured for this partner's federation
- Do not perform identity mapping
- Use JavaScript transformation for identity mapping
- Use an external web service for identity mapping
If we configure an identity provider, this mapping specifies how to create an assertion containing attributes mapped from a local user account.
If we configure a service provider, this mapping specifies how to match an assertion from the partner to the local user accounts. If we choose JavaScript for mapping, on a subsequent page, we are asked to select the JavaScript file to use. If we choose an external web service, on a subsequent page, we are asked to provide the following information:
- URI format (HTTP or HTTPS)
- Web service URI
- Server Certificate database, if the URI format is HTTPS.
- Client authentication type, if the URI format is HTTPS.
- Message format:
- XML
- WS-Trust
- Advanced Configuration
- Use this configuration to customize the request. Supported options:
- Use the advanced configuration configured for this partner's federation
- Advanced configuration is not required.
- Use JavaScript for advanced configuration
We can use JavaScript to create mapping rules that add optional parameters to OpenID Connect requests. OpenID Connect requests can contain optional request parameters, as supported by the OIDC Provider, for example max_age, acr_values, and claims.
If we choose to use JavaScript, the federation wizard displays existing advanced configuration mapping rules. Select the existing (already defined) JavaScript mapping rule containing the advanced configuration to use.