Set up the OIDC Definition API
To configure an API protection definition to be OIDC OP conformant and Financial Grade API (FAPI) compliant, ensure that the OIDC Compliant and FAPI Compliant flags are checked. See OIDC Definition and WebSEAL OAuth Config. Follow the guidelines below and the configuration steps in this topic to be fully conformant:
- For both FAPI and OIDC:
  - Ensure the OIDC well-known endpoint is configured. See OpenID Connect Discovery.
- For FAPI only:
  - Ensure that each client has a certificate and that the public portion of that certificate is added to the rt_profile or signing SSL database (required for Request JWT validation). The same client certificate can be added to the pdsrv or WebSEAL SSL database for MTLS. Ensure the certificate used for JWT validation is ES256 to meet FAPI requirements. See Configure FAPI Client.
  - FAPI requires that JWTs be signed with ES256. Use a certificate whose key supports that algorithm to be FAPI compliant.
  - Update the Discovery Endpoint. The following parameters must be added to metadata.json:
    "claims_supported":["realmName","preferred_username","given_name","uid","upn","groupIds","employee_id","name","tenantId","mobile_number","department","job_title","family_name","email","acr"],
    "tls_client_certificate_bound_access_tokens":<%var supported = true;templateContext.response.body.write(supported);%>
  - Set the [session] stanza entry 'require-mpa' to 'yes' in WebSEAL. This ensures that HTTP headers are not valid session keys or authentication tokens unless they are received through an MPA. In FAPI, this functionality can be used to ensure that each token and the certificate information are built into one unique session without any form of session caching.
  - Set Point of Contact to Access Manager Credential.
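As an added example (not IBM's code or part of this page), a Python check that can be run against the rendered well-known document to confirm that the two Discovery Endpoint parameters above came out as intended: the claim list is complete and tls_client_certificate_bound_access_tokens is the JSON literal true rather than the string "true", which is what you get if the template output ends up quoted. The ES256 check uses the standard Discovery field request_object_signing_alg_values_supported, which this page does not mention; the issuer URL and both sample documents are constructed.

```python
import json

# Claims this page requires in claims_supported of the FAPI discovery document.
REQUIRED_CLAIMS = {
    "realmName", "preferred_username", "given_name", "uid", "upn", "groupIds",
    "employee_id", "name", "tenantId", "mobile_number", "department",
    "job_title", "family_name", "email", "acr",
}


def check_fapi_discovery(doc: dict) -> list:
    """Return a list of findings for a parsed discovery document; empty means pass."""
    findings = []
    missing = REQUIRED_CLAIMS - set(doc.get("claims_supported", []))
    if missing:
        findings.append("claims_supported missing: " + ", ".join(sorted(missing)))
    # The metadata.json template must emit the JSON literal true, not the string "true".
    bound = doc.get("tls_client_certificate_bound_access_tokens")
    if bound is not True:
        findings.append("tls_client_certificate_bound_access_tokens is %r, expected true" % (bound,))
    # Standard Discovery field; assumed to be advertised by the OP (not stated on this page).
    algs = doc.get("request_object_signing_alg_values_supported") or []
    if "ES256" not in algs:
        findings.append("request_object_signing_alg_values_supported lacks ES256")
    return findings


def check_fapi_discovery_text(raw: str) -> list:
    """Parse the raw well-known response body and check it."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return ["discovery document is not valid JSON: %s" % exc]
    return check_fapi_discovery(doc)


# Constructed sample: what a correctly rendered document should contain.
GOOD_DOC = json.dumps({
    "issuer": "https://op.example.com",  # placeholder issuer
    "claims_supported": sorted(REQUIRED_CLAIMS),
    "tls_client_certificate_bound_access_tokens": True,
    "request_object_signing_alg_values_supported": ["ES256"],
})

# Constructed sample: template wrote the string "true", one claim is missing, wrong alg.
BAD_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "claims_supported": sorted(REQUIRED_CLAIMS - {"acr"}),
    "tls_client_certificate_bound_access_tokens": "true",
    "request_object_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    for name, raw in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_fapi_discovery_text(raw) or "PASS")
```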
OIDC Compliance is a prerequisite for FAPI Compliance. The following items are configured when the OIDC Compliant or FAPI Compliant flags are checked.
More information on the functionality each item provides can be found in OpenID Connect Provider Conformance and FAPI Conformance.
The following are configured when the OIDC Compliant flag is checked in the API Protection definition.
- OIDC Conformance (OIDC definition)
- Access Policy - max_age and prompt=none
- Map Rule - authenticationTime
- Map Rule - produce_userinfo_jwt
- Map Rule - redirect_uri
- Map Rule - nonce
- Map Rule - assert_no_code_reuse
- STS Chain - Userinfo as JWT
- STS Chain - Request JWT (a module for the mapping rule that validates the Request Object is added by default; this code only runs if the FAPI flag is turned on in the definition)
- STS Chain - Client Authentication
- FAPI Conformance
The following items are configured when the FAPI Compliant flag is checked in the WebSEAL OAuth and OpenID Connect Provider Configuration and in the API Protection definition, respectively.
- WebSEAL - OAuth and OpenID Connect Provider Configuration (FAPI Compliant flag)
  - Authentication Mechanism - FAPI Cert Authentication with FAPI_CertEAI.js (available by default in Verify Access 10)
  - WebSEAL Config - Configure FAPI Cert EAI
  - WebSEAL Config - Configure HTTP Transformation for Sample Resource Endpoint
  - Access Policy - isam_oauth_unauth acl to junction/sps/auth
  - STS Chain - Request JWT (a module for the mapping rule that triggers FAPI_ValidateJWT.js; this code only runs if the FAPI flag is turned on in the definition)
  - FAPI Definition Configuration
- OpenID Connect and API Protection (FAPI Compliant flag)
  - Map Rule - s_hash
  - Map Rule - Disallow response_type code
  - Map Rule - Disallow state in request parameter
  - Access Policy - check for Request JWT in Auth Request
Steps
- OIDC Definition
  - In the appliance dashboard, select Federation > OpenID Connect and API.
  - In the Definitions tab, check the OIDC Compliant and FAPI Compliant check boxes.
- WebSEAL OAuth Config
  - In the appliance dashboard, select Web > Reverse Proxy.
  - Select a reverse proxy instance.
  - Navigate to Manage > AAC and Federation Configuration > OAuth and OpenID Connect Provider Configuration.
  - In the Main tab, check the FAPI Compliant check box.