This document is intended to help you configure trust with an OpenID Connect corporate identity provider. In this scenario Identity Authentication acts as a proxy to delegate the authentication to the OpenID Connect corporate identity provider.
Currently only Microsoft Azure is supported as OpenID Connect corporate identity provider.
Identity Authentication can use an OpenID Connect identity provider as an external authenticating authority. Identity Authentication thus acts as a proxy to delegate authentication to the external corporate identity provider. The requests for authentication sent by the relying party will be forwarded to the corporate identity provider.
As an identity provider proxy, Identity Authentication acts as an OpenID identity provider to the relying party and as a relying party to the corporate identity provider. Once a user is authenticated at the corporate identity provider, subsequent authentication requests from relying parties that use the same corporate identity provider are not forwarded to it as long as the session at Identity Authentication is active. Identity Authentication issues JSON Web Tokens (JWTs) based on the user data received during the first authentication.
To use Identity Authentication as a proxy to delegate authentication to an external OpenID Connect corporate identity provider you have to configure trust with that corporate identity provider.
To configure trust with the corporate identity provider, follow the procedures below:
Configure Identity Authentication as an application at the corporate identity provider side.
- You have registered Identity Authentication as an application at the corporate identity provider.
- You have created a client secret.
  Use the client credentials of the application's registration for Client ID and Client Secret. Use the corporate identity provider tenant as Issuer. You can retrieve this information by calling the discovery endpoint of the corporate identity provider:
  https://<OpenID-Connect-IdP>/.well-known/openid-configuration
- (For the authorization code flow) You have configured the callback endpoint of the Identity Authentication tenant as Redirect URI:
  https://<tenant_id>.accounts.ondemand.com/oauth2/callback
The information retrieved from the .well-known/openid-configuration endpoint must contain:

| Attribute | Notes |
|---|---|
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Optional. If present, it must be a valid URI. |
| | Optional. |
Configure the corporate identity provider in the administration console for Identity Authentication.
- You are assigned the Manage Corporate Identity Providers role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
- You have registered Identity Authentication as an application at the corporate identity provider.
- Access the tenant's administration console for Identity Authentication by using the console's URL.
  The URL has the following pattern:
  https://<tenant ID>.accounts.ondemand.com/admin
  The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID. For more information about your tenants, see Viewing Assigned Tenants and Administrators.
  If you have configured a custom domain, the URL has the following pattern:
  <your custom domain>/admin
- Under Identity Providers, choose the Corporate Identity Providers tile.
- Select the corporate identity provider that you want to configure.
- Under OpenID Connect Configuration, enter the following information for the corporate identity provider:

| Configuration | Notes |
|---|---|
| Discovery URL | Required. Issuer or metadata URL of the corporate identity provider. |
| Issuer | Optional. Issuer URL of the corporate identity provider. Must use https and be equal to the Issuer in the corporate identity provider's OpenID Connect metadata. |
| Client ID | Required. The Client ID of the application on the corporate identity provider side. |
| Client Authentication Method | Optional. Choose from: Client secret in body (default choice), Client secret in authorization header, Private key JWT. If possible, choose Private key JWT. This choice also allows automatic credential rotation. |
| Client Secret | Required when Client Authentication Method is Client secret in body or Client secret in authorization header. The Client Secret of the application on the corporate identity provider side. |
- Add additional scopes if needed.
  You can have up to 20 scopes. The openid scope is added by default. Each scope can have a length of up to 99 characters.
- Choose the Validate button to check the configuration.
  A client credentials token request is sent to the corporate identity provider to receive a token and thereby validate the client credentials.
- Save your configuration.
  Once the identity provider has been updated, the system displays the message Identity provider <name of identity provider> updated.
- Refresh the OpenID Connect metadata of the corporate identity provider.
  The metadata is refreshed automatically if it is older than 24 hours and there are logons that forward the request to the corporate identity provider.
  By choosing the Refresh Metadata button, you manually refresh the OpenID Connect metadata of the corporate identity provider. Do this when needed.
- Select the configured identity provider as the authenticating identity provider for the application. For more information, see Choose Default Identity Provider for an Application.
- (Optional) Configure the Subject Name Identifier Sent to the OpenID Connect Corporate IdP.
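As an added example (not part of this documentation and not code from Identity Authentication), the script below applies the metadata requirements from the discovery-endpoint table and the Issuer rule from the configuration table, then builds the client credentials token request that the Validate step sends for the two client-secret authentication methods. The attribute names are those of the OpenID Connect Discovery 1.0 specification; which of them the table rows refer to, and the sample discovery document, are assumptions made here.

```python
from base64 import b64encode
from urllib.parse import quote, urlencode, urlparse

# Attribute names from OpenID Connect Discovery 1.0; mapping them to the table rows is an assumption.
REQUIRED_URIS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL_URIS = ("userinfo_endpoint",)

# Constructed sample discovery document; userinfo_endpoint deliberately uses plain http.
SAMPLE_METADATA = {
    "issuer": "https://idp.example.test/tenant-id",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/discovery/keys",
    "userinfo_endpoint": "http://idp.example.test/userinfo",
}

def _is_https_uri(value):
    parsed = urlparse(str(value))
    return parsed.scheme == "https" and bool(parsed.netloc)

def validate_metadata(metadata, configured_issuer=None):
    """Return the problems found; an empty list means the metadata is usable."""
    problems = []
    for name in REQUIRED_URIS:
        if name not in metadata:
            problems.append(f"missing required attribute {name}")
        elif not _is_https_uri(metadata[name]):
            problems.append(f"{name} is not a valid https URI")
    for name in OPTIONAL_URIS:
        if name in metadata and not _is_https_uri(metadata[name]):
            problems.append(f"{name} present but not a valid https URI")
    # The Issuer field in the administration console, if set, must equal the metadata issuer.
    if configured_issuer is not None and configured_issuer != metadata.get("issuer"):
        problems.append("configured Issuer does not match metadata issuer")
    return problems

def client_credentials_request(metadata, client_id, client_secret, method="body"):
    """Build the client credentials token request the Validate button sends; "body" is
    Client secret in body, "header" is Client secret in authorization header."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if method == "body":
        form.update(client_id=client_id, client_secret=client_secret)
    elif method == "header":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then base64 "id:secret".
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + b64encode(raw).decode()
    else:  # Private key JWT needs a signed assertion and is not built here
        raise ValueError(f"unsupported client authentication method: {method}")
    return metadata["token_endpoint"], headers, urlencode(form)
```

Run validate_metadata on the document fetched from the discovery URL before saving the configuration; the problems list names exactly the attribute that would make the Validate step fail.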
Related Information
Edit Administrator Authorizations
Microsoft identity platform application authentication certificate credentials