OIDC Relying Party

Note: There are two sections related to the OIDC Relying Party. This section describes when Fortified ID Access acts as an OIDC Relying Party (RP). If you are looking for information about when Access acts as an OIDC OpenID Provider (OP), click the following link.

Configuration

Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP

Common Authenticator configuration can be found here.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| discovery_metadata_url | URL to the external OP. | N/A | |
| internal_http_destination | ID of the internal HTTP client used to communicate with the external OP. | N/A | |
| custom_identifier | Custom identifier to be set in the event logging entry. | N/A | |
| client_id | Client id used when communicating with the OP. | N/A | |
| client_secret | Client secret used when communicating with the OP token endpoint. | N/A | |
| redirect_uri | Redirect URI used when communicating with the OP. | N/A | |
| scope | OIDC scope used when communicating with the OP. | "openid" | |
| enable_user_info_lookup | Whether the userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata.) | true | |
| jwt_subject_parameter | JWT claim used as the subject/username. | "sub" | |
| use_raw_claims | Whether the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified". | false | |
| id_token_header_prefix | Prefix to use for the id_token header claims. | "" | |
| id_token_payload_prefix | Prefix to use for the id_token payload claims. | "" | |
| userinfo_prefix | Prefix to use for the userinfo claims. | "" | |
| disable_nonce | Disables sending a nonce as part of the requests. | false | |

Logging

On a successful authentication, an event is logged containing the following:

  • WEB_100021

  • IDENTIFIER (user traceid)

  • SOURCE_SERVICE_NAME (issuer from metadata)

  • SOURCE_USER_NAME (jwt_subject_parameter from any of the claims)

  • SOURCE_ADDRESS (user IP address)

  • CUSTOMER_IDENTIFIER (custom_identifier if configured)

Data exposed to global state

After successful validation, the data stored in the global state is:

  • id_token header claims

  • id_token payload claims

  • userinfo claims
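As an added illustration (not Fortified ID Access code, and not a description of its internal implementation), the following Python shows how the options above shape what ends up in the global state: the issuer, audience and nonce checks an RP makes on the id_token, the prefixing and stringification of the three claim sets, and the lookup of jwt_subject_parameter across them. The sample token, userinfo response and config values are constructed; the exact "stringified" encoding (JSON here) is an assumption.

```python
import json

# Constructed sample data (not from a real OP): decoded id_token header and
# payload after signature verification, plus the userinfo response.
ID_TOKEN_HEADER = {"alg": "RS256", "kid": "key-1"}
ID_TOKEN_PAYLOAD = {"iss": "https://op.example.com", "sub": "user-123",
                    "aud": "my-client", "nonce": "n-abc", "groups": ["admin", "dev"]}
USERINFO = {"sub": "user-123", "name": "Ada", "email": "ada@example.com"}

# Hypothetical RP settings using the option names from the configuration table.
CONFIG = {"client_id": "my-client", "enable_user_info_lookup": True,
          "jwt_subject_parameter": "sub", "use_raw_claims": False,
          "id_token_header_prefix": "hdr_", "id_token_payload_prefix": "idt_",
          "userinfo_prefix": "ui_", "disable_nonce": False}


def validate_id_token(payload, issuer, config, sent_nonce):
    """Checks an RP must make on the id_token payload (signature assumed verified)."""
    if payload.get("iss") != issuer:  # issuer must match the discovery metadata
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client_id")
    if not config["disable_nonce"] and payload.get("nonce") != sent_nonce:
        raise ValueError("nonce mismatch (possible replay)")  # nonce binds token to this login


def build_global_state(header, payload, userinfo, config):
    """Merge the three claim sets into one flat dict, applying prefixes and
    stringification as the options describe (encoding is an assumption)."""
    state = {}

    def put(prefix, claims):
        for key, value in claims.items():
            if config["use_raw_claims"] or isinstance(value, str):
                state[prefix + key] = value
            else:
                state[prefix + key] = json.dumps(value)  # "stringified" form

    put(config["id_token_header_prefix"], header)
    put(config["id_token_payload_prefix"], payload)
    if config["enable_user_info_lookup"]:
        if userinfo.get("sub") != payload.get("sub"):  # OIDC Core 5.3.2: sub must match
            raise ValueError("userinfo sub does not match id_token sub")
        put(config["userinfo_prefix"], userinfo)
    return state


def resolve_subject(header, payload, userinfo, config):
    """SOURCE_USER_NAME: jwt_subject_parameter taken from any of the claim sets."""
    for claims in (payload, userinfo, header):
        if config["jwt_subject_parameter"] in claims:
            return claims[config["jwt_subject_parameter"]]
    raise ValueError("subject claim not present")
```

With all three prefixes left at their default "", the id_token `sub` and the userinfo `sub` land on the same state key; distinct prefixes keep the claim sets apart so a later policy can tell which source a value came from.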
