OIDC

Acts as an OpenID Connect Provider.

Introduction

Can be configured in multiple instances allowing for multi tenancy.

Acts as an OpenID Connect provider. It acts as a controller for issuing Json Web Tokens (JWT). Typically the configured authenticator is the first point of contact coming from an OpenID Connect Relying Party, requesting identification.

Fortified Integrity have achieved certifications for five OpenID Provider conformance profiles. Read more about these profiles here: https://openid.net/certification/

OpenID Connect Provider Configuration

Module name: OIDCModule

Name

Description

Default value

Mandatory

{
      "name": "OIDCModule",
      "enabled": true,
      "config":{
        "providers":[
            {
              "http_context" : "/oidc",
              "http_port" : 8080,
              "discovery_meta" : {
                  "issuer" : "http://192.168.50.228:8080/oidc/tenant1",
                  "authorization_endpoint" : "http://192.168.50.228:8080/test/authn/oidc",
                  "token_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/token-endpoint",
                  "userinfo_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/userinfo-endpoint",
                  "introspection_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/introspection-endpoint",
                  "jwks_uri" : "http://192.168.50.228:8080/oidc/tenant1/.well-known/openid-configuration/jwks",
                  "end_session_endpoint" : "http://192.168.50.228:8080/test/authn/oidc/logout",
                  "scopes_supported" : [ "openid" ],
                  "response_types_supported" : [ "code" ],
                  "grant_types_supported" : [ "authorization_code" ],
                  "subject_types_supported" : [ "public" ],
                  "id_token_signing_alg_values_supported" : [ "RS256" ],
                  "token_endpoint_auth_methods_supported" : [ "client_secret_post", "client_secret_basic" ],
                  "claims_supported" : [ "iss", "ver", "sub", "given_name", "family_name" ],
                  "request_parameter_supported" : true
              },
              "tenant_op_path" : "/tenant1",
              "keystore" : {
                    "path" : "/fortified_test/keystore.p12",
                    "password" : "secret",
                    "type" : "PKCS12"
              },
              "sign_jwt_keystore_password" : "secret",
              "sign_jwt_keystore_alias" : "jwt",
              "rps" : [{
                    "client_id" : "provided",
                    "client_secret" : "provided",
                    "pipe_id":"optional_pipe_id",
                    "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
                    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
              }]
        }]
      }
}

Relying party Configuration

"rps" : [
    {
        "client_id" : "provided_1",
        "client_secret" : "provided_1",
        "pipe_id":"optional_pipe_id_1",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    },
    {
        "client_id" : "provided_2",
        "client_secret" : "provided_2",
        "pipe_id":"optional_pipe_id_2",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    }
]

PreviousSAMLModule NextOpenID Configuration endpoint

Introduction

Can be configured in multiple instances allowing for multi tenancy.

Fortified Integrity have achieved certifications for five OpenID Provider conformance profiles. Read more about these profiles here: https://openid.net/certification/

OpenID Connect Provider Configuration

Module name: OIDCModule

Name

Description

Default value

Mandatory

{
      "name": "OIDCModule",
      "enabled": true,
      "config":{
        "providers":[
            {
              "http_context" : "/oidc",
              "http_port" : 8080,
              "discovery_meta" : {
                  "issuer" : "http://192.168.50.228:8080/oidc/tenant1",
                  "authorization_endpoint" : "http://192.168.50.228:8080/test/authn/oidc",
                  "token_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/token-endpoint",
                  "userinfo_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/userinfo-endpoint",
                  "introspection_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/introspection-endpoint",
                  "jwks_uri" : "http://192.168.50.228:8080/oidc/tenant1/.well-known/openid-configuration/jwks",
                  "end_session_endpoint" : "http://192.168.50.228:8080/test/authn/oidc/logout",
                  "scopes_supported" : [ "openid" ],
                  "response_types_supported" : [ "code" ],
                  "grant_types_supported" : [ "authorization_code" ],
                  "subject_types_supported" : [ "public" ],
                  "id_token_signing_alg_values_supported" : [ "RS256" ],
                  "token_endpoint_auth_methods_supported" : [ "client_secret_post", "client_secret_basic" ],
                  "claims_supported" : [ "iss", "ver", "sub", "given_name", "family_name" ],
                  "request_parameter_supported" : true
              },
              "tenant_op_path" : "/tenant1",
              "keystore" : {
                    "path" : "/fortified_test/keystore.p12",
                    "password" : "secret",
                    "type" : "PKCS12"
              },
              "sign_jwt_keystore_password" : "secret",
              "sign_jwt_keystore_alias" : "jwt",
              "rps" : [{
                    "client_id" : "provided",
                    "client_secret" : "provided",
                    "pipe_id":"optional_pipe_id",
                    "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
                    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
              }]
        }]
      }
}

Relying party Configuration

Name

Description

Default value

Mandatory

"rps" : [
    {
        "client_id" : "provided_1",
        "client_secret" : "provided_1",
        "pipe_id":"optional_pipe_id_1",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    },
    {
        "client_id" : "provided_2",
        "client_secret" : "provided_2",
        "pipe_id":"optional_pipe_id_2",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    }
]