The web application (or client application) requests the authorization code at the authorization endpoint. The login endpoint is used to open an extended login window, which serves to obtain the authorization code. The authentication module then requests an access token from the token endpoint; the certificate is required to verify the security token.
During this process, an attempt is made to find the certificate in the web application configuration. If this is not possible, the settings of the identity provider are used. To find the certificate for verifying the token, the certificate stores are queried in the following order:
- Configuration of the OAuth 2.0/OpenID Connect application (QBMIdentityClient table)
  - Certificate text (QBMIdentityClient.CertificateText)
  - Subject or thumbprint from the local certificate store (QBMIdentityClient.CertificateSubject and QBMIdentityClient.CertificateThumbPrint)
  - Certificate endpoint (QBMIdentityClient.CertificateEndpoint)
    In addition, if a subject or thumbprint is specified but the certificate does not exist locally on the server, the certificate retrieved from the server is checked against that subject or thumbprint.
- Configuration of the identity provider (QBMIdentityProvider table)
  - Certificate text (QBMIdentityProvider.CertificateText)
  - Subject or thumbprint from the local certificate store (QBMIdentityProvider.CertificateSubject and QBMIdentityProvider.CertificateThumbPrint)
  - Certificate endpoint (QBMIdentityProvider.CertificateEndpoint)
    In addition, if a subject or thumbprint is specified but the certificate does not exist locally on the server, the certificate retrieved from the server is checked against that subject or thumbprint.
  - JSON Web Key endpoint (QBMIdentityProvider.JsonWebKeyEndpoint)
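The lookup order above is easy to get wrong in practice (a provider-level certificate silently shadowing an application-level one, or a downloaded certificate not being compared against the pinned thumbprint). The following is an added example, not One Identity Manager code: it walks the QBMIdentityClient and QBMIdentityProvider settings in the documented order. The column names are those from the text; the in-memory "local store", the fetch callback, the JWKS URL and every certificate value are constructed stand-ins (only the SigningCertificate URL is the documentation's own example).

```python
"""Resolve the certificate used to verify the security token, in the order the
page describes: application (QBMIdentityClient) settings first, then identity
provider (QBMIdentityProvider) settings; within each, certificate text, then
subject/thumbprint in the local store, then the certificate endpoint, and for
the provider finally the JSON Web Key endpoint.

Added example, not One Identity Manager code. Column names are from the
documentation; the local store, the fetch callback and all certificate values
are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CertConfig:
    """Subset of the QBMIdentityClient / QBMIdentityProvider columns the text names."""
    certificate_text: Optional[str] = None        # CertificateText
    certificate_subject: Optional[str] = None     # CertificateSubject
    certificate_thumbprint: Optional[str] = None  # CertificateThumbPrint
    certificate_endpoint: Optional[str] = None    # CertificateEndpoint
    json_web_key_endpoint: Optional[str] = None   # JsonWebKeyEndpoint (provider only)


@dataclass
class Resolved:
    source: str     # which configuration column supplied the key material
    material: dict  # the certificate or JWKS document (constructed stand-in)


def _matches(cert: dict, subject: Optional[str], thumbprint: Optional[str]) -> bool:
    """A downloaded certificate must agree with a configured subject or thumbprint, if any."""
    if thumbprint and cert.get("thumbprint", "").lower() != thumbprint.lower():
        return False
    if subject and cert.get("subject") != subject:
        return False
    return True


def resolve_verification_cert(client: Optional[CertConfig], provider: Optional[CertConfig],
                              local_store: Dict[str, dict],
                              fetch: Callable[[str], Optional[dict]]) -> Resolved:
    for scope, cfg in (("QBMIdentityClient", client), ("QBMIdentityProvider", provider)):
        if cfg is None:
            continue
        # 1. Certificate text stored directly in the configuration.
        if cfg.certificate_text:
            return Resolved(f"{scope}.CertificateText", {"pem": cfg.certificate_text})
        # 2. Subject or thumbprint, looked up in the local certificate store.
        for key in (cfg.certificate_subject, cfg.certificate_thumbprint):
            if key and key in local_store:
                return Resolved(f"{scope}.CertificateSubject/CertificateThumbPrint", local_store[key])
        # 3. Certificate endpoint. If a subject/thumbprint was configured but not found
        #    locally, the downloaded certificate is checked against it before use.
        if cfg.certificate_endpoint:
            cert = fetch(cfg.certificate_endpoint)
            if cert is not None:
                if not _matches(cert, cfg.certificate_subject, cfg.certificate_thumbprint):
                    raise ValueError(f"{scope}.CertificateEndpoint returned a certificate that "
                                     "does not match the configured subject/thumbprint")
                return Resolved(f"{scope}.CertificateEndpoint", cert)
        # 4. JSON Web Key endpoint (identity provider only).
        if cfg.json_web_key_endpoint:
            jwks = fetch(cfg.json_web_key_endpoint)
            if jwks is not None:
                return Resolved(f"{scope}.JsonWebKeyEndpoint", jwks)
    raise LookupError("no token verification certificate configured for application or identity provider")


# Constructed sample data: not real certificates, the JWKS URL is made up.
SIGNING_CERT_URL = "https://localhost/RSTS/SigningCertificate"   # Table 36 example
JWKS_URL = "https://localhost/rsts/.well-known/jwks"             # constructed
LOCAL_STORE = {
    "CN=RSTS Signing": {"subject": "CN=RSTS Signing", "thumbprint": "AA11", "pem": "local-cert"},
}
REMOTE = {
    SIGNING_CERT_URL: {"subject": "CN=RSTS Signing", "thumbprint": "AA11", "pem": "remote-cert"},
    JWKS_URL: {"keys": [{"kty": "RSA", "kid": "k1"}]},
}


def fake_fetch(url: str) -> Optional[dict]:
    """Stand-in for an HTTPS GET against the identity provider."""
    return REMOTE.get(url)


def demo() -> Dict[str, str]:
    results = {}
    # Application pins a thumbprint that is not in the local store: fetched and checked.
    client = CertConfig(certificate_thumbprint="AA11", certificate_endpoint=SIGNING_CERT_URL)
    results["endpoint_checked"] = resolve_verification_cert(client, None, {}, fake_fetch).source
    # Nothing configured on the application; the provider only offers a JWKS endpoint.
    provider = CertConfig(json_web_key_endpoint=JWKS_URL)
    results["provider_jwks"] = resolve_verification_cert(CertConfig(), provider, {}, fake_fetch).source
    # A subject present in the local store beats the provider's certificate text.
    client2 = CertConfig(certificate_subject="CN=RSTS Signing")
    provider2 = CertConfig(certificate_text="provider-pem")
    results["local_store"] = resolve_verification_cert(client2, provider2, LOCAL_STORE, fake_fetch).source
    return results


if __name__ == "__main__":
    for name, source in demo().items():
        print(f"{name}: {source}")
```

The mismatch branch in step 3 is the point worth keeping in mind when troubleshooting: a configured thumbprint is a pin, so a rotated signing certificate at the endpoint fails verification until the stored thumbprint is updated.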
To identify the user account, the system determines which claim type is used to find the user information and which information from the One Identity Manager schema is used to find the user account.
Authentication through OpenID is built on OAuth 2.0. OpenID Connect authentication uses the same mechanisms, but makes the claims available either in an ID token or through a UserInfo endpoint. Additional configuration settings are required for using OpenID Connect. If the Scope contains the openid value, the authentication module uses OpenID Connect for authentication.
A wizard is provided for creating and customizing an OAuth 2.0/OpenID Connect configuration.
To create an OAuth 2.0/OpenID Connect configuration
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- Select the Create a new identity provider task.
- On the start page of the wizard, click Next.
- On the New identity provider page, enter the display name for the configuration and a description.
- Click Next.
- On the Automatic configuration discovery page, you define how you want to enter the information about the identity provider.
  - If the configuration data can be determined automatically by OpenID Connect Discovery:
    - Select Automatic configuration data discovery.
    - Enter the address (URL) for automatic determination of the configuration data in the input field, or select an example address via the drop-down button.
    - Click Run.
      The configuration data is determined and a dialog window is displayed. To accept the configuration data, click OK.
  - If you want to create the configuration data from a template:
    - Select Create from template file.
    - Click Select and choose the XML file.
      For the One Identity Redistributable STS (RSTS), the file is pre-configured. You can find the RSTS_Template.xml in the One Identity Manager installation directory.
    - Click Open.
  - If you do not want to determine the configuration data automatically, select Manual data input. Enter the configuration data on the next page of the wizard.
- Click Next.
- On the Configuration data page, enter the general information for the database user.
  NOTE: If you selected automatic determination of configuration data, some of the information is already completed.
Table 35: General configuration data for the identity provider
Property | Description
Login endpoint | Uniform Resource Locator (URL) of the Secure Token Service login page. Example: http://localhost/rsts/login
Logout endpoint | URL of the logout endpoint. Example: http://localhost/rsts/login?wa=wsignout1.0
Token endpoint | Uniform Resource Locator (URL) of the token endpoint of the authorization server, which returns the access token to the client for logging in. Example: https://localhost/rsts/oauth2/token
Issuer | Uniform Resource Identifier (URI) of the certificate issuer for verifying the security token. Example: urn:STS/identity
Scope | Protocol for authentication. If the value is openid, OpenID Connect is used for authentication; otherwise OAuth 2.0 is used.
UserInfo endpoint | URL of the OpenID Connect UserInfo endpoint.
No ID token check | Specifies whether the ID token is checked. If the option is enabled, the ID token is not checked. The option can only be enabled for a scope containing the value openid and a populated UserInfo endpoint.
Self-signed certificates allowed | Specifies whether self-signed certificates are allowed for connecting to the token endpoint and the UserInfo endpoint.
Shared Secret | Shared Secret value used for authentication at the token endpoint. If all applications of the identity provider use the same Shared Secret, enter the value here. If the applications use different Shared Secrets, enter the Shared Secret values when creating the applications.
Requested authentication context class reference values | Space-delimited string specifying the acr values that the authorization server ought to use to process this authentication request, with the values appearing in order of preference.
- Click Next.
- On the Configure certificates page, enter the information for the identity provider's certificate. If all applications use the same certificate, enter the information here. If the applications use different certificate settings, enter the information when creating the application.
  NOTE: If you selected automatic determination of configuration data, some of the information is already completed.
Table 36: Information about the identity provider certificate
Property | Description
Certificate endpoint | Uniform Resource Locator (URL) of the certificate endpoint on the authorization server. Example: https://localhost/RSTS/SigningCertificate
Subject of the certificate | Subject of the certificate used for verification. The subject or thumbprint must be set.
Thumbprint | Thumbprint of the certificate used to verify the security token.
JSON Web Key endpoint | URL of the JSON Web Key endpoint providing the token signing keys.
Certificate | Character string of the certificate content. It is used if no certificate is configured.
- Click Next.
- On the Search rule for user information page, you define how the login information is determined between the identity provider and the One Identity Manager database.
Table 37: Determining the login information
Property | Description
Value for the search | Full name of the claim type from which the login credentials are determined on the identity provider. Example: name of an entity, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. If you have determined the configuration data automatically, select a value from the list.
Column to search | Table and column in the One Identity Manager database in which the user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table. Example: ADSAccount.ObjectGUID
User name value | Full name of the claim type from which the user name is determined on the identity provider. The user name is used, for example, to identify data changes in One Identity Manager (XUserInserted and XUserUpdated columns). Example: User Principal Name (UPN), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn. If you have determined the configuration data automatically, select a value from the list.
Value to check | Name of the claim type to be additionally checked. The claim type must appear under exactly this name in the token. The check ensures that only those people can log in whose token contains exactly the comparison value in the specified claim type.
Comparison value | Fixed value of the claim type specified under Value to check, against which the claim is checked.
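To make the search rule concrete, here is an added example (not One Identity Manager code) that applies the five Table 37 fields to a set of token claims: the optional Value to check / Comparison value gate runs first and matches the claim type and value exactly, then Value for the search is looked up in Column to search, and the UID_Person foreign key of the matching row identifies the person. The claim type URIs and ADSAccount.ObjectGUID are the documentation's examples; the tenant claim, the sample claims, the in-memory ADSAccount rows and the function names are constructed. Refusing an ambiguous match (two rows with the same search value) is this example's choice, not documented product behaviour.

```python
"""Determine the One Identity Manager login from token claims using the search
rule fields of Table 37 (Value for the search, Column to search, User name
value, Value to check, Comparison value).

Added example, not One Identity Manager code. The claim type URIs and the
ADSAccount.ObjectGUID column are the documentation's examples; the sample
claims, the in-memory ADSAccount rows and the function names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Tuple

CLAIM_NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
CLAIM_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CHECK_CLAIM = "http://example.invalid/claims/tenant"   # constructed claim type for Value to check


@dataclass(frozen=True)
class SearchRule:
    search_claim: str                  # Value for the search
    search_column: str                 # Column to search, as Table.Column
    username_claim: str                # User name value
    check_claim: Optional[str] = None  # Value to check (exact claim type name)
    check_value: Optional[str] = None  # Comparison value (exact value)


# Constructed stand-in for database tables; every row carries the UID_Person foreign key.
TABLES: Dict[str, List[dict]] = {
    "ADSAccount": [
        {"ObjectGUID": "guid-alice", "UID_Person": "person-alice"},
        {"ObjectGUID": "guid-dup", "UID_Person": "person-1"},
        {"ObjectGUID": "guid-dup", "UID_Person": "person-2"},   # deliberate duplicate
    ]
}

RULE = SearchRule(CLAIM_NAMEID, "ADSAccount.ObjectGUID", CLAIM_UPN, CHECK_CLAIM, "corp")


def resolve_login(rule: SearchRule, claims: Mapping[str, str],
                  tables: Dict[str, List[dict]] = TABLES) -> Tuple[str, str]:
    """Return (UID_Person, user_name) for the presented claims, or raise."""
    # Additional check first: the claim type must appear under exactly this name and
    # carry exactly the comparison value (no case folding, no trimming).
    if rule.check_claim is not None and claims.get(rule.check_claim) != rule.check_value:
        raise PermissionError("token does not carry the required comparison value")

    search_value = claims.get(rule.search_claim)
    if not search_value:
        raise LookupError(f"claim {rule.search_claim} missing from token")

    table, column = rule.search_column.split(".", 1)
    rows = [r for r in tables[table] if r.get(column) == search_value and r.get("UID_Person")]
    # Exactly one account may match; an ambiguous hit is refused rather than guessed.
    if len(rows) != 1:
        raise LookupError(f"{len(rows)} accounts match {rule.search_column}={search_value!r}")

    # The user name feeds XUserInserted/XUserUpdated; fall back to the search value
    # if the token carries no user name claim (this example's choice).
    user_name = claims.get(rule.username_claim) or search_value
    return rows[0]["UID_Person"], user_name


if __name__ == "__main__":
    token_claims = {CLAIM_NAMEID: "guid-alice", CLAIM_UPN: "alice@example.invalid", CHECK_CLAIM: "corp"}
    print(resolve_login(RULE, token_claims))
```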
- Click Next.
- On the Create OAuth 2.0/OpenID Connect applications page, enter the application information for the identity provider.
  - Click next to the Applications field.
    To connect using RSTS, select RSTS client. Some of the information about the RSTS client application is already predefined.
  - On the General tab, enter the general information for the application.
Table 38: General information about the application
Property | Description
Display name | Display name of the application.
Description | Text field for additional explanation.
Client ID | ID of the application on the identity provider. For client applications, enable the Default option. Example: urn:OneIdentityManager/Web
Shared Secret | Application-specific Shared Secret value used for authentication at the token endpoint.
Resource to request | URN of the resource to be requested, for example for ADFS. Only required if the identity provider requires this value.
Redirect URL | Forwarding address for redirection of applications. Example: urn:InstalledApplication
Send post logout redirect URI | Specifies the behavior of the client after logging off from the application. Permitted values are Send post logout redirect URI (default), Do not send a redirect URI, and Send a specific redirect URI.
Post logout redirect URI | URI sent after logging off from the application.
Default | Specifies whether this is a standard application for client applications.
  - On the Certificate tab, enter the information for the application certificate.
Table 39: Information about the application certificate
Property | Description
Certificate endpoint | Uniform Resource Locator (URL) of the certificate endpoint on the authorization server. Example: https://localhost/RSTS/SigningCertificate
Thumbprint | Thumbprint of the certificate used to verify the security token.
Subject of the certificate | Subject of the certificate used for verification. The subject or thumbprint must be set.
Certificate | Content of the certificate. It is used if no certificate is configured.
  - On the Authentication tab, enter the following information.
Table 40: Information about the application certificate
Property | Description
Authentication method | Authentication method at the token endpoint. Permitted values are:
  - client_secret_basic (default value): HTTP basic authentication method. The Shared Secret is transferred in the HTTP header.
  - client_secret_post: The Shared Secret is transferred in the client_secret value of the POST body.
  - none: No authentication at the token endpoint.
  - client_secret_jwt: The Shared Secret is transferred as a JSON web token (JWT).
  - private_key_jwt: The Shared Secret is transferred as a JWT. In addition, the JWT is signed with the private key.
Token endpoint certificate | Hexadecimal thumbprint of the certificate for validating the token.
Requested authentication context class reference values | Space-delimited string specifying the acr values that the authorization server ought to use to process this authentication request, with the values appearing in order of preference. If no reference values are defined here, the reference values of the identity provider are used.
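The Authentication method choice decides where the Shared Secret travels on the wire, which matters for logging and proxy exposure. The following added example (not One Identity Manager code) builds the token-endpoint request for client_secret_basic, client_secret_post, client_secret_jwt and none, and shows the checks a token endpoint should apply to a client_secret_jwt assertion (pinned algorithm, constant-time HMAC comparison, issuer/subject/audience/expiry). private_key_jwt is not built here because it needs an asymmetric-key library. The token endpoint, client ID and redirect URL reuse the documentation's examples; the shared secret, the authorization code and all function names are constructed.

```python
"""Shape of the token-endpoint request for the client authentication methods
listed under Authentication method, and the server-side check of a
client_secret_jwt assertion.

Added example, not One Identity Manager code. Endpoint, client ID and redirect
URL are the documentation's examples; secret, code and function names are
constructed. private_key_jwt is omitted (needs an asymmetric-key library).
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional
from urllib.parse import quote, urlencode

TOKEN_ENDPOINT = "https://localhost/rsts/oauth2/token"   # Table 35 example
CLIENT_ID = "urn:OneIdentityManager/Web"                  # Table 38 example
REDIRECT_URL = "urn:InstalledApplication"                 # Table 38 example
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt(client_id: str, shared_secret: str, token_endpoint: str,
                      now: Optional[int] = None, jti: Optional[str] = None) -> str:
    """HS256 client assertion keyed with the Shared Secret (client_secret_jwt)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
               "iat": now, "exp": now + 60, "jti": jti or uuid.uuid4().hex}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(method: str, client_id: str, shared_secret: str, code: str,
                        redirect_uri: str, token_endpoint: str = TOKEN_ENDPOINT) -> dict:
    """Return URL, headers and form body for exchanging an authorization code."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # Secret travels in the HTTP Authorization header; RFC 6749 form-encodes id and secret first.
        cred = f"{quote(client_id, safe='')}:{quote(shared_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode("ascii")
    elif method == "client_secret_post":
        # Secret travels in the client_secret field of the POST body.
        form["client_id"] = client_id
        form["client_secret"] = shared_secret
    elif method == "client_secret_jwt":
        # Secret never leaves the client; only a short-lived HMAC-signed assertion is sent.
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_secret_jwt(client_id, shared_secret, token_endpoint)
    elif method == "none":
        # No client authentication at all; only the client_id identifies the caller.
        form["client_id"] = client_id
    else:
        raise ValueError(f"unsupported authentication method: {method}")
    return {"url": token_endpoint, "headers": headers, "body": urlencode(form)}


def verify_client_assertion(assertion: str, shared_secret: str, expected_client_id: str,
                            expected_aud: str, now: Optional[int] = None) -> bool:
    """What a token endpoint should check before accepting a client_secret_jwt assertion."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:                      # malformed base64, JSON or segment count
        return False
    if header.get("alg") != "HS256":        # pin the algorithm; never trust alg from the token
        return False
    expected = hmac.new(shared_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    return (payload.get("iss") == expected_client_id
            and payload.get("sub") == expected_client_id
            and payload.get("aud") == expected_aud
            and isinstance(payload.get("exp"), int) and payload["exp"] > now)


if __name__ == "__main__":
    for m in ("client_secret_basic", "client_secret_post", "client_secret_jwt", "none"):
        req = build_token_request(m, CLIENT_ID, "constructed-secret", "constructed-code", REDIRECT_URL)
        print(m, req["headers"].get("Authorization", "-"), req["body"], sep="\n  ")
```

With client_secret_basic and client_secret_post the secret itself is in every token request, so access logs and TLS-terminating proxies on the path to the token endpoint must not record bodies or Authorization headers; with client_secret_jwt only a 60-second assertion is exposed. The method none is only meaningful for public clients that hold no secret.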
- To create the identity provider and the application in the One Identity Manager database, click Next.
- Click Finish to complete the wizard.
To use the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules in One Identity Manager web applications, assign the OAuth2.0/OpenID Connect application to the web application.
To assign an OAuth2.0/OpenID Connect application to a web application
- In the Designer, select the Base data > Security settings > Web server configurations category.
- In List Editor, select the web application.
- In the Properties edit view, assign the application in the OAuth2.0/OpenID Connect application selection list.
- Select Database > Save to database and click Save.
Use this task to display information about an OAuth 2.0/OpenID Connect configuration.
To display the configuration of an identity provider
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In List Editor, select the identity provider. The configuration data is displayed on the following tabs in the edit view:
  - General: Displays the general configuration data of the identity provider.
  - Certificate: Displays the information about the identity provider certificate.
  - Applications: Displays the configuration of the OAuth 2.0/OpenID Connect applications.
  - Columns for enabling: Displays the table and the columns that identify a user account as activated.
  - Columns for disabling: Displays the table and the columns that identify a user account as deactivated.
To display the configuration of an OAuth 2.0/OpenID Connect application
- In the Designer, select the Base data > Security settings > OAuth 2.0/OpenID Connect configuration category.
- In List Editor, select the identity provider.
- In the edit view, select the Applications tab.
- To display the configuration of an application, select the OAuth 2.0/OpenID Connect application in the Application view.
NOTE: Click Add to add a new OAuth 2.0/OpenID Connect application to the configuration of the identity provider. Click Remove to remove an OAuth 2.0/OpenID Connect application that is no longer required from the configuration of the identity provider.