Step
1: Add a generic Device application and configure the General settings
You can configure access to custom OpenID Connect (OIDC) device applications by integrating a generic OIDC Device application (SPA) on Identity as a Service. A device application is a client application that runs on an input-constrained or browserless device (for example, a TV set top box, a picture frame, or a printer). In order to obtain authorization to access resources on the user's behalf (for example, access to movies or photos), the user authentication and authorization does not occur on the device, but rather on a separate user-controlled computer or mobile device based on a supplied URL and user code. After the user completes the authentication, the device application is able to acquire the required tokens to access the resource on the user's behalf.
Before you begin, complete the following:
● Identify the attributes that Identity as a Service must contain to establish a connection between Identity as a Service and the OIDC application.
● Configure the account settings of your application to accept authentication attempts from your Identity as a Service account.
Step
1: Add a generic Device application and configure the General settings1. Log in to an Identity as a Service account with a role assigned that allows you to configure applications on Identity as a Service.
2. Click
> Security > Applications. The Applications
List page appears.
3. Click Add. The Select an Application Template page appears.
4. Do one of the following:
● Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
- or -
● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
5. Click Generic Device Application. The Add Generic Device Application page appears.
6. Configure the following App Settings:
a. Enter the Application Name.
b. Enter the Application Description.
7. Configure the OIDC Settings.
a. Select the Grant Types Supported that your application uses to access OIDC authentication through Identity as a Service.
The grant type tells Identity as a Service what flow to use to return authentication/authorization responses and grant request responses. You can select more than one grant type.
Device Code is selected by default. Optionally, select Refresh Token to obtain a new access token and refresh token for a valid refresh token.
b. The Client ID is generated when you create the application on Identity as a Service. You cannot modify the Client ID.
c. From the drop-down list, select the Subject ID Attribute that corresponds with the user attribute.
The Subject ID Attribute can be the user name or the Federation ID listed in the application account details on the OIDC application. This attribute links Identity as a Service to the client OIDC application account.
d. Select the OIDC Signing Certificate used to connect to the Service Provider.
e. Click Add to add a CORS Origin.
The origin defines the URL hostname from which a device application can be initiated. The value should be a URL with a only a hostname and optional port specified. You can add more than one value.
f. Optional. Enter a Consent Message to include a message to users when consent is requested.
g. Optional. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to re-authenticate during a new login attempt. Leave this field blank to disable this feature.
h. Select User Code Character Set to either include either alpha values or a combination of alpha and numeric values in the user code provided to the user.
i. Enter the User Code Mask to set how the user code is returned to the user. Use an asterisk (*) to represent the user code value and a dash as a separator.
Example: Enter **-**-**-** to return a code such as B3-CD-1F-GH.
j. Set the Device Code Timeout in seconds) to set the amount of time in seconds before the Device Code expires.
8. Select the Supported Scopes.
A scope is a group of claims required for a connection between Identity as a Service and the OIDC application. Scopes are requested by the client during an authorization request. You can select more than one scope.
● Your unique identifier (selected by default). If disabled, the OIDC application is strictly using an access token that can be used to access a resource server API on behalf of a user.
● Address
● Email address
● Telephone number
● Profile information
Note:
Click the arrow next to each scope to see the list of Implied
Claims included in the scope. The list of Implied
Claims is defined by OpenID Connect and cannot be modified.
Every Implied Claim included in the scopes you select under Supported
Scopes should have an associated
Identity as a Service
user attribute so that the attribute is returned as part of the OIDC
tokens sent back to the client. For example, if you select Address
as a Supported Scope, then you must define an Identity as a Service
user attribute for each Implied Claim associated
with Address. See Add
a user attribute.
9. Click Show Advanced Settings to configure the advanced settings.
a. Select Enable Organizations and Domain-Based Identity Providers to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.
Note: When organizations are enabled, the corresponding OIDC claims must also be configured.
a. Enter the Default Resource/Audience Request Value to include this value as the resource or audience parameter for every authorization request.
b. Select Include authentication time with all ID tokens to include the authentication time with all tokens.
c. From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.
d. Set the ID Token Timeout to the time (in minutes) that the ID token is valid before it expires.
e. From the User Info Signing Algorithm drop-down list, select the signing algorithm used to sign the user info data during authentication.
f. Set the User Info Access Token Timeout to the time (in minutes) that the access token is valid before it expires.
10. Click Save.
Note: After configuring the General settings, Claims, Customization and Resource Rule tabs appear.
11. Proceed to Step 2: Configure Claims.
Step 2: Configure
Claims1. Click the Claims tab. The Claims page appears.
If required, add Supported Claims to map OIDC claims to Identity as a Service user attributes and related user information.
The supported claims define the claims that the client requests during an authorization request or claims that are returned automatically by IDaaS. A claim value can be derived based on a user attribute, for example, <FirstName>. A claim value can also be derived based on a user related attribute, for example, [Groups]. The required claims depend on the OIDC application that you are configuring Identity as a Service.
The default claims are
● family_name
● given_name
● name
● phone_number
You can group claims, for example, the default claim, name, includes the user attribute First Name, a text-based value of a space and the user attribute value of Last Name so that the claim returned to the client is First Name <space> Last Name, for example Alice Gray.
2. To add a claim:
a. Ensure that you have already created the required User Attributes in Identity as a Service (see Create and manage user attributes).
a. Click 
.
The Add Claim dialog box appears.
b.
c. In the Claim Name field, do one of the following:
i) Select the Claim Name from the drop-down list.
-OR-
ii) Type a Claim Name to create a new custom claim.
d. In the Enter the Claim value expected by the Service Provider field, enter the following, as required:
– User Attribute Value—An Identity as a Service user attribute (see Create and manage user attributes).
– Text-Based Value—A text-based value. For example, to add a space between two claims or add text information.
– Related Value—Include user group or authenticator attributes. See Configure OIDC claim to include user authenticators or groups.
Example: some text <first Name> <Last Name> [Groups]
e. Select Always Return with User Info to always return the user information with the claim.
f. Select Always Return with ID Token to always return the ID Token with the claim.
g. Click Add.
Note: If
required, click 
next to the claim and make the
required changes. Click 
to delete a claim.
3. Click Save.
4. Proceed to Step 3: Configure Customizations.
Step 3: Configure
Customizations1. Click the Customization tab. The Customization page appears.
2. Optional. Add a custom application logo, as follows:
a. Click 
next
to Application Logo. The Upload Logo dialog
box appears.
b. Click 
to select
an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
3. Select the Authentication Flow that appears to users during login. You must select at least one. For more information on Passkey log in, see Manage Passkey/FIDO2 authenticators.
4. Click Save.
5. Proceed to Step 4: Configure a resource rule.