Integrate a generic OIDC and OAuth Native application

You can configure access to custom OpenID Connect (OIDC) applications by integrating a generic OIDC Native application with Identity as a Service. A Native application is a client application that cannot keep a client secret confidential (for example, a mobile or desktop application distributed to end users), so it cannot rely on a client secret to authenticate to Identity as a Service when obtaining tokens. Tokens are returned directly to the Native application (possibly through an operating system specific in-app view controller or a system browser).

Before you begin, complete the following:

Identify the attributes that Identity as a Service must contain to establish a connection between Identity as a Service and the OIDC application.

Configure the account settings of your application to accept authentication attempts from your Identity as a Service account.

Step 1: Add a generic Native application and configure the General settings

Log in to an Identity as a Service account with a role assigned that allows you to configure applications on Identity as a Service.

Click > Security > Applications. The Applications List page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

Click Generic Native Application. The Add Generic Native Application page appears.

Configure the following App Settings:

Enter the Application Name.

Enter the Application Description.

Configure the OIDC Settings.

Select the Grant Types Supported that your application uses to obtain tokens from Identity as a Service.

The grant type tells Identity as a Service which OAuth 2.0 flow to use when it returns authorization responses and token responses. You can select more than one grant type.

Device Code is selected by default. Optionally, select Refresh Token so that the application can present a valid refresh token to obtain a new access token and refresh token without prompting the user again.

From the Authorization Code PKCE Code Challenge drop-down list, select the Proof Key for Code Exchange (PKCE) code challenge method that clients must use when the Authorization Code grant type is used. PKCE does not authenticate the client; it binds the token request to the authorization request that issued the code, so an authorization code intercepted on the device cannot be redeemed by another application.

Set the User Info Access Token Timeout to the time (in minutes) that the access token is valid before it expires.

Set the User Info Access Token Limit to the time (in minutes) that the access token is valid before it expires.

The Client ID is generated when you create the application on Identity as a Service. You cannot modify the Client ID.

Select the Token / Revocation Endpoint Client Authentication Method from the drop-down list. Clients use this method to authenticate to the Authorization Server when they call the token or revocation endpoint.

Copy the Client Secret value and paste it into the required field of your client OIDC application account settings.

Note: You can define your own Client Secret value. However, Entrust recommends that you use the strong secret value provided. You can also view the current secret or regenerate a new one. Because a Native application is distributed to end users, any secret embedded in it can be extracted from the installed binary; treat it as public, and rely on PKCE and on registering only the exact Login Redirect URIs the application uses, rather than on the secret, to protect the authorization code exchange.

From the drop-down list, select the Subject ID Attribute that corresponds with the user attribute.

The Subject ID Attribute can be the user name or the Federation ID listed in the application account details on the OIDC application. This attribute links Identity as a Service to the client OIDC application account.

Select the OIDC Signing Certificate used to sign the tokens that Identity as a Service issues to the Service Provider (the client OIDC application).

Click Add to add a Login Redirect URI.

The Login Redirect URI is the location a user is redirected to, carrying the authorization response or an error, after being granted or denied access to the application. The value can be a URL, and you can add more than one value. Register each URI exactly as the application sends it in the redirect_uri parameter of its authorization request; for a Native application this is typically a private-use (custom) scheme, a loopback address, or an https URL that the operating system routes to the application.

Note: The login redirect URI hostname is added as a valid CORS origin for OIDC processing.

Click Add to add a Logout Redirect URI.

The Logout Redirect URI is the location a user is redirected to after being logged out from a client application. The value can be a URL, and you can add more than one value. To be redirected back to the client application, the logout call made by the client application must include the following parameters:

The client_id value (or alternatively an id_token_hint value, an ID token whose aud claim identifies the client ID).

The post_logout_redirect_uri value (or redirect_uri value), which must match one of the configured Logout Redirect URIs.

Optional. Select The user will be prompted for consent during authentication to require users to consent to the application's access before tokens are issued.

Optional. Enter a Consent Message to include a message to users when consent is requested.

Optional. Enter the Max Authentication Age (seconds) to set the maximum time that can elapse since the user's last authentication before Identity as a Service requires them to re-authenticate on a new login attempt. Leave this field blank to disable this feature.
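The settings above are what the Native application has to reproduce on its side of the exchange: an Authorization Code request carrying a PKCE challenge, state and nonce, a redirect_uri that matches a registered Login Redirect URI, and a logout request that names the client and a registered Logout Redirect URI. The following is an added example written for this page, not Entrust code; the endpoint URLs, Client ID and redirect URIs are assumptions, and verify_pkce shows the check the Authorization Server performs at the token endpoint so the two halves of PKCE can be seen together.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values: take the real endpoints from the Identity as a Service OIDC
# discovery document and the Client ID / redirect URIs from the General settings.
AUTHORIZE_ENDPOINT = "https://idaas.example.com/api/oidc/authorize"   # assumption
END_SESSION_ENDPOINT = "https://idaas.example.com/api/oidc/logout"    # assumption
CLIENT_ID = "0123456789abcdef"                                         # assumption
REDIRECT_URI = "com.example.app:/oauth2redirect"                       # assumption: custom-scheme URI


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method. The verifier stays
    in the app until the token request; only the challenge goes with the authorization request."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The check the Authorization Server performs at the token endpoint: recompute
    the challenge from the verifier presented with the code and compare."""
    if method == "S256":
        expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(code_challenge: str, scopes: list, state: str,
                            nonce: str, max_age: Optional[int] = None) -> str:
    """Authorization Code request for a Native app. state ties the callback to this
    request, nonce is echoed in the ID token, and max_age is the per-request form of
    the Max Authentication Age setting (the server-side setting applies regardless)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # must be one of the registered Login Redirect URIs
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_logout_url(post_logout_redirect_uri: str, id_token_hint: Optional[str] = None) -> str:
    """RP-initiated logout. Either client_id or id_token_hint identifies the client;
    post_logout_redirect_uri must be one of the registered Logout Redirect URIs."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint is not None:
        params["id_token_hint"] = id_token_hint
    else:
        params["client_id"] = CLIENT_ID
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Flatten a URL's query string (single-valued) for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(challenge, ["openid", "email"], state="s1", nonce="n1"))
    print("token-endpoint PKCE check:", verify_pkce(verifier, challenge))
```

The app keeps the verifier and the state value for the lifetime of one authorization attempt, compares the state in the callback before it touches the code, and sends the verifier only in the token request; the secret-free design is what makes the flow safe for a public client.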

Select the Supported Scopes.

A scope is a group of claims required for a connection between Identity as a Service and the OIDC application. Scopes are requested by the client during an authorization request. You can select more than one scope.

Your unique identifier (corresponding to the OIDC openid scope, which carries the sub claim; selected by default). If disabled, no ID token is issued: the OIDC application only obtains an access token that can be used to access a resource server API on behalf of a user.

Address

Email address

Telephone number

Profile information

Note: Click the arrow next to each scope to see the list of Implied Claims included in the scope. The list of Implied Claims is defined by OpenID Connect and cannot be modified.

Every Implied Claim included in the scopes you select under Supported Scopes should have an associated Identity as a Service user attribute so that the attribute is returned as part of the OIDC tokens sent back to the client. For example, if you select Address as a Supported Scope, then you must define an Identity as a Service user attribute for each Implied Claim associated with Address. See Add a user attribute.
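A quick way to find the gaps the preceding paragraph warns about is to check the selected Supported Scopes against the claim-to-attribute mapping before saving. The following is an added example, not Entrust code: the implied-claim lists are the ones OpenID Connect Core 1.0 section 5.4 defines for the standard scopes, while the attribute mapping and user record are constructed sample data with assumed attribute names.

```python
# Scope -> Implied Claims, per OpenID Connect Core 1.0 section 5.4 (fixed by the spec).
IMPLIED_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample mapping (claim -> Identity as a Service user attribute name, assumed).
# 'address' is deliberately unmapped so that selecting the Address scope is flagged.
CLAIM_TO_ATTRIBUTE = {
    "sub": "userId",
    "email": "email", "email_verified": "emailVerified",
    "name": "displayName", "given_name": "firstName", "family_name": "lastName",
    "phone_number": "mobile",
}

# Constructed sample user record keyed by attribute name.
SAMPLE_USER = {
    "userId": "u-1001", "email": "alice@example.com", "emailVerified": True,
    "displayName": "Alice Example", "firstName": "Alice", "lastName": "Example",
    "mobile": "+15550100",
}


def missing_attribute_mappings(supported_scopes, claim_to_attribute):
    """Return {scope: [implied claims with no user attribute]} for the selected scopes.
    An empty dict means every Implied Claim can be populated."""
    missing = {}
    for scope in supported_scopes:
        claims = IMPLIED_CLAIMS.get(scope)
        if claims is None:
            missing[scope] = ["<not a standard OIDC scope>"]
            continue
        gaps = [c for c in claims if c not in claim_to_attribute]
        if gaps:
            missing[scope] = gaps
    return missing


def claims_for_request(requested_scopes, supported_scopes, claim_to_attribute, user):
    """Resolve the claims for one authorization request: only scopes that are both
    requested and supported are granted, and a claim is emitted only when its mapped
    attribute has a value. Returns (granted_scopes, claims)."""
    granted = [s for s in requested_scopes if s in supported_scopes]
    claims = {}
    for scope in granted:
        for claim in IMPLIED_CLAIMS.get(scope, []):
            attr = claim_to_attribute.get(claim)
            if attr is not None and user.get(attr) is not None:
                claims[claim] = user[attr]
    return granted, claims


if __name__ == "__main__":
    print("gaps:", missing_attribute_mappings(["openid", "email", "address"], CLAIM_TO_ATTRIBUTE))
    print(claims_for_request(["openid", "email"], ["openid", "email"], CLAIM_TO_ATTRIBUTE, SAMPLE_USER))
```

Run the first function over the scopes you intend to enable; each entry it returns is a user attribute that still has to be added under Add a user attribute, otherwise the corresponding claim will be silently absent from the tokens.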

Click Show Advanced Settings to configure advanced settings.

Select Enable Organizations and Domain-Based Identity Providers to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.

Note: When organizations are enabled, the corresponding OIDC claims must also be configured.

Enter the Default Resource/Audience Request Value to include this value as the resource or audience parameter for every authorization request.

Select Include authentication time with all ID tokens to include the auth_time claim in every ID token, not only when the client requested it with max_age.

From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.

Set the ID Token Timeout to the time (in minutes) that the ID token is valid before it expires.

From the User Info Signing Algorithm drop-down list, select the signing algorithm used to sign the user info data during authentication.

Click Save.

Note: After you save the General settings, the Claims, Customization and Resource Rule tabs appear.
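Several of the settings saved above only protect the user if the Native application checks the ID token it receives: the issuer, its own Client ID as the audience, exp (the ID Token Timeout), the configured ID Token Signing Algorithm, the nonce it sent, and auth_time against the Max Authentication Age. The following is an added example written for this page, not Entrust code. The issuer and Client ID are assumptions, the token is constructed sample data with a dummy signature, and signature verification is delegated to a caller-supplied function because the key comes from the selected OIDC Signing Certificate; the point shown is the order of checks, with the algorithm pinned before the verifier is called.

```python
import base64
import json
import time
from typing import Callable, Optional

ISSUER = "https://idaas.example.com"   # assumption: the iss value your tenant issues
CLIENT_ID = "0123456789abcdef"          # assumption: the Client ID from the General settings
DEMO_NOW = 1_700_000_000                # fixed clock for the constructed sample below


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Parse a compact JWS into (header, claims, signing_input, signature) without trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    return (json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)),
            (h + "." + p).encode("ascii"), _b64url_decode(s))


def validate_id_token(token: str, *, issuer: str, client_id: str, expected_alg: str,
                      verify_signature: Callable[[str, bytes, bytes], bool],
                      nonce: Optional[str] = None, max_age: Optional[int] = None,
                      now: Optional[int] = None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable for this client, else raise ValueError.
    The alg is pinned before the signature is checked so 'none' or a swapped algorithm
    never reaches the verifier."""
    now = int(time.time()) if now is None else now
    header, claims, signing_input, sig = split_jwt(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(expected_alg, signing_input, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        raise ValueError("issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if max_age is not None:
        if not isinstance(claims.get("auth_time"), int):
            raise ValueError("auth_time required when max_age is used")
        if now - claims["auth_time"] > max_age:
            raise ValueError("authentication too old; re-authenticate")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def make_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed, well-formed token with a dummy signature; real tokens are signed by IDaaS."""
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    return f"{h}.{p}.{_b64url(b'dummy-signature')}"


def accept_all(alg: str, signing_input: bytes, sig: bytes) -> bool:
    """Stand-in for real verification against the OIDC Signing Certificate's public key."""
    return True


GOOD_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-1001", "exp": DEMO_NOW + 600,
               "iat": DEMO_NOW, "nonce": "n1", "auth_time": DEMO_NOW - 120}   # constructed


def is_rejected(token: str, **overrides) -> bool:
    """True if validate_id_token raises for this token under the demo settings."""
    kw = dict(issuer=ISSUER, client_id=CLIENT_ID, expected_alg="RS256",
              verify_signature=accept_all, now=DEMO_NOW)
    kw.update(overrides)
    try:
        validate_id_token(token, **kw)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(validate_id_token(make_sample_token(GOOD_CLAIMS), issuer=ISSUER, client_id=CLIENT_ID,
                            expected_alg="RS256", verify_signature=accept_all,
                            nonce="n1", max_age=300, now=DEMO_NOW)["sub"])
    print("alg=none rejected:", is_rejected(make_sample_token(GOOD_CLAIMS, alg="none")))
```

In a real client, verify_signature resolves the key from the tenant's JWKS by kid and performs the RS256 (or whichever configured) verification; everything else in the function is plain claim comparison, and it is those comparisons, not the signature alone, that stop a token minted for a different client or a stale login from being accepted.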

Proceed to Step 2: Configure Claims.

Step 2: Configure Claims

Step 3: Configure Customizations

Step 4: Configure a resource rule

Step 5: Optionally, add a resource server