Integrate a generic OIDC and OAuth Web application

1.      Log in to an Identity as a Service account with a role assigned that allows you to configure applications on Identity as a Service.

2.      Click > Security > Applications. The Applications List page appears.

3.      Click Add. The Select an Application Template page appears.

4.      Do one of the following:

●       Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

●       In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

5.      Click Generic Web Application. The Add Generic Web Application page appears.

6.      Configure the following App Settings:

a.      Enter the Application Name.

b.       Enter the Application Description.

7.      Configure the OIDC Settings.

a.      Select the Grant Types Supported that your application uses to access OIDC authentication through Identity as a Service.

The grant type tells Identity as a Service what flow to use to return authentication/authorization responses and grant request responses. You can select more than one grant type.

Grant Types Supported options include:

–  Authorization CodeID Tokens, Access Tokens, and Refresh Tokens obtained by the client application from the Identity as a Service OpenID Provider are passed by reference. The client application communicates directly with Identity as a Service to obtain these  tokens. The supported response type is  Code.

–  Implicit ID Tokens and Access Tokens obtained by the client application from the Identity as a Service OpenID Provider are passed by value. The tokens are sent back directly to the application as part of the response to the authorization request. Supported request types are id_token and id_token token.

–  None (OIDC No Flow)This is typically used for OIDC test purposes. No OIDC tokens are sent back as part of the authorization request response.

–  JWT IDaaSAn authentication API-based grant type to obtain ID, Access, and Refresh Tokens. API calls are used to acquire these tokens.

–  Client CredentialsA client credentials grant request is used to obtain a server-to-server access token that can be used with Resource Server APIs.

–  Refresh TokenA refresh token grant request is used to obtain a new access token and refresh token for a valid refresh token.

b.      From the Authorization Code PKCE Code Challenge drop-down list, select the Proof Key for Code Exchange (PKCE) code challenge that must be used by clients to authenticate to the Authorization Server when an Authorization Code grant type is used.

c.      The Client ID is generated when you create the application on Identity as a Service. You cannot modify the Client ID.

d.      Select the Token / Revocation Endpoint Client Authentication Method from the drop-down list. When using the token or revocation endpoint, clients use this authentication method to authenticate to the Authorization Server.

e.      Copy the Client Secret value. You can then paste the Client Secret value into the required field of your client OIDC application account settings.

Note: You can define your own Client Secret value. However, Entrust recommends that you use the strong secret value provided. You can also optionally view or regenerate a new client secret.

f.        From the drop-down list, select the Subject ID Attribute that corresponds with the user attribute.

The Subject ID Attribute can be the user name or the Federation ID listed in the application account details on the OIDC application. This attribute links Identity as a Service to the client OIDC application account.

g.      Select the OIDC Signing Certificate used to connect to the Service Provider.

h.      Click Add to add a Login Redirect URI.

The  URI is the location a user is redirected to after being provided or denied access to the application. The value can be a URL, and you can add more than one value.

Note: The login redirect URI hostname is added as a valid CORS origin for OIDC processing.

i.        Click Add to add a Logout Redirect URI.

The URI is the location a user is redirected to after being logged out from a client application. The value can be a URL, and you can add more than one value. In order to be redirected back to the client application, the logout call by the client application must include the following parameters:

–  The client_id value (or alternatively id_token_hint value that identifies the client id in the aud claim of the supplied id_token).

–  The post_logout_redirect_uri value (or redirect_uri value) that is configured as one of the Logout Redirect URIs.

j.        Optional. Select The user will be prompted for consent during authentication to prompt users for consent during authentication.

k.      Optional. Enter a Consent Message to include a message to users when consent is requested.

l.        Optional. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to re-authenticate during a new login attempt. Leave this field blank to disable this feature.

8.      Select the Supported Scopes.

A scope is a group of claims required for a connection between Identity as a Service and the OIDC application. Scopes are requested by the client during an authorization request. You can select more than one scope.

●       Your unique identifier (selected by default). If disabled, the OIDC application is strictly using an access token that can be used to access a resource server API on behalf of a user.

●       Address

●       Email address

●       Telephone number

●       Profile information

 Note: Click the arrow next to each scope to see the list of Implied Claims included in the scope. The list of Implied Claims is defined by OpenID Connect and cannot be modified.

Every Implied Claim included in the scopes you select under Supported Scopes should have an associated Identity as a Service user attribute so that the attribute is returned as part of the OIDC tokens sent back to the client. For example, if you select Address as a Supported Scope, then you must define an Identity as a Service user attribute for each Implied Claim associated with Address. See Add a user attribute.

9.      Click Show Advanced Settings to configure advanced settings.

a.      Select Enable Organizations and Domain-Based Identity Providers to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.

Note: When organizations are enabled, the corresponding OIDC claims must also be configured.

a.      Enter the Default Resource/Audience Request Value to include this value as the resource or audience parameter for every authorization request.

b.      Select Include authentication time with all ID tokens to include the authentication time with all tokens.

c.      From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.

d.      Set the ID Token Timeout to the time (in minutes) that the ID token is valid before it expires.

e.      From the User Info Signing Algorithm drop-down list, select the signing algorithm used to sign the user info data during authentication.

f.        Set the User Info Access Token Timeout to the time (in minutes) that the access token is valid before it expires.

10.  Click Save.

Note: After configuring the General settings, Claims, Customization and Resource Rule tabs appear.

11.  Proceed to Step 2: Configure Claims.

1.      Click the Claims tab. The Claims page appears.

If required, add Supported Claims to map OIDC claims to Identity as a Service user attributes and related user information.

The supported claims define the claims that the client requests during an authorization request or claims that are returned automatically by IDaaS. A claim value can be derived based on a  user attribute, for example, <FirstName>. A claim value can also be derived based on a user related attribute, for example, [Groups]. The required claims depend on the OIDC application that you are configuring Identity as a Service.

The default claims are

●       email

●       family_name

●       given_name

●       name

●       phone_number

You can group claims, for example, the default claim, name, includes the user attribute First Name, a text-based value of a space and the user attribute value of Last Name so that the claim returned to the client is First Name <space> Last Name, for example Alice Gray.

2.      To add a claim:

a.      Ensure that you have already created the required User Attributes in Identity as a Service (see Create and manage user attributes).

a.      Click . The Add Claim dialog box appears.

b.       

c.      In the Claim Name field, do one of the following:

i)        Select the Claim Name from the drop-down list.

-OR-

ii)      Type a Claim Name to create a new custom claim.

d.      In the Enter the Claim value expected by the Service Provider field, enter the following, as required:

–  User Attribute Value—An Identity as a Service user attribute (see Create and manage user attributes).

–  Text-Based Value—A text-based value. For example, to add a space between two claims or add text information.

–  Related Value—Include user group or authenticator attributes. See Configure OIDC claim to include user authenticators or groups.

Example:  some text <first Name> <Last Name> [Groups]

e.      Select Always Return with User Info to always return the user information with the claim.

f.        Select Always Return with ID Token to always return the ID Token with the claim.

g.      Click Add.

Note: If required, click next to the claim and make the required changes. Click to delete a claim.

3.      Click Save.

4.      Proceed to Step 3: Configure Customizations.

1.      Click the Customization tab. The Customization page appears.

2.      Deselect Enable Go Back Button if you do not want users to be able to go back to the application login page to log in.

3.      Optional: Select Respond Immediately for Unsuccessful Responses to return to the application immediately after a login failure, rather than allow user to try again with a different userID.

4.      Optional: Deselect Show Login Redirect URL in My Profile to hide the application from a user's profile.

5.      Optional. Add a custom application logo, as follows:

a.      Click next to Application Logo. The Upload Logo dialog box appears.

b.      Click to select an image file to upload.

c.      Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.

d.      If required, resize your image.

e.      Click OK.

6.      Select the Authentication Flow that appears to users during login. You must select at least one. For more information on Passkey log in, see Manage Passkey/FIDO2 authenticators.

7.      Click Save.

8.      Proceed to Step 4: Configure a resource rule.