
Integrate a generic OIDC and OAuth Embedded application

You can configure an OpenID Connect (OIDC) IDaaS JWT Grant application type by integrating a generic OIDC and OAuth Embedded application with Identity as a Service. A Generic Embedded application provides a custom, self-hosted login interface that authenticates users within the application itself, while still relying on Identity as a Service, as the OpenID Connect provider, to issue standards-compliant tokens.

Before you begin, complete the following:

Identify the user attributes that Identity as a Service must hold, and return as claims, to establish a connection between Identity as a Service and the OIDC application.

Configure the account settings of your application to accept authentication attempts from your Identity as a Service account. 

Step 1: Add a generic Embedded application and configure the General settings

Log in to an Identity as a Service account with a role assigned that allows you to configure applications on Identity as a Service.

Click > Security > Applications. The Applications List page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select OpenID Connect and OAuth Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search term to filter for the application you want to add to IDaaS.

Click Generic Embedded Application. The Add Generic Embedded Application page appears.

Configure the following App Settings:

Enter the Application Name.

Enter the Application Description.

Configure the OIDC Settings.

The Client ID is generated when you create the application on Identity as a Service. You cannot modify the Client ID.

Select the Token / Revocation Endpoint Client Authentication Method from the drop-down list. This is how the application proves its own identity to the Authorization Server (Identity as a Service) when it calls the token or revocation endpoint.

Optional. Enter the Max Authentication Age (seconds) to set the maximum time that may elapse since the user last authenticated before a new login attempt requires re-authentication. Leave this field blank to disable this feature.

Select the OIDC Signing Certificate whose key signs the tokens that Identity as a Service issues to the application.

Click Add to add the Allowed Origins (scheme, host and port) from which the application's browser-side code may send requests to the Authorization Server. Requests from any other origin are rejected.

The Supported Grant Type is selected by default.

Optional. Select the PKCE Code Challenge Method that clients use with the JWT grant. PKCE binds the authorization code to the client that requested it; it complements, and does not replace, the client authentication method selected above.

Select the Subject ID Attribute that is included in the ID token and access token to identify the authenticated user.

Select the Supported Scopes.

A scope is a group of claims required for a connection between Identity as a Service and the OIDC application. Scopes are requested by the client during an authorization request. You can select more than one scope.

Your unique identifier (the openid scope; selected by default). If disabled, no ID token is issued and the OIDC application uses only an access token, which can be presented to a resource server API on behalf of a user.

Address

Email address

Telephone number

Profile information

 Note: Click the arrow next to each scope to see the list of Implied Claims included in the scope. The list of Implied Claims is defined by OpenID Connect and cannot be modified.

Every Implied Claim included in the scopes you select under Supported Scopes should have an associated Identity as a Service user attribute so that the attribute is returned as part of the OIDC tokens sent back to the client. For example, if you select Address as a Supported Scope, then you must define an Identity as a Service user attribute for each Implied Claim associated with Address. See Add a user attribute.

Click Show Advanced Settings to configure advanced settings.

Select Enable Organizations to allow organization information to be returned in OIDC claim values when users log in. When enabled, if users are associated with more than one organization and an organization has not been requested, users can select their organizations after they authenticate to their application.

Note: When organizations are enabled, the corresponding OIDC claims must also be configured.

Enter the Default Resource/Audience Request Value to include this value as the resource or audience parameter for every authorization request.

Select Include Authentication Time to include the authentication time with all tokens.

From the ID Token Signing Algorithm drop-down list, select the signing algorithm that is used to sign the ID tokens during authentication.

Set the ID Token Timeout to the length of time (in minutes) that the ID token is valid before it expires and a user must reauthenticate or use a refresh token to obtain a new ID token.

From the UserInfo Signing Algorithm drop-down list, select the signing algorithm used to sign the user info data during authentication.


Set the UserInfo Access Token Timeout to the length of time (in minutes) that the access token is valid to retrieve user information before it expires and a user must reauthenticate or use a refresh token to obtain a new access token.

Click Save.

Note: After you save the General settings, the Claims, Resource Rules, and Resource Servers tabs appear.
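The settings above define what the embedded application must check when it receives tokens: the Client ID is the expected audience, the ID Token Signing Algorithm is the only algorithm the client should accept, ID Token Timeout drives the exp claim, and Max Authentication Age together with Include Authentication Time drives the auth_time check. The following is an added example of those client-side checks plus the PKCE code challenge derivation; it is not IDaaS product code. The issuer URL, Client ID and HMAC secret are made-up values so that the example runs offline; Identity as a Service signs ID tokens with the selected OIDC Signing Certificate (an asymmetric algorithm), so a real client verifies the signature with the provider's published public keys rather than a shared secret.

```python
"""Client-side counterparts of the Step 1 OIDC settings (added example, not IDaaS code).

Assumptions: ISSUER, CLIENT_ID and SHARED_SECRET are made-up demo values, and
HS256 stands in for the asymmetric algorithm a real deployment would use.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

ISSUER = "https://idaas.example.com"   # assumed issuer value
CLIENT_ID = "example-client-id"        # assumed Client ID generated by IDaaS
EXPECTED_ALG = "HS256"                 # pin to the configured ID Token Signing Algorithm
SHARED_SECRET = b"demo-only-secret"    # assumption: symmetric key for the offline demo


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> Tuple[str, str]:
    """code_verifier kept by the client and the S256 code_challenge sent in the
    authorization request (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the authorization code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def sign_id_token(claims: dict) -> str:
    """Constructed ID token for the demo (HS256, see module docstring)."""
    header = b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, *, nonce: str, max_age: Optional[int],
                      now: Optional[int] = None) -> dict:
    """Checks the application must pass before trusting an ID token: pinned
    algorithm and valid signature, issuer, audience (the Client ID), expiry
    (ID Token Timeout), nonce and, when Max Authentication Age is configured,
    that auth_time (Include Authentication Time) is recent enough."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != EXPECTED_ALG:       # never let the token pick the algorithm ("none")
        raise ValueError("unexpected signing algorithm %r" % header.get("alg"))
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if max_age is not None:
        if "auth_time" not in claims:
            raise ValueError("auth_time claim required when max_age is requested")
        if now - int(claims["auth_time"]) > max_age:
            raise ValueError("authentication too old; user must re-authenticate")
    return claims


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("PKCE ok:", verify_pkce(verifier, challenge))
    now = int(time.time())
    token = sign_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                           "iat": now, "exp": now + 600, "auth_time": now - 30,
                           "nonce": "n-1"})
    print("sub:", validate_id_token(token, nonce="n-1", max_age=300)["sub"])
```

The algorithm is pinned before the signature is checked so that a token presenting a different alg header is rejected outright, and auth_time is required whenever a Max Authentication Age was requested, because a missing claim would otherwise silently skip the re-authentication check.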

Proceed to Step 2: Configure Claims.

Step 2: Configure Claims

Click the Claims tab. The Claims page appears.

If required, add Supported Claims to map OIDC claims to Identity as a Service user attributes and related user information.

The supported claims define the claims that the client requests during an authorization request, or that IDaaS returns automatically. A claim value can be derived from a user attribute, for example <FirstName>, or from a user-related attribute, for example [Groups]. The required claims depend on the OIDC application that you are configuring with Identity as a Service.

The default claims are:

email

family_name

given_name

name

phone_number

You can combine values in one claim. For example, the default claim name is built from the user attribute First Name, a text-based value of a space and the user attribute Last Name, so that the claim returned to the client is First Name <space> Last Name, for example Alice Gray.

To add a claim:

Ensure that you have already created the required User Attributes in Identity as a Service (see Create and manage user attributes).

Click the add icon. The Add Claim dialog box appears.

In the Claim Name field, do one of the following:

Select the Claim Name from the drop-down list.

- or -

Type a Claim Name to create a new custom claim.

In the Enter the Claim value expected by the Service Provider field, enter the following, as required:

User Attribute Value—An Identity as a Service user attribute (see Create and manage user attributes).

Text-Based Value—A literal text value, for example a space between two attribute values, or fixed text.

Related Value—Include user group or authenticator attributes. See Configure OIDC claim to include user authenticators or groups.

Example: some text <First Name> <Last Name> [Groups]

Select Always Return with User Info to always include the claim in the UserInfo response, whether or not its scope was requested.

Select Always Return with ID Token to always include the claim in the ID token, whether or not its scope was requested.

Click Add.

Note: If required, click the edit icon next to the claim and make the required changes, or click the delete icon to delete the claim.

Click Save.
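The scope and claim configuration in Step 1 and Step 2 is easiest to reason about as data: each Supported Scope implies a fixed list of claims (defined by OpenID Connect Core, which is why the list cannot be edited), every implied claim needs a claim definition backed by a user attribute, and each claim value is a template that mixes <User Attribute> references, [Related Value] references and literal text. The following added example models exactly that; it is not IDaaS code. The sample user, its groups and the claim definitions are constructed, the implied-claim table is taken from OpenID Connect Core 1.0 section 5.4, and the way the two Always Return flags interact with requested scopes is an assumption of this example: claims of a requested scope are returned from UserInfo, and the flags force inclusion in the ID token or UserInfo regardless of scope.

```python
"""Scope -> implied claims, claim-value templates and a mapping completeness check.

Added example, not IDaaS code. SAMPLE_USER and SAMPLE_CLAIMS are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Implied claims per scope, as defined by OpenID Connect Core 1.0 section 5.4.
SCOPE_CLAIMS: Dict[str, List[str]] = {
    "openid": ["sub"],
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# <User Attribute> or [Related Value]; anything else in a template is literal text.
TOKEN_RE = re.compile(r"<([^<>]+)>|\[([^\[\]]+)\]")

# Constructed sample user: attribute values plus the related values a template may reference.
SAMPLE_USER = {
    "attributes": {"First Name": "Alice", "Last Name": "Gray",
                   "Email": "alice.gray@example.com", "Mobile": "+1 555 0100"},
    "related": {"Groups": ["Finance", "Auditors"]},
}

# Constructed claim definitions in the shape of the Add Claim dialog:
# name -> (value template, Always Return with User Info, Always Return with ID Token)
SAMPLE_CLAIMS: Dict[str, Tuple[str, bool, bool]] = {
    "name": ("<First Name> <Last Name>", False, True),
    "given_name": ("<First Name>", False, False),
    "family_name": ("<Last Name>", False, False),
    "email": ("<Email>", True, False),
    "phone_number": ("<Mobile>", False, False),
    "groups": ("[Groups]", True, True),
}


def render_claim(template: str, user: dict):
    """Substitute attribute and related-value references in a claim template.
    A bare [Related Value] keeps its native type (e.g. a list of groups); inside
    text, lists are joined with commas. Returns None when a referenced attribute
    is missing, so the claim is omitted instead of emitted as a partial string."""
    stripped = template.strip()
    whole = TOKEN_RE.fullmatch(stripped)
    if whole and whole.group(2) is not None:
        return user["related"].get(whole.group(2))
    missing = False

    def substitute(match):
        nonlocal missing
        if match.group(1) is not None:
            value = user["attributes"].get(match.group(1))
        else:
            value = user["related"].get(match.group(2))
        if value is None:
            missing = True
            return ""
        return ",".join(value) if isinstance(value, list) else str(value)

    rendered = TOKEN_RE.sub(substitute, stripped)
    return None if missing else rendered


def claim_scope(name: str) -> Optional[str]:
    """Standard scope that implies this claim, or None for a custom claim."""
    for scope, claims in SCOPE_CLAIMS.items():
        if name in claims:
            return scope
    return None


def unmapped_claims(supported_scopes: List[str], claim_defs: dict) -> List[str]:
    """Implied claims of the selected Supported Scopes that have no claim definition.
    'sub' is excluded because the Subject ID Attribute setting supplies it."""
    return sorted(c for s in supported_scopes for c in SCOPE_CLAIMS[s]
                  if c != "sub" and c not in claim_defs)


def build_token_claims(claim_defs: dict, user: dict, requested_scopes: List[str]):
    """Split rendered claims into the ID token and UserInfo sets (assumed flag semantics,
    see the lead-in): requested-scope claims go to UserInfo; the flags force inclusion."""
    id_token, userinfo = {}, {}
    for name, (template, always_userinfo, always_id_token) in claim_defs.items():
        value = render_claim(template, user)
        if value is None:
            continue
        if claim_scope(name) in requested_scopes or always_userinfo:
            userinfo[name] = value
        if always_id_token:
            id_token[name] = value
    return id_token, userinfo


if __name__ == "__main__":
    print("unmapped:", unmapped_claims(["openid", "email", "phone"], SAMPLE_CLAIMS))
    print(build_token_claims(SAMPLE_CLAIMS, SAMPLE_USER, ["openid", "email"]))
```

Running unmapped_claims with openid, email and phone selected shows the gap the note in Step 1 warns about: email_verified and phone_number_verified are implied by those scopes but are not among the default claims, so they need a claim definition before the application can expect them in a token.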

Proceed to Step 3: Configure a resource rule.

Step 3: Configure a resource rule

See Create and manage resource rules.

Step 4: Optionally, add a resource server

Click the Resource Servers tab.

Click Add Resource Server.

Follow the instructions in Add an API/URL resource server.