17.7.3.2. Airlock IAM as OIDC client configuration

The instructions in this chapter apply to the Loginapp REST API only.

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.
  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.
  • The credentials for the connection to the remote authorization server must be available.

Basic Settings

  1. Go to and, if necessary, create:
     Loginapp > OAuth 2.0/OIDC Clients > OIDC Flow Client
  2. Provider identifier must hold the identifier of the remote authorization server.
  3. Client ID holds the identifier which Airlock IAM uses as a client at the remote authorization server.
  4. Client Secret is a string generated by the remote authorization server during registration of Airlock IAM as a client. This string is used like a password and must be kept confidential accordingly.
  • Airlock IAM can successfully connect to the OIDC REST endpoints of the remote authorization server.

To retain existing account links when migrating from the JSP-Loginapp to the Login REST UI, the OAuth 2.0 or OIDC client settings of the new client can be configured with the identical Provider Identifier.

It is important that the OAuth 2.0 or OIDC client settings of both providers are configured identically, so that all account links connect to the same remote authorization server for authentication.

Authorization Request

  1. Authorization Endpoint URL must hold the URL of the authorize endpoint of the remote authorization server. If the remote authorization server supports the metadata endpoint, this URL is published there.
  2. Claims to Request configures a list of claims that the remote authorization server should supply. The remote authorization server may omit claims that are not marked essential. If the remote authorization server cannot supply all essential claims, the authorization code flow fails.
  3. ACR Values Claim configures the Authentication Context Class Reference (ACR) values requested from the external authorization server. Requesting an ACR alone does not enforce it: configure validators (see Validate ACR Claim under ID Token) to ensure that the requested ACR has actually been met.
  4. Include Nonce configures whether a nonce is sent in the authorization request and expected back in the ID token (OIDC replay attack mitigation). It is recommended to enable this option.
  5. Include Language Parameter configures whether the client takes the language parameter from the browser and propagates it to the remote authorization server.
  6. Max Authentication Age configures the maximum age of the user's authentication at the remote authorization server (the max_age request parameter).
  7. Send Prompt Parameter configures whether user interaction at the remote authorization server is mandatory, optional or prohibited (the prompt request parameter).
  8. Scope To Request contains the list of all scopes the remote authorization server should supply.
  9. Client Redirect URI is the URI to which the remote authorization server redirects the browser after successful authentication of the user to deliver the authorization code. It must match a redirect URI registered for the client at the remote authorization server. Choose a plugin from the following table:

     Plugin: OAuth 2.0 REST UI Client Redirect URI
       This is the default setting. It contains the external base URL of IAM as it must be used by the remote authorization server. IAM completes the base URL with the correct path for the client.
     Plugin: OAuth 2.0 Custom Client Endpoint Redirect URI
       Use this setting to hardcode an absolute URL to be used by the remote authorization server.
     Plugin: OAuth 2.0 Legacy Client Endpoint Redirect URI
       Use this setting for backward compatibility if the remote authorization server configuration cannot be changed. It contains the external base URL of IAM as it must be used by the remote authorization server; IAM completes the base URL with the correct legacy path for the client. This plugin requires that the Legacy Client Endpoint setting in the OAuth 2.0/OIDC Client plugin is configured.
     Plugin: OAuth 2.0 No Redirect URI
       Use this plugin if the remote authorization server should default to the already registered redirect URI.

  • Airlock IAM can successfully start the authorize call and receive an authorization code.

Access Token Request

  1. HTTP Client must hold an HTTP Client Config plugin that configures the HTTP connection to the remote authorization server.
  2. Token Endpoint Authentication contains the method by which IAM, as a client, authenticates to the remote authorization server. The following methods are supported:

     Plugin: OAuth 2.0 Basic Auth Client Secret
       HTTP Basic authentication is used to supply the client credentials.
     Plugin: OAuth 2.0 Header Client Secret
       Use this method if the remote authorization server requires a special header or format for the credentials.
     Plugin: OAuth 2.0 No Client Secret Authentication
       This omits client authentication at the token endpoint. Use it only if Airlock IAM is registered as a public client at the remote authorization server; a confidential client must authenticate.
     Plugin: OAuth 2.0 Parameter Client Secret
       Use this method if the remote authorization server requires the credentials to be supplied as request parameters.

  3. Token Endpoint URL configures the token endpoint of the remote authorization server, where the authorization code is presented and access and refresh tokens are obtained.
  4. Access Token Request Method defines how the request for access and refresh tokens is sent to the remote authorization server.
  • Airlock IAM can request access and refresh tokens from the remote authorization server.

ID Token

  1. Signature Validator configures the plugin used to validate the signature of the ID token. An ID token whose signature cannot be verified must never be used to establish a session.
  2. Custom Issuer Claim: configure this option if the external authorization server does not follow the standard for the issuer (iss) claim.
  3. Audience Claim Validation Method configures how the audience (aud) claim is validated against the Client ID.
  4. Custom Audience Claim: configure this option if the external authorization server does not follow the standard for the audience claim.
  5. Validate ACR Claim configures whether the acr claim in the ID token is validated against the requested ACR values.
  6. Additional Claim Validators: optionally configure further validators for claims.
  • Airlock IAM can successfully validate the claims contained in the ID token.
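The following is an added example and not Airlock IAM code or configuration. It shows, in Python with only the standard library, what the Authorization Request settings and the ID Token checks above amount to on the wire: the request carries nonce, acr_values, max_age, prompt, scope and redirect_uri, and the returned ID token is accepted only if signature, iss, aud, exp, nonce, acr and auth_time all check out. The client values, the endpoints, the ACR value urn:example:mfa and the signing method (HS256 with the client secret as key, which OIDC Core permits for symmetric keys; real deployments normally use RS256 keys from the provider's JWKS) are assumptions made so that the example runs offline.

```python
"""Added example (not Airlock IAM code): OIDC authorization request and ID token checks."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Hypothetical client configuration, mirroring the settings named on this page.
CLIENT = {
    "client_id": "airlock-iam",                                    # Client ID
    "client_secret": "s3cr3t-from-registration",                   # Client Secret (constructed)
    "issuer": "https://as.example.test",                           # expected iss claim
    "authorization_endpoint": "https://as.example.test/authorize", # Authorization Endpoint URL
    "redirect_uri": "https://iam.example.test/auth/rest/oauth2/client",  # Client Redirect URI (assumed)
    "scope": ["openid", "profile"],                                # Scope To Request
    "acr_values": ["urn:example:mfa"],                             # ACR Values Claim (constructed value)
    "max_age": 300,                                                # Max Authentication Age, seconds
    "prompt": "login",                                             # Send Prompt Parameter
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorization_request(cfg, state, nonce):
    """Authorization request URL with the parameters the settings above control."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": " ".join(cfg["scope"]),
        "state": state,                      # binds the response to the browser session
        "nonce": nonce,                      # Include Nonce: must come back in the ID token
        "acr_values": " ".join(cfg["acr_values"]),
        "max_age": str(cfg["max_age"]),
        "prompt": cfg["prompt"],
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)

def hs256_sign(claims, key: str) -> str:
    """Mint an HS256 ID token; stands in for the remote authorization server in the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, cfg, expected_nonce, now=None):
    """Return the validated claims or raise ValueError. Signature first, then claims."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept alg=none
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(cfg["client_secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # Signature Validator
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != cfg["issuer"]:                       # issuer claim
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if cfg["client_id"] not in aud:                               # Audience Claim Validation
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != cfg["client_id"]:    # multiple audiences need azp
        raise ValueError("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:                    # Include Nonce: replay protection
        raise ValueError("nonce mismatch")
    if cfg["acr_values"] and claims.get("acr") not in cfg["acr_values"]:  # Validate ACR Claim
        raise ValueError("requested ACR not met")
    if cfg["max_age"] is not None:                               # Max Authentication Age
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > cfg["max_age"]:
            raise ValueError("authentication too old or auth_time missing")
    return claims

def demo(now=1_700_000_000):
    """Constructed happy path plus a replay; returns (subject, replay_rejected)."""
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_request(CLIENT, state, nonce)
    assert "nonce=" + nonce in url
    good = hs256_sign({"iss": CLIENT["issuer"], "sub": "alice", "aud": CLIENT["client_id"],
                       "exp": now + 60, "iat": now, "auth_time": now - 10,
                       "nonce": nonce, "acr": "urn:example:mfa"}, CLIENT["client_secret"])
    sub = validate_id_token(good, CLIENT, nonce, now)["sub"]
    try:                                      # same token replayed against a fresh session nonce
        validate_id_token(good, CLIENT, secrets.token_urlsafe(16), now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return sub, replay_rejected

if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled token cannot steer the validator through its header. The replay in demo() fails on the nonce check alone, which is why the page recommends enabling Include Nonce.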

Resource Mappings

  1. ID Token Resources defines how the claims from the ID token are processed:

     Plugin: OAuth 2.0 Remote Username Resource
       Must be defined exactly once. Defines which attribute of the remote authorization server is used to identify the local user.
     Plugin: OAuth 2.0 Remote Context Data Resource
       May be defined zero or more times. Matches an attribute from the remote authorization server to the configured local context data item. Optionally allows the string to be transformed.
     Plugin: OAuth 2.0 Remote User Role Resource
       May be defined zero or more times. Matches an attribute from the remote authorization server to the local roles. If multiple plugins are configured, all the retrieved attributes are merged into the local roles.

  2. Resource Requests is optional. It defines how additional resource endpoints (e.g. the Userinfo endpoint) are queried to retrieve additional claims.
  3. If Resource Requests are required, go to:
     OAuth 2.0 SSO Resource Request plugin
  4. Resource URL defines the URL of the remote server to which the resource request is sent. This is often the remote authorization server.
  5. Contained Resources defines how attributes retrieved from the remote server are interpreted:

     Plugin: OAuth 2.0 Remote Username Resource
       May be defined at most once. Make sure there is no double configuration with the username from the ID token.
       Defines which attribute of the remote authorization server is used to identify the local user.
     Plugin: OAuth 2.0 Remote Context Data Resource
       May be defined zero or more times. Matches an attribute from the remote authorization server to the configured local context data item. Optionally allows the string to be transformed.
     Plugin: OAuth 2.0 Remote User Role Resource
       May be defined zero or more times. Matches an attribute from the remote authorization server to the local roles. If multiple plugins are configured, all the retrieved attributes are merged into the local roles.

  6. Request Method defines whether a GET or POST request is used.
  7. Access Token Config defines whether the access token is sent as a header or as a parameter to the remote server.
  • Airlock IAM can successfully map all attributes retrieved from the ID token or from the remote server to the local user, roles and context data items.
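The following is an added example and not Airlock IAM code: it shows in Python how the three resource mapping plugins described above combine claims from the ID token and from a resource request (such as Userinfo) into a local user, roles and context data, and enforces the two rules the page states: the username resource is configured exactly once across all sources, and role attributes from several plugins are merged. The claim names, the transform (lower-casing the e-mail address) and the sample claims are constructed for illustration. The check that the Userinfo sub matches the ID token sub is an OIDC Core requirement added here, not a setting the page describes.

```python
"""Added example (not Airlock IAM code): claim-to-local-identity mapping as described on this page."""

# Mapping configuration in the shape the page describes: one plugin list per source.
# Plugin types: "username" (Remote Username Resource), "context" (Remote Context Data Resource),
# "role" (Remote User Role Resource). All claim names and targets are illustrative.
MAPPING = {
    "id_token": [
        {"type": "username", "claim": "sub"},
        {"type": "role", "claim": "groups"},
    ],
    "userinfo": [
        {"type": "context", "claim": "email", "target": "mail", "transform": str.lower},
        {"type": "context", "claim": "department", "target": "dept"},
        {"type": "role", "claim": "entitlements"},
    ],
}

def check_mapping(mapping):
    """Exactly one username resource across all sources ('must be defined exactly once',
    'no double configuration with the username from the ID token'); raise otherwise."""
    n = sum(1 for plugins in mapping.values() for p in plugins if p["type"] == "username")
    if n != 1:
        raise ValueError(f"username resource must be configured exactly once, found {n}")
    return True

def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def map_resources(mapping, claims_by_source):
    """claims_by_source: {"id_token": {...}, "userinfo": {...}}. Returns the local identity."""
    check_mapping(mapping)
    id_claims = claims_by_source.get("id_token", {})
    userinfo = claims_by_source.get("userinfo")
    # OIDC Core 5.3.2: the Userinfo sub must equal the ID token sub, otherwise discard it.
    if userinfo is not None and userinfo.get("sub") != id_claims.get("sub"):
        raise ValueError("userinfo sub does not match ID token sub")
    identity = {"username": None, "roles": [], "context": {}}
    for source, plugins in mapping.items():
        claims = claims_by_source.get(source, {})
        for p in plugins:
            value = claims.get(p["claim"])
            if p["type"] == "username":
                if not isinstance(value, str) or not value:
                    raise ValueError(f"username claim {p['claim']!r} missing in {source}")
                identity["username"] = value
            elif p["type"] == "context":
                if value is not None:
                    transform = p.get("transform") or (lambda x: x)
                    identity["context"][p["target"]] = transform(value)
            elif p["type"] == "role":
                # several role plugins: all retrieved attributes merged, duplicates dropped
                for role in _as_list(value):
                    if role not in identity["roles"]:
                        identity["roles"].append(role)
            else:
                raise ValueError(f"unknown resource plugin type {p['type']!r}")
    return identity

# Constructed sample claims: ID token from the token endpoint, Userinfo from a resource request.
SAMPLE = {
    "id_token": {"iss": "https://as.example.test", "sub": "alice", "groups": ["staff", "finance"]},
    "userinfo": {"sub": "alice", "email": "Alice@Example.test", "department": "FIN",
                 "entitlements": ["finance", "approver"]},
}

if __name__ == "__main__":
    print(map_resources(MAPPING, SAMPLE))
```

Running check_mapping() at configuration time rather than per login is the point of the "exactly once" rule: a second username resource would let whichever source is processed last decide which local account the remote user is linked to.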

Logout

  1. End Session Endpoint provides support for RP-initiated logout. Configure the End Session Endpoint of the remote authorization server.
  2. Post Logout Redirect URL is the URL provided to the external authorization server to which the user agent is redirected after the logout has been performed. Choose the appropriate option:

     Plugin: OAuth 2.0 Post Logout Redirect Base URL
       Define a post logout URL.
     Plugin: OpenID No Post Logout Redirect URL
       Use this plugin if the remote authorization server handles the user agent redirect.

  • Airlock IAM can handle logout interactions with the remote authorization server.