Configuration of Airlock IAM

  • Open the Config Editor
    • Make sure that the demo configuration of Airlock IAM is loaded and active

Instead of the "OpenID Connect Client Settings" plugin, the "OpenID Connect Discovery Client Settings" plugin can be used.

The discovery plugin fetches part of the configuration from the provider's discovery document, so fewer properties have to be configured by hand.

  • Go to: Loginapp >> OAuth 2.0/OIDC Client (create if missing)
    • Add new "OpenID Connect Client Settings" plugin to the client settings list
      • Set "swissId" as "Provider Identifier"
      • Set "Client ID" and "Client Secret" to the obtained values.
      • Set the "External Medusa URL" property to "<URL of Loginapp>" (e.g.: "https://iam-url.domain/auth-login"). This must match one of the registered redirect URIs.
      • Set "Authorization Endpoint URL" property to "https://login.int.swissid.ch:443/idp/oauth2/authorize" (be aware that for production the host part of the URL is login.swissid.ch)
      • Add "openid", "profile" and "email" to the "Scopes To Request" property list
      • Set "Token Endpoint URL" property to "https://login.int.swissid.ch:443/idp/oauth2/access_token"
      • Add a new "Http Client Config" to the "Http Client" property
      • Set "Token Endpoint Authentication" to the corresponding obtained "Token Endpoint Authentication Method".
      • Add the "Signature Validator" that corresponds to the obtained "ID Token Signing Algorithm".
        • For example RS256: "OpenID Connect RS256 Signature Validator"
          • Set "Remote Key Location" property to "https://login.int.swissid.ch:443/idp/oauth2/connect/jwk_uri"
          • Set "Http Client" to the previously added plugin
      • Add a new "OAuth 2.0 Remote Username Resource" plugin to the "ID Token Resources" property list
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "email" (or "sub")
      • Add a new "OAuth 2.0 Remote Context Data Resource" plugin to the "ID Token Resources" property list
        • Set "Local Context Data Key" property to "givenname"
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "given_name"
      • Add a new "OAuth 2.0 Remote Context Data Resource" plugin to the "ID Token Resources" property list
        • Set "Local Context Data Key" property to "surname"
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "family_name"
      • Add a new "OAuth 2.0 Remote Context Data Resource" plugin to the "ID Token Resources" property list
        • Set "Local Context Data Key" property to "email"
        • Add a new "OAuth 2.0 Simple Resource Selector" plugin as the "Resource Selector" property
          • Set the "Key" property to "email"
      • Add a "Lookup and Accept Authenticator" as "Additional Authenticator"

  • Set the Login Page Type property to OAuth 2.0 SSO (in Loginapp >> Authentication Settings)
  • Activate Configuration
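As an added illustration of what the RS256 Signature Validator and the ID Token Resources configured above do with an ID token (example code written for this page, not Airlock IAM's own implementation): it verifies the token's signature against a JWKS document like the one served at the Remote Key Location, enforces iss, aud, exp and nonce, and maps the claims to the local context data keys from the steps above. It assumes the JWKS has already been fetched into a dict and uses only the standard library so that every check is visible; the issuer and client id are values you supply from your own registration, and a production validator should rely on a vetted JOSE library rather than this hand-written PKCS#1 comparison.

```python
import base64
import hashlib
import json
import time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256 over the JWK's public n and e: what the RS256 validator checks."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    """Run the validator's checks, then map claims to the Local Context Data Keys configured above."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # also refuses alg=none and HMAC downgrades
        raise ValueError("alg must be RS256")
    # Pick the signing key by kid from the JWKS document served at the Remote Key Location.
    keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if not keys or not rs256_verify(keys[0], f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # a string, or a list that must contain this client_id
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")
    if (time.time() if now is None else now) >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    # "username" follows the page's "email" selector key; "sub" is the stable subject identifier if you select it instead.
    return {"username": claims.get("email"), "sub": claims.get("sub"), "givenname": claims.get("given_name"),
            "surname": claims.get("family_name"), "email": claims.get("email")}
```

Claims are only returned once every check has passed, so a token with the wrong alg, an unknown kid, a tampered payload, a foreign audience or a stale nonce never reaches the username or context-data mapping.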