OpenID Connect
- Applies to:
- MindTouch (current)
- Role required:
- Admin
In addition to the benefits of SSO, OpenID Connect provides advanced privacy configurations making it an ideal choice for an organization's customers to access applications that present a customer or consumer experience, such as an Expert site.
This solution is custom-configured for each client by MindTouch Professional Services. Elements and labels may differ from what is documented.
Terminology
- Open Authorization (OAuth 2.0) is a standard for token-based authentication and authorization which allows an end user's account information to be used by third-party services. OAuth 2.0 is the foundational technology for OpenID Connect.
- OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user.
- An identity provider (IdP) is a service for creating, managing and storing a user‘s authentication credentials (username, password, group assignments, roles, etc.)
- The relying party (RP) is the application the user wants to authenticate with OpenID Connect (for example, Expert).
- An authorization code flow is a Expert supported OpenID Connect authentication flow that allows a user to approve the user identity data that will be sent to Expert.
- An implicit flow is a Expert unsupported OpenID Connect authentication flow that exposes access tokens directly to a user’s web browser.
Why Is OpenID Connect Recommended for Authentication?
- Security: OpenID Connect provides a single point of authentication for users at a secure IdP. User credentials are never transferred between Expert and the IdP, minimizing potential breach points.
- Privacy: Users can view and consent to what identity information is being transferred from an IdP to the application. Users can also be presented with privacy policies or terms of service agreements, before agreeing to sign in to an application.
- Platform neutrality: The OpenID Connect protocol interoperates with any system independent of implementation, reducing interoperability issues associated with vendor-specific approaches.
- Reduced administrative costs: The burden of authenticating users across multiple applications is transferred to the IdP with a single act of authentication, reducing the account management costs.
Risk transference: OpenID Connect can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.
Prerequisites
- A valid TLS/SSL certificate installed on your Expert site
- Administrative access to your identity provider (IdP)
- Working knowledge of Supported OpenID Connect flows
OpenID Connect sessions cannot occur behind existing VPN or IP-restrictions, if enabled for your Expert site.
Collect Information From Your Identity Provider
To configure a basic OpenID Connect integration, you will need the following information from your IdP:
- Additional (Custom) Claims (optional): Any custom identity token claims to save with the user's profile on the Expert site.
- Client ID (required): The unique identifier for the Expert site as an RP.
- Client Secret (required): The secret passcode to establish trust between the IdP and the Expert site (this secret should not be shared over any public channel).
- IdP Authorize Endpoint URL (required): The endpoint that will receive the Expert site's authorization code request.
- IdP Issuer (required): The unique identifier for the identity provider.
- IdP JSON Web Key Set (JWKS) Endpoint URL (recommended): The endpoint that will provide the Expert site with public keys to verify a signed identity token. If not supplied, a JWKS document (containing a key, key type, and verification algorithm) can be provided. However, JWKS security best practice recommends rotating keys regularly.
- IdP Logout Endpoint URL (recommended): The endpoint that will receive the Expert site's sign out request.
- IdP Token Endpoint URL (required): The endpoint that will receive the Expert site's identity token request.
- IdP Token Endpoint URL Authentication Method (optional): The authentication method the RP will use to connect to the token endpoint URL.
- IdP UserInfo Endpoint URL (recommended): The endpoint that will provide the Expert site with verbose user identity data, if not present in the identity token.
- Scopes (recommended): The Expert site will use identity token claims to enrich an authenticating user's profile on the Expert site. It is recommended that these claims are scoped so the user can understand what identity data they are sharing with the Expert site, and consent to the identity data transfer. The Expert site will include these scopes when redirecting users to the IdP Authorize URL.
Enable Group Synchronization (Optional)
- Create groups before enabling group synchronization
- Familiarize yourself with the behavior of group synchronization
- Provide the group claim name as it will appear in identity tokens or verbose user identity token received by the RP
Next Steps
Contact your Customer Success Manager to discuss OpenID Connect integration services. Based on the complexity of your integration, you may need to only supply the IdP data described above, or you may work with them on more advanced integrations. The latter may require more involvement with your IdP maintainer or vendor, and additional information.