Configure CA Single Sign-On as OpenID Connect Provider
To configure CA Single Sign-On as the OpenID Connect Provider, perform the following steps:
- Review the prerequisites.
- Create an authorization provider.
- Create a client.
Review the Prerequisites
Ensure that the following tasks are complete:
- Session Store is enabled in Policy Server.
- SSL is enabled in CA Access Gateway.
Create Authorization Provider
Create a template with provider related configuration that can be associated with clients during registration. You can reuse a template in multiple client registrations.
You can pre-define the following information:
- Authentication URL that must be used for user authentication
- User directories that must be used for user authentication and claims retrieval
- Claims to user directory field mappings
- Scope to claims mappings
- Signing and encryption information
- Timeout configurations
Follow these steps:
- Navigate to Federation, OpenID Connect.
- Click Authorization Provider.
- Click Create Authorization Provider.
- Enter a unique name for the provider in Provider Name.
- Enter a brief description of the provider in Description.
- Complete the following fields in the Authentication and Authorization section:
  - Specify the list of user directories that CA Single Sign-On uses for authorizing and retrieving claims information. Select one or more directories in the Available Directories pane and click the arrow to move your choice to the Selected Directories pane. Use the up and down arrows to adjust the order of the directories. The Authorization Server searches the user directories in the order specified in Selected Directories.
  - Enter the search string that must be used to locate the user in a user directory in Search Specification. Use this field only for user directories with the ODBC namespace. Example: ODBC: name=%s. If you are using LDAP or Active Directory, you need not specify the search string. Note: Custom directories are not supported.
  - Enter the base location of the Authorization Server where CA Access Gateway is installed in Authorization Server Base URL.
  - Enter the URL that the Authorization Server must use for authentication in Authentication URL.
  - Specify whether the single sign-on service must encrypt only the SMPORTALURL query parameter in Use Secure Authentication URL. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter. If you select this option, complete the following steps:
    - To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. The web.xml file is located in access_gateway_home/Tomcat/webapps/affwebservices/WEB-INF.
    - Set the Authentication URL field to the following URL: https://idp_server:port/affwebservices/secure/secureredirect
    - Protect the secureredirect web service with a policy.
  - Enter the validity time period of an authorization code in Authorization Code Expiry Time.
- Complete the following fields in the Signing and Encryption section:
  - Specify the alias that is associated with a private key in the certificate data store that is used to sign the ID token in Signing Certificate Alias.
  - Specify the hash algorithm that must be used in the digital signing of the ID token and userinfo response in Signing Algorithm.
  - Specify whether the ID token must be signed in Sign ID Token.
  - Specify whether the userinfo response must be signed in Sign User Information.
  - Select an alias for the certificate that is used to encrypt assertion data in Encryption Certificate Alias. The corresponding private key at the relying party decrypts the data.
  - Define a value that must be used as the kid header while encrypting the JWT in Encryption Key ID. This field is mandatory if Encrypt ID Token or Encrypt User Information is selected.
  - Specify the JWE algorithm and method that must be used for encrypting the ID token and userinfo response in Encryption Algorithm and Encryption Method.
  - Specify whether the ID token must be encrypted in Encrypt ID Token.
  - Specify whether the userinfo response must be encrypted in Encrypt User Information.
- Complete the following fields in the Mappings section:
  - Define the mapping of claims to a user directory in Claims Mapping. Enter a claim name and the corresponding user attribute in a defined user directory, and click Add Row. You can add multiple claims with the same name but for different column names. If you configure the subject identifier (sub) as a claim, the user attribute value that is specified for this claim is used for the sub field sent in the ID token and userinfo response. If you do not specify it, the user ID of the logged-in user is sent by default in the sub field.
  - Define the mapping of scopes to the claims that must be returned in the ID token and at the userinfo endpoint in Scope Mapping. Enter a scope name, map it to a defined claim name, and click Add Row. You can add multiple claims separated by commas.
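The following added Python illustration (not CA Single Sign-On code) shows how the directory order, Claims Mapping rows and comma-separated Scope Mapping described above combine into the claim set for an ID token or userinfo response, including the default sub rule. The directory contents, claim names and attribute names are constructed samples.

```python
# Added example: how the provider's Claims Mapping and Scope Mapping resolve the
# claims for an ID token / userinfo response. Not CA Single Sign-On code.

# Constructed sample directories, in Selected Directories order. The first
# directory that contains the user is used.
DIRECTORIES = [
    ("corp-ldap", {"jdoe": {"mail": "jdoe@example.com", "cn": "Jane Doe", "employeeID": "E100"}}),
    ("partner-db", {"bob": {"email": "bob@partner.example", "fullname": "Bob Partner"}}),
]

# Claims Mapping rows: (claim name, directory, user attribute). The same claim
# name may appear more than once, mapped to different attributes per directory.
CLAIMS_MAPPING = [
    ("email", "corp-ldap", "mail"),
    ("email", "partner-db", "email"),
    ("name", "corp-ldap", "cn"),
    ("name", "partner-db", "fullname"),
    ("sub", "corp-ldap", "employeeID"),  # sub mapped for corp-ldap only
]

# Scope Mapping rows: scope -> comma-separated claim names, as typed in the UI.
SCOPE_MAPPING = {"profile": "name, email", "email": "email"}


def find_user(user_id):
    """Return (directory name, user record) from the first directory holding the user."""
    for name, users in DIRECTORIES:
        if user_id in users:
            return name, users[user_id]
    return None, None


def build_claims(user_id, requested_scopes):
    """Resolve the claim set for user_id given the scopes the client requested."""
    directory, record = find_user(user_id)
    if record is None:
        return None
    wanted = set()
    for scope in requested_scopes:
        wanted.update(c.strip() for c in SCOPE_MAPPING.get(scope, "").split(",") if c.strip())
    claims = {}
    for claim, dir_name, attr in CLAIMS_MAPPING:
        # Only rows for the directory the user was found in apply; sub is always considered.
        if dir_name == directory and (claim in wanted or claim == "sub") and attr in record:
            claims[claim] = record[attr]
    # Without a sub mapping for this directory, the logged-in user ID is sent by default.
    claims.setdefault("sub", user_id)
    return claims
```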
Create Client
Create a client with CA Single Sign-On to identify the client uniquely while serving requests.
Follow these steps:
- Navigate to Federation, OpenID Connect.
- Click Clients and click Create Client.
- Enter a unique name for the client in Client Name.
- Enter a description of the client in Description.
- Enter the URL of the client logo that must be displayed on the consent page in Logo URL. If a logo is not defined, a default logo is displayed.
- (Optional) If you do not want CA Single Sign-On to prompt users for their consent to sharing scope information with the client, select Disable User Consent. After authenticating the user, the authorization server directly sends the authentication response with the authorization code to the URI specified in the authentication request.
- (Optional) Enter the name of the default HTML file or the custom HTML file that must be used for the user consent page in User Consent Form. For more information, see Customize the User Consent Page.
- Complete the following fields in the Client Authentication section:
  - Specify whether the client application is public or confidential in Application Type. If the application is confidential, send the client ID and secret in the token request along with an access token, using the specified client authentication type. If the application is public, send only the client ID in the token request along with an access token.
  - Specify the mechanism that must be used for authenticating the client in Authentication Type.
- Complete the following fields in the Scope Configuration section:
  - Select the authorization provider that must be used for the client configuration in Authorization Provider.
  - Specify the list of scope values that the client can use in Scopes. The list is populated based on the values that you defined in the selected authorization provider.
  - Select Send User Information in ID Token if you want to receive the claims in the ID token itself.
  - Select Send SMSession in ID Token to send the SMSession in the ID token.
  - Enter a list of valid, unique redirect URLs that CA Single Sign-On uses to send the authorization code back to the client in Redirect URIs. The URI sent in the initial authorization code request must match the list of URIs defined in Redirect URIs. If the Application Type of the client is Public, specify HTTP Secure URLs.
- Complete the following fields in the Token Expiry Time section:
  - Enter the time period an access token is valid at CA Single Sign-On in Access Token. Limits: 999 hours and 99 minutes (41 days). You can update the OIDCClient object manually to increase the validity period beyond 41 days. For information, see Increase Validity Period of Access Token.
  - Enter the time period an ID token is valid at CA Single Sign-On in ID Token.
- Click Create. The client is created, the Client ID and Client Secret are generated, the Client Secret is saved in an encrypted format in the database, and the URLs for all the endpoints are displayed. The page now opens in edit mode.
Use the URLs in requests to each endpoint.
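Added example (not CA Single Sign-On code) of the client rules described above: redirect URIs must be unique and, for public clients, HTTP Secure; the redirect URI in an authorization code request must exactly match a registered one; and confidential clients present client ID and secret while public clients present the ID only. The client names, URIs and secret are constructed placeholders.

```python
# Added example: the redirect URI and client authentication rules for a registered
# client. Not CA Single Sign-On code; clients, URIs and the secret are constructed.
import hmac
from urllib.parse import urlparse

CLIENTS = {
    "spa-client": {"type": "public", "redirect_uris": ["https://app.example.com/callback"]},
    "web-client": {"type": "confidential", "secret": "s3cret-example",
                   "redirect_uris": ["https://portal.example.com/oidc/cb"]},
}


def validate_redirect_uris(app_type, redirect_uris):
    """Registration-time check: entries must be unique, and HTTPS only for public clients."""
    if len(set(redirect_uris)) != len(redirect_uris):
        return False, "redirect URIs must be unique"
    if app_type == "public":
        for uri in redirect_uris:
            if urlparse(uri).scheme != "https":
                return False, "public clients must register HTTP Secure URLs: " + uri
    return True, "ok"


def check_authorization_request(client_id, redirect_uri):
    """Authorization request: redirect_uri must exactly match a registered URI."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    # Exact string comparison, not prefix or host matching, so the authorization code
    # can only be sent to a destination the client registered.
    return redirect_uri in client["redirect_uris"]


def check_token_request(client_id, client_secret=None):
    """Token request: confidential clients send ID and secret, public clients send ID only."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    if client["type"] == "confidential":
        return client_secret is not None and hmac.compare_digest(client_secret, client["secret"])
    return client_secret is None
```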