Configure CA Single Sign-On as OpenID Connect Provider

To configure CA Single Sign-On as the OpenID Connect Provider, perform the following steps:
  1. Review the prerequisites.
  2. Create an authorization provider.
  3. Create a client. 
Review the Prerequisites
Ensure that the following tasks are complete:
  • Session Store is enabled in Policy Server.
  • SSL is enabled in CA Access Gateway.
Create Authorization Provider
Create a template with provider-related configuration that can be associated with clients during registration. You can reuse a template in multiple client registrations.
You can pre-define the following information:
  • Authentication URL that must be used for user authentication
  • User directories that must be used for user authentication and claims retrieval
  • Claims to user directory field mappings
  • Scope to claims mappings
  • Signing and encryption information
  • Timeout configurations
Follow these steps:
  1. Navigate to Federation, OpenID Connect.
  2. Click Authorization Provider.
  3. Click Create Authorization Provider.
  4. Enter a unique name for the provider in Provider Name.
  5. Enter a brief description of the provider in Description.
  6. Complete the following fields in the Authentication and Authorization section:
    1. Specify the list of user directories that CA Single Sign-On uses for authorizing and retrieving claims information. Select one or more directories in the Available Directories pane and click the arrow to move your choice to the Selected Directories pane. Use the up and down arrows to adjust the order of the directories. The Authorization Server searches the user directories in the order specified in Selected Directories.
    2. Enter the search string that must be used to locate the user in a user directory in Search Specification. Use this field only for user directories with the ODBC namespace.
      Example: ODBC: name=%s
      If you are using LDAP or Active Directory, you need not specify the search string.
      Note: Custom directories are not supported.
    3. Enter the base location of the Authorization Server where CA Access Gateway is installed in Authorization Server Base URL.
    4. Enter the URL that the Authorization Server must use for authentication in Authentication URL.
    5. Specify whether the single sign-on service must encrypt only the SMPORTALURL query parameter in Use Secure Authentication URL.
      An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
      If you select this option, complete the following steps:
      1. Set the Authentication URL field to the following URL:
        https://idp_server:port/affwebservices/secure/secureredirect
      2. Protect the secureredirect web service with a policy.
      To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the following location:
      access_gateway_home/Tomcat/webapps/affwebservices/WEB-INF
    6. Enter the validity time period of an authorization code in Authorization Code Expiry Time.
  7. Complete the following fields in the Signing and Encryption section:
    1. Specify the alias that is associated with the private key in the certificate data store that is used to sign the ID token in Signing Certificate Alias.
    2. Specify the hash algorithm that must be used in the digital signing of the ID token and userinfo response in Signing Algorithm.
    3. Specify whether the ID token must be signed in Sign ID Token.
    4. Specify whether the userinfo response must be signed in Sign User Information.
    5. Select an alias for the certificate that is used to encrypt assertion data in Encryption Certificate Alias. The corresponding private key at the relying party decrypts the data.
    6. Define the value that must be used as the kid header while encrypting the JWT token in Encryption Key ID. This field is mandatory if Encrypt ID Token or Encrypt User Information is selected.
    7. Specify the JWE algorithm and method that must be used for encrypting the ID token and userinfo response in Encryption Algorithm and Encryption Method.
    8. Specify whether the ID token must be encrypted in Encrypt ID Token.
    9. Specify whether the userinfo response must be encrypted in Encrypt User Information.
  8. Complete the following fields in the Mappings section:
    1. Define the mapping of claims to a user directory in Claims Mapping. Enter a claim name and the corresponding user attribute in a defined user directory, and click Add Row.
      You can add multiple claims with the same name but for different column names.
      If you configure the subject identifier (sub) as a claim, the user attribute value that is specified for this claim is used for the sub field sent in the ID token and userinfo response. If you do not specify it, the user ID of the logged-in user is sent by default in the sub field.
    2. Define the mapping of scopes to the claims that must be returned in the ID token and from the userinfo endpoint in Scope Mapping. Enter a scope name, map it with a defined claim name, and click Add Row. You can add multiple claims separated by commas.
  9. Click Create.
Create Client
Create a client with CA Single Sign-On to identify the client uniquely while serving requests.
Follow these steps:
  1. Navigate to Federation, OpenID Connect.
  2. Click Clients and click Create Client.
  3. Enter a unique name for the client in Client Name.
  4. Enter a description of the client in Description.
  5. Enter the URL of the client logo that must be displayed on the consent page in Logo URL. If a logo is not defined, a default logo is displayed.
  6. (Optional) If you do not want CA Single Sign-On to prompt users for their consent for sharing scope information with the client, select Disable User Consent. After authenticating the user, the authorization server directly sends the authentication response with the authorization code to the URI specified in the authentication request.
  7. (Optional) Enter the name of the default HTML file or the custom HTML file that must be used for the user consent page in User Consent Form.
    For more information, see Customize the User Consent Page.
  8. Complete the following fields in the Client Authentication section:
    1. Specify whether the client application is public or confidential in Application Type. If the application is confidential, send the client ID and secret in the token request, along with an access token, using the specified client authentication type. If the application is public, send only the client ID in the token request along with an access token.
    2. Specify the mechanism that must be used for authenticating the client in Authentication Type.
  9. Complete the following fields in the Scope Configuration section:
    1. Select the authorization provider that must be used for the client configuration in Authorization Provider.
    2. Specify the list of scope values that the client can use in Scopes. The list is populated based on the values that you defined in the selected authorization provider.
    3. Select Send User Information in ID Token if you want to receive the claims in the ID token itself.
    4. Select Send SMSession in ID Token to send the SMSession in the ID token.
  10. Enter a list of valid, unique redirect URLs that CA Single Sign-On uses to send the authorization code back to the client in Redirect URIs. The URI sent in the initial authorization code request must match the list of URIs defined in Redirect URIs.
    If the Application Type of the client is Public, specify HTTPS (HTTP Secure) URLs.
  11. Complete the following fields in the Token Expiry Time section:
    1. Enter the time period for which an access token is valid at CA Single Sign-On in Access Token.
      Limits: 999 hours and 99 minutes (41 days).
      You can update the OIDCClient object manually to increase the validity period beyond 41 days. For information, see Increase Validity Period of Access Token.
    2. Enter the time period for which an ID token is valid at CA Single Sign-On in ID Token.
  12. Click Create.
    The client is created, the Client ID and Client Secret are generated, the Client Secret is saved in an encrypted format in the database, and the URLs for all the endpoints are displayed. The page now opens in edit mode.
Use the URLs in requests to each endpoint.
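Two of the settings above carry most of the security weight on the provider side: the exact-match rule for Redirect URIs (step 10) and the public/confidential distinction that decides whether a client must present a secret at the token endpoint (step 8). The following Python is an added example, not CA Single Sign-On code, that models both checks: registration-time validation of a Redirect URI (absolute, no fragment, HTTPS for public clients), exact comparison of the redirect_uri in an authorization code request against the registered list, and client authentication for a token request. The client records, URLs and secret are constructed; holding the secret as a PBKDF2 hash is this example's own assumption, since the page only says the secret is stored encrypted in the database.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

_SALT = b"constructed-salt"


def _hash_secret(secret: str) -> bytes:
    # The page says the secret is stored encrypted; this example keeps a PBKDF2
    # hash instead so it needs no key material to run (an assumption of the example).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)


# Constructed client records standing in for the Create Client settings used here.
CLIENTS = {
    "public-spa": {
        "application_type": "public",
        "redirect_uris": ["https://spa.example.com/callback"],
    },
    "web-app": {
        "application_type": "confidential",
        "authentication_type": "client_secret_basic",
        "redirect_uris": ["https://app.example.com/oidc/cb",
                          "https://app.example.com/oidc/cb2"],
        "secret_hash": _hash_secret("constructed-secret"),
    },
}


def validate_redirect_uri_for_registration(uri: str, application_type: str) -> bool:
    """Checks applied when a Redirect URI is entered at registration time."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect URI must be absolute")
    if parts.fragment:
        raise ValueError("redirect URI must not carry a fragment (RFC 6749 section 3.1.2)")
    if application_type == "public" and parts.scheme != "https":
        raise ValueError("public clients must register HTTPS redirect URIs")
    return True


def check_authorization_request(params: dict, clients: dict) -> tuple:
    """Accept an authorization code request only if redirect_uri is byte-for-byte
    one of the client's registered Redirect URIs; return (client_id, redirect_uri)."""
    client = clients.get(params.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    if params.get("response_type") != "code":
        raise ValueError("only the authorization code flow is configured")
    uri = params.get("redirect_uri")
    if uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    return params["client_id"], uri


def basic_auth_header(client_id: str, secret: str) -> str:
    """What a confidential client sends in the Authorization header (client_secret_basic)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def authenticate_token_request(form: dict, authorization_header, clients: dict) -> str:
    """Token endpoint: a confidential client must prove the secret; a public client presents only client_id."""
    if authorization_header and authorization_header.startswith("Basic "):
        try:
            raw = base64.b64decode(authorization_header[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            raise ValueError("malformed Authorization header")
        client_id, _, secret = raw.partition(":")
    else:
        client_id, secret = form.get("client_id"), form.get("client_secret")
    client = clients.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    if client["application_type"] == "public":
        return client_id
    if not secret or not hmac.compare_digest(_hash_secret(secret), client["secret_hash"]):
        raise ValueError("client authentication failed")
    return client_id


if __name__ == "__main__":
    good = {"client_id": "web-app", "response_type": "code",
            "redirect_uri": "https://app.example.com/oidc/cb"}
    print(check_authorization_request(good, CLIENTS))
    # Near-misses a lenient comparison (prefix, scheme-insensitive, ignoring query) would let through.
    for near_miss in ("https://app.example.com/oidc/cb/", "http://app.example.com/oidc/cb",
                      "https://app.example.com/oidc/cb?x=1"):
        try:
            check_authorization_request({**good, "redirect_uri": near_miss}, CLIENTS)
        except ValueError as err:
            print(f"rejected {near_miss}: {err}")
    print(authenticate_token_request({}, basic_auth_header("web-app", "constructed-secret"), CLIENTS))
```

The comparison in check_authorization_request is deliberately a plain membership test on the registered strings: any normalisation (trailing slash, case, query string) widens what the provider will send an authorization code to, which is exactly what the exact-match requirement in step 10 guards against.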