Connecting OIDC-enabled IDP
Instructions on how to connect an OIDC-compliant IDP to ACP
You can use the generic OpenID Connect (OIDC) template if you cannot find a connector for your provider among the templates available in the ACP administrator portal.
Prerequisites
- Your IDP needs to expose the OpenID Connect discovery endpoint (/.well-known/openid-configuration under the issuer URL).
- Your provider needs to issue access tokens in JWT format; opaque access tokens are not currently supported.
Register application
1. Create an OAuth application with your provider.
Redirect URL for your application
The redirect URL is generated by ACP, so proceed to the Connect IDP part now and follow its steps until you get the redirect URL in steps 3-4. Use that redirect URL to create your application.
2. Configure your application to:
- Use the authorization code grant flow
- Request the openid, email, and profile scopes
Connect IDP
1. Go to https://localhost:8443/app/default/admin for the ACP administrator portal and log in with your credentials.
Result
The administrator portal is displayed.
2. Make sure you are in the Consumer workspace (selectable from the left sidebar) and select ADD IDENTITIES to add a new connection.
Result
A pop-up dialog box lists the available predefined IDP templates.
3. Select the OpenID Connect template, enter a name for your new identity provider, and click Next.
Result
The Register OpenID Connect form opens and shows the redirect URL for registering your application.
4. Copy the redirect URL provided in the form and use it while registering the OAuth application with your provider in step 1 of the Register application part.
5. In the Register OpenID Connect form, enter the issuer URL, client ID, and client secret.
Issuer URL
Use the bare URL of the issuer, for example https://accounts.google.com. Do not append /.well-known/openid-configuration. OIDC Discovery requires the issuer value published in the provider's discovery document to be identical to the URL it was fetched under, so enter the issuer exactly as the provider spells it (scheme, host, and any path, without a trailing slash).
6. Select Save.
Result
Your new identity provider is created and listed in the Consumer Identity Providers view.
Advanced settings
To configure the advanced settings of your new IDP:
1. Go to Identities in the left sidebar and select your IDP from the list of available IDP connections.
2. Make sure that you are in the CONFIGURATION view and select Advanced settings at the bottom.
3. Configure the Scopes field and decide whether to use the Get user info option.
Note
If you enable the Get user info option, the connector calls the provider's userinfo endpoint (the userinfo_endpoint advertised in its discovery document) with the access token to retrieve additional user attributes. Only request scopes your provider supports: an authorization server either ignores unknown scopes or rejects the request with invalid_scope.
4. Select Save.
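The Prerequisites, the Issuer URL note, and the Advanced settings above all depend on what the provider publishes in its discovery document and on the shape of its access tokens. The following Python script, an added example that is not part of the ACP documentation or product, checks those points before you fill in the form: it derives the discovery URL ACP will use from a bare issuer, verifies that the document's issuer matches, that the authorization code flow, the required endpoints and the scopes you plan to enter are advertised, that a userinfo_endpoint exists if you intend to enable Get user info, and that a sample access token is a JWT rather than an opaque string. The provider https://idp.example.com, its discovery document and both tokens are constructed samples; replace them with the real document (for example the JSON returned by fetching discovery_url(issuer)) and a token obtained from your provider.

```python
"""Pre-flight checks for a generic OIDC provider before entering it in ACP.

Added example, not ACP's or any provider's own code. The discovery document,
issuer and tokens below are constructed samples for a hypothetical provider.
"""
import base64
import json
from typing import Dict, Iterable, List

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Scopes the ACP OpenID Connect connector requests (see "Register application").
DEFAULT_SCOPES = frozenset({"openid", "email", "profile"})


def normalize_issuer(url: str) -> str:
    """Return the bare issuer URL that belongs in ACP's Issuer URL field.

    Strips surrounding whitespace, an accidentally appended discovery suffix,
    and a trailing slash.
    """
    url = url.strip()
    if url.endswith(DISCOVERY_SUFFIX):
        url = url[: -len(DISCOVERY_SUFFIX)]
    return url.rstrip("/")


def discovery_url(issuer: str) -> str:
    """Discovery URL derived from the bare issuer, as OIDC Discovery specifies."""
    return normalize_issuer(issuer) + DISCOVERY_SUFFIX


def check_discovery(issuer: str, doc: Dict, scopes: Iterable[str] = DEFAULT_SCOPES,
                    want_userinfo: bool = False) -> List[str]:
    """Return the problems that would make the ACP connection fail or misbehave.

    scopes: what you intend to enter in the Scopes field under Advanced settings.
    want_userinfo: whether the Get user info option will be enabled.
    """
    problems: List[str] = []
    issuer = normalize_issuer(issuer)
    if not issuer.startswith("https://"):
        problems.append("issuer URL is not https")
    # Discovery requires the document's issuer to equal the URL it was fetched
    # under; it is also the value compared against the ID token's iss claim.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, configured {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"discovery document lacks {key}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised in response_types_supported")
    # grant_types_supported is optional; its default includes authorization_code.
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("grant_types_supported lacks authorization_code")
    # scopes_supported is only recommended, so check it only when present.
    if "scopes_supported" in doc:
        missing = sorted(set(scopes) - set(doc["scopes_supported"]))
        if missing:
            problems.append(f"scopes not advertised by provider: {missing}")
    if want_userinfo and not doc.get("userinfo_endpoint"):
        problems.append("Get user info enabled but provider advertises no userinfo_endpoint")
    return problems


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def access_token_is_jwt(token: str) -> bool:
    """True if the token is a compact JWS: three base64url segments whose header
    and payload are JSON objects and whose header names an alg. Opaque tokens
    (a random string, or a "prefix.random" pair) fail this and ACP cannot use
    them. The signature is not verified here; ACP does that against jwks_uri.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, non-UTF-8 or non-JSON segment
        return False
    return isinstance(header, dict) and "alg" in header and isinstance(payload, dict)


# Constructed sample discovery document for a hypothetical provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}

# Constructed JWT-shaped access token with a dummy, unverifiable signature.
SAMPLE_JWT_ACCESS_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "k1"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://idp.example.com", "sub": "user-1"}).encode()),
    _b64url_encode(b"dummy-signature"),
])
SAMPLE_OPAQUE_ACCESS_TOKEN = "8xLOxBtZp8"  # constructed opaque token

if __name__ == "__main__":
    print(discovery_url("https://accounts.google.com/"))
    print(check_discovery("https://idp.example.com", SAMPLE_DISCOVERY, want_userinfo=True))
    print(access_token_is_jwt(SAMPLE_JWT_ACCESS_TOKEN), access_token_is_jwt(SAMPLE_OPAQUE_ACCESS_TOKEN))
```

Run check_discovery with the exact string you plan to paste into the Issuer URL field; a mismatch report means either the field or the provider's own issuer value carries a stray trailing slash or path, and that mismatch will surface later as an ID token validation failure rather than at save time.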
Enable the stateful authorization
This step is optional.
To have the user's data cached in ACP and avoid re-authenticating within one user's session, follow the instructions in Enable the stateful authZ in ACP.
User’s test
Purpose
Test your new IDP as a user
Prerequisite
Your provider is configured as a user-authentication method by your administrator.
Test
1. Go to https://localhost:8443/default/default/demo and select LOG IN TO DEMO APP.
2. Select your configured IDP (if you have multiple) and then authenticate with the IDP.
Result
ACP displays the consent page listing the data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from the IDP is delivered through the access token and the ID token generated by ACP.
Read more
For information on granting and managing ACP consents, see ACP OAuth consents.
Developer’s test
Purpose
Test your new IDP as a developer
Prerequisite
Your provider is configured as a developer-authentication method by your administrator. To register your IDP for developers, follow the instructions in Connect IDP, this time selecting the Developer workspace in step 2.
Test
1. Go to https://localhost:8443/app/default/developer to access the ACP developer portal.
2. Log in to your account by entering your login credentials and selecting LOG IN.
Result
You are logged in to the ACP developer portal with the newly configured IDP.