Connecting OIDC-enabled IDP

Instructions on how to connect an OIDC-compliant IDP to ACP

You can use the generic-enabled IDP if you cannot find your connector among the templates available in the ACP administrator portal.

Prerequisites

  • Your IDP needs to expose the OpenID discovery endpoint.
  • Your provider needs to issue the access token in the JWT format as opaque access tokens are not supported currently.

Register application

  1. Create an OAuth application with your provider.

    Redirect URL for your application

    For the redirect URL, you need to proceed to the Connect IDP part now. Follow its steps until you get the redirect URL in steps 3-4. Use the redirect URL provided to create your application.

  2. Configure your application to

  • Use the authorization code grant flow
  • Request scopes: openid, email, and profile.

Connect IDP

  1. Go to https://localhost:8443/app/default/admin for the ACP administrator portal and log in with your credentials.

    Result

    The administrator portal is displayed.

  2. Make sure you are in the Consumer workspace (selectable from the left sidebar) and select ADD IDENTITIES to add a new connection.

    Result

    The pop-up dialog box shows and lists available predefined IDP templates.

  3. Select the OpenID Connect template, enter the name for your new identity provider, and click Next.

    Result

    The Register OpenID Connect fill-in form opens with the redirect URL for registering your application.

  4. Copy the redirect URL provided in the form and use it while registering the OAuth application with your provider in step 1 of the Register application part.

  5. In the Register OpenID Connect form, enter the issuer URL, client ID, and client secret.

    Issuer URL

    Use a bare URL of the issuer, for example https://accounts.google.com. There is no need to append /.well-known/openid-configuration.

  6. Select Save.

Result

Your new identity provider has been created and listed in the Consumer Identity Providers view.

Advanced settings

To configure your new IDP advanced settings

  1. Go to Identities in the left sidebar and select your IDP from the list of available IDP connections.

  2. Make sure that you are in the CONFIGURATION view and select Advanced settings at the bottom.

  3. Configure the Scopes field and decide if you want to use the Get user info option.

    Note

    If you enable the Get user info option, the connector calls the userinfo endpoint to retrieve additional user attributes.

  4. Select Save.

Enable the stateful authorization

This step is optional.

To have the user’s data cached in ACP and avoid re-authenticating within one use’s session, follow the instruction in Enable the stateful authZ in ACP.

User’s test

Purpose

Test your new IDP as a user

Prerequisite

Your provider is configured as a user-authentication method by your administrator.

Test

  1. Go to https://localhost:8443/default/default/demo and select LOG IN TO DEMO APP.

  2. Select your configured IDP (if you have multiple ones) and, next, authenticate in IDP.

Result

ACP displays the consent page that lists data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.

Developer’s test

Purpose

Test your new IDP as a developer

Prerequisite

Your provider is configured as a developer-authentication method by your administrator. To register your IDP for the developer, follow instructions in Connect IDP, this time selecting the Developer workspace in step 2.

Test

  1. Go to https://localhost:8443/app/default/developer to access the ACP developer portal.

  2. Log in to your account by entering your login credentials and selecting LOG IN.

Result

You are logged in to the ACP developer portal with the newly-configured IDP.