Enabling CIBA for a workspace

Check how to configure your workspace and applications within so that they support Client-Initiated Backchannel Authentication (CIBA).

Enabling CIBA in a nutshell

CIBA, an extension to OIDC, is an authentication flow in which the relying party (client application) initiates authentication of the user without any user interaction on the consumption device (no redirects through the user’s browser). This so-called out-of-band flow improves the user experience by streamlining how consent is given. The client requesting the authentication and the authentication device that performs it are two separate entities, which is what makes CIBA a decoupled flow.

Read more

For more information on CIBA, see ACP Client-initiated Backchannel Authentication grant flow overview.

To be able to use CIBA in ACP, you have to allow the CIBA grant flow both for a selected workspace and for an application within that workspace. With the CIBA grant flow enabled for the workspace, you get a client ID, a client secret, and a token endpoint for your CIBA authentication service.

Prerequisites

Enable CIBA

For instructions on how to enable CIBA in ACP, either watch the video or follow the step-by-step guide.

Video guide

Step-by-step

Configure workspace settings

  1. From the Workspace Directory, enter the workspace that you want to enable CIBA support for.

  2. Select Settings from the sidebar of the selected workspace and go to the Authorization view.

  3. Navigate to the Allowed grant types section and select the CIBA checkbox.

    Result

    Selecting the checkbox adds another field for the CIBA configuration: Token delivery modes supported. For details on token delivery modes, see CIBA modes.

  4. Use the drop-down list to populate the Token delivery modes supported field with at least one value out of the two available: ping and poll.

  5. Select Save changes at the bottom of the page.

    Result

    After enabling CIBA in the Authorization view and saving the changes, another view, CIBA, shows in your workspace settings.

  6. Navigate to the CIBA view to set up the CIBA authentication service. Select EXTERNAL to provide the URL of an external CIBA authentication service.

    CIBA simulator

    Instead of selecting EXTERNAL, you can select SIMULATOR if you do not want to specify a URL but still want to try out CIBA.

  7. For EXTERNAL, fill in Authentication service URL, Basic Auth Username, and Basic Auth Password.

    Enabling EXTERNAL services

    EXTERNAL authentication services require integration with ACP before the CIBA grant flow can be used with them. See CIBA integration patterns for the CIBA-ACP integration patterns that you can use to integrate your authentication device with ACP.

    Basic authentication

    Basic authentication is the mechanism ACP uses to authenticate to external services that expose an API integrated with ACP. For more details on ACP basic authentication, see ACP basic authentication.

  8. Select Save changes at the bottom of the page.

Configure client settings

  1. In the same workspace, select Applications from the sidebar and proceed to the application that you want to enable CIBA for.

  2. Go to the OAuth view of the application and navigate to the Grant Types section.

  3. Add urn:openid:params:grant to the allowed grant types using the drop-down list.

    Result

    Enabling urn:openid:params:grant adds another field for the CIBA configuration: Token delivery mode. For details on token delivery modes, see CIBA modes.

  4. Use the drop-down list to populate the Token delivery mode field with at least one value out of the two available: ping and poll.

    Result

    Enabling ping adds another field for the CIBA configuration: Client notification endpoint.

  5. If you choose the ping mode, fill in the Client notification endpoint field with the endpoint to which ACP posts a notification after the end-user authentication succeeds or fails.

  6. Select Save changes at the bottom of the page.

Result

You have enabled CIBA for your application.
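The client-side counterpart of the two token delivery modes configured above, as an added example that is not part of the ACP documentation or the ACP code base: in ping mode the Client notification endpoint must check that the callback carries the client_notification_token the client itself sent in the backchannel request before it redeems the auth_req_id; in poll mode the client interprets the token endpoint errors and backs off on slow_down. The grant_type value and the error codes are taken from OIDC CIBA Core 1.0; the data types and function names are illustrative.

```python
"""Client-side handling of the CIBA ping and poll token delivery modes."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Grant type defined by OIDC CIBA Core 1.0 for redeeming an auth_req_id.
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"


@dataclass
class PendingAuth:
    """State kept per backchannel request until the tokens are fetched."""
    auth_req_id: str
    client_notification_token: str  # token we sent in the request (ping mode)
    interval: int = 5               # poll-mode wait in seconds, from the server


def new_notification_token() -> str:
    """Per-request bearer token sent as client_notification_token in ping mode."""
    return secrets.token_urlsafe(32)


def handle_ping_notification(headers: Dict[str, str], body: Dict[str, str],
                             pending: Dict[str, PendingAuth]) -> Optional[str]:
    """Validate a ping callback posted to the Client notification endpoint.

    Returns the auth_req_id to redeem at the token endpoint, or None when the
    callback is not authenticated with the token we issued for that request.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = pending.get(body.get("auth_req_id", ""))
    if scheme.lower() != "bearer" or entry is None:
        return None
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    expected = entry.client_notification_token.encode()
    if not hmac.compare_digest(token.encode(), expected):
        return None
    return entry.auth_req_id


def token_request_params(entry: PendingAuth) -> Dict[str, str]:
    """Form parameters for the token endpoint (identical in ping and poll mode)."""
    return {"grant_type": CIBA_GRANT_TYPE, "auth_req_id": entry.auth_req_id}


def next_poll_action(entry: PendingAuth, token_response: Dict[str, str]) -> str:
    """Interpret a poll-mode token endpoint response: 'done', 'wait' or 'abort'."""
    if "access_token" in token_response:
        return "done"
    err = token_response.get("error")
    if err == "slow_down":
        entry.interval += 5  # spec: raise the polling interval by at least 5 s
    if err in ("authorization_pending", "slow_down"):
        return "wait"
    return "abort"  # expired_token, access_denied or anything unexpected
```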

Follow-up

Check how CIBA integrates with ACP in CIBA integration patterns.