OpenID Connect parameters for an application

Learn about the parameters needed for any application that supports OIDC.

You can add an application that uses the OpenID Connect protocol. The application can be a custom SaaS application or an access application in EAA. This process allows EAA to act as an OpenID provider that authenticates the user to a SaaS application or an access application whose application-facing authentication mechanism is set to the OpenID Connect 1.0 standard.

When configuring such an application in EAA, a redirect URI is required from the application (relying party). The redirect URI is where authentication responses are sent and received by the application. In the application, this also may be called the redirect URL or the callback URL.

The different parameters needed for an application supporting OIDC are:
  • Discovery URL. This URL is automatically generated based on the hostname of your identity provider. This page contains all the OpenID configuration endpoints and is formatted with this URL: https://<idp-hostname>/.well-known/openid-configuration, where <idp-hostname> is the hostname of the Akamai identity provider. You provide this URL in the application to allow the app to discover the endpoints of your configuration. If the application does not discover this URL automatically, you can download the metadata JSON file with the necessary endpoints and upload this file into the application. If an upload option is not available for this metadata, you must configure the application with the individual elements that are defined in the metadata JSON file.
  • Client ID. Unique ID generated for the application.
  • Client Secret. The secret that is used along with the client ID for authentication. In the authentication flow, two client secrets (the new and previous key) are available for use to support client secret rotation.
  • Claims. Defines the information that is required to identify and authenticate the user.
Note: Field names or labels for an OpenID Connect configuration may vary in the application or relying party. You may need to modify the client metadata before using it in the application.
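The following is an added example, not part of this documentation or of EAA itself: it derives the discovery URL from the IdP hostname, checks a downloaded metadata JSON document before it is trusted (issuer matches the IdP host, required fields present, every endpoint is HTTPS on that host), and extracts the individual elements to enter by hand when the relying party cannot upload the file. The hostname idp.example.com and the endpoint paths are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OpenID provider metadata document of the kind served at
# https://<idp-hostname>/.well-known/openid-configuration; hostname and paths are placeholders.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oidc/authorize",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "userinfo_endpoint": "https://idp.example.com/oidc/userinfo",
    "jwks_uri": "https://idp.example.com/oidc/jwks",
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(idp_hostname: str) -> str:
    """Discovery URL the relying party is given, derived from the IdP hostname."""
    return f"https://{idp_hostname}/.well-known/openid-configuration"


def validate_metadata(idp_hostname: str, metadata_json: str) -> list:
    """Return a list of problems (empty when the document is safe to use)."""
    md = json.loads(metadata_json)
    problems = [f"missing required field {k}" for k in REQUIRED if k not in md]
    # OIDC Discovery requires the issuer to match the host the document came from;
    # a mismatch means the endpoints may belong to a different provider.
    issuer = md.get("issuer", "").rstrip("/")
    if issuer != f"https://{idp_hostname}":
        problems.append(f"issuer {issuer!r} does not match https://{idp_hostname}")
    # Every endpoint must be HTTPS on the IdP host; codes, tokens and keys go nowhere else.
    for key in ENDPOINTS:
        url = md.get(key)
        if url is not None:
            p = urlparse(url)
            if p.scheme != "https" or p.hostname != idp_hostname:
                problems.append(f"{key} {url!r} is not an HTTPS URL on {idp_hostname}")
    return problems


def manual_config(idp_hostname: str, metadata_json: str) -> dict:
    """The individual elements to enter by hand when the relying party cannot
    upload the metadata file. Refuses a document that fails validation."""
    problems = validate_metadata(idp_hostname, metadata_json)
    if problems:
        raise ValueError("; ".join(problems))
    md = json.loads(metadata_json)
    return {k: md[k] for k in ("issuer",) + ENDPOINTS if k in md}
```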