Configure OpenID Connect for a SaaS application
Learn to configure OpenID Connect parameters for a custom SaaS application.
You can add a SaaS application that uses the OpenID Connect protocol. This process allows EAA to act as an OpenID provider or the identity provider that authenticates the user to the SaaS application.
When configuring this application in EAA, a redirect URI is required from the application (relying party). The redirect URI is where authentication responses are sent and received by the application. In the application, this also may be called the redirect URL or the callback URL.
URL: This URL is automatically generated and based on the
hostname of your identity provider. This page contains all the OpenID
configuration endpoints and is formatted with the following URL: https://<idp-hostname>/.well-known/openid-configuration,
where <idp-hostname> is the hostname of the Akamai identity provider. You provide this URL in the application
to allow the app to discover the endpoints of your configuration.
If the application does not discover this URL automatically, you can download the metadata JSON file with the necessary endpoints and upload this file into the application. If an upload option is not available for this metadata, you must configure the application with the individual elements that are defined in the metadata JSON file.
- Client ID. Unique ID generated for the application.
- Client Secret. The secret that is used along with the client ID for authentication. In the authentication flow, two client secrets (the new and previous key) are available for use to support client secret rotation.
- Claims: Claims define the information that is required to identify and authenticate the user.
- Log in to the Enterprise Application Access (EAA) Management Portal.
- From the top menu bar click Applications.
- Click Add application. Under Add Custom Apps, click SaaS app.
- Enter a name and description for the application.
- In the Protocol menu, select OpenID Connect 1.0, and click Create App and Configure.
- To add an application icon, click Add and select from the provided icons or upload an icon.
- If you want to organize the application in a category on the Login Portal, select a category. Otherwise, leave the selected category as Uncategorized.
- If you want to hide the application from the Login Portal, select Hide Application from Login Portal.
- In the Application URL, enter the URL of the application.
- Click Save and go to Authentication.
- Click Assign identity provider, and in the dialog, select an Akamai identity provider.
- Click Assign directory, and select a directory.
- Click Save and go to OpenID settings.
Copy the Discovery URL.
URL is automatically generated. If your application does not
automatically fetch metadata, you can copy or download this file from EAA. Click
to view this data or click Download to
download the metadata file.
Note: In the application, you must provide this URL as the provider URL or upload the metadata file. If the application does not allow you to provide the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
In the Relying Party
- Copy the Client ID.
- Copy the Client Secret to a secure location.
- If you need to rotate the secret, click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
- Enter this information into the application (relying party).
- In the Redirect URI field, enter the redirect or callback URL from your application. This field is required. Click Add More to enter more URIs.
- If you are using an implicit authentication flow for OpenID Connect, select Implicit Grant.
- If you want to disable the logout that is initiated by the identity provider, disable the Front channel logout session required option.
- If the front channel logout session setting is enabled, in the Front channel logout-URI(s) field, enter a URI or URL to support this feature. Click Add More to enter more URIs. The scheme, protocol, and port of the front channel URI must match one of the configured redirect URIs.
- To configure post logout redirect URI(s), enter the URI where the OpenID provider sends logout responses to logout requests.
- To enable proof key for code exchange (PKCE), select PKCE.
- Ensure Include claims in id_token is enabled.
- To view or download the metadata for the client, click View or Download.
To add a claim:
- Click Add More.
If you select Custom Scope, a field appears where you can enter a value.
Claim Name based on the scope you selected or
If you select Custom, a field appears where you can enter a name.
If you select Custom Script or Fixed Value, you must enter data in the provided field.
- To add more scopes, repeat steps 10a to 10d.
- Click Save and return to Deployment.
- Deploy the application.