Configure OpenID Connect for an Access Application

Learn to configure the OpenID Connect parameters for an access application.

When you use OpenID Connect 1.0 (OIDC) as the application-facing authentication mechanism for an EAA Access application, you select it in the application's advanced settings, then go to the client application and enter the EAA application's OIDC settings there. In OIDC terminology, the access application is the relying party (RP) or client application. This procedure describes how to create an EAA access application that supports the OpenID Connect protocol. With this configuration, EAA acts as the OpenID provider (the identity provider) that authenticates the user to an access application that uses OIDC as its authentication mechanism. EAA provides an option to download the client metadata in JSON format so that it can be uploaded to the client application; you can also enter the information into the client application manually.

How to

  1. Log in to the EAA Management Portal.
  2. From the top menu bar, click Applications > Settings > Advanced Settings.
  3. In the Application-facing Authentication Mechanism field, select OpenID Connect 1.0.
  4. Click Save and go to OIDC Settings.
  5. Copy the Discovery URL. The discovery URL is automatically generated. If your client application does not automatically fetch metadata, you can copy or download this file from EAA. Click View to view this data or click Download to download the metadata file.
    Note: In the application, you must provide this URL as the provider URL or upload the metadata file. If the application does not allow you to provide the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.
  6. In the Relying Party Settings:
    1. Copy the Client ID.
    2. Copy the Client Secret to a secure location.
    3. If you need to rotate the secret, click Rotate client secret. Copy the secret to a secure location and update the application with the new secret.
    4. Enter this information into the application (relying party).
    5. In the Redirect URI field, enter the redirect or callback URL from your application. This field is required. Click Add More to enter more URIs.
    6. If you are using an implicit authentication flow for OpenID Connect, select Implicit Grant.
    7. To configure JavaScript origins for an implicit authentication flow, in the Javascript Origins field, enter the URL or URLs of the origin that serves the JavaScript responsible for sending cross-origin resource sharing (CORS) requests to the token or user info endpoints.
    8. If you want to disable the logout that is initiated by the identity provider, disable the Front channel logout session required option.
    9. If the front channel logout session setting is enabled, in the Front channel logout-URI(s) field, enter a URI or URL to support this feature. Click Add More to enter more URIs. The scheme, protocol, and port of the front channel URI must match one of the configured redirect URIs.
    10. To configure post logout redirect URI(s), enter the URI where the OpenID provider sends logout responses to logout requests.
    11. To enable proof key for code exchange (PKCE), select PKCE.
    12. Ensure Include claims in id_token is enabled.
    13. To view or download the metadata for the client, click View or Download.
  7. To add a claim:
    1. Click Add More.
    2. Select a Scope.

      If you select Custom Scope, a field appears where you can enter a value.

    3. Select a Claim Name based on the scope you selected or specified.

      If you select Custom, a field appears where you can enter a name.

    4. Select a Value.

      If you select Custom Script or Fixed Value, you must enter data in the provided field.

    5. To add more scopes, repeat steps 7a to 7d.
  8. Click Save and return to Deployment.
  9. Deploy the application.
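The following Python script is an added example of what the relying-party side of this setup does with the values collected in steps 5 and 6; it is not part of this page and not Akamai's or EAA's code. It parses a discovery document of the kind EAA generates at the Discovery URL (the document and the client values below are constructed stand-ins, not real EAA values; the client ID is a placeholder), checks that a front-channel logout URI matches a registered redirect URI on scheme, host and port (this reading of the page's "scheme, protocol, and port" rule is an assumption), derives a PKCE code challenge as selected in step 6.11, builds the authorization request, and validates the claims an id_token must carry when "Include claims in id_token" is enabled (step 6.12).

```python
"""Relying-party checks for an OIDC client configured against an OpenID provider.

Added example; not EAA's code. All URLs, IDs and the discovery document below
are constructed sample values.
"""
import base64
import hashlib
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlparse

# Constructed stand-in for the discovery document served at the Discovery URL.
# The keys are the standard OIDC Discovery metadata names.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oidc/authorize",
    "token_endpoint": "https://idp.example.test/oidc/token",
    "userinfo_endpoint": "https://idp.example.test/oidc/userinfo",
    "jwks_uri": "https://idp.example.test/oidc/jwks",
    "end_session_endpoint": "https://idp.example.test/oidc/logout",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "code_challenge_methods_supported": ["S256"],
    "frontchannel_logout_session_supported": True,
})

# Constructed relying-party values (what you copy out of Relying Party Settings).
RP_CONFIG = {
    "client_id": "CLIENT-ID-PLACEHOLDER",  # placeholder, not a real EAA client ID
    "redirect_uris": ["https://app.example.test/oidc/callback"],
    "front_channel_logout_uri": "https://app.example.test/oidc/frontchannel-logout",
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_discovery(doc_json: str) -> Dict:
    """Parse the provider metadata and reject documents a client should not trust."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    iss = urlparse(doc["issuer"])
    if iss.scheme != "https" or iss.query or iss.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https")
    return doc


def _origin(uri: str) -> Tuple[str, Optional[str], Optional[int]]:
    p = urlparse(uri)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def origin_matches(uri: str, redirect_uris: List[str]) -> bool:
    """Front-channel logout URI must share scheme, host and port with a redirect URI."""
    return any(_origin(uri) == _origin(r) for r in redirect_uris)


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636 S256: challenge = BASE64URL(SHA-256(verifier)) without '=' padding."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(disc: Dict, rp: Dict, redirect_uri: str, scopes: List[str],
                            code_challenge: str, state: str, nonce: str) -> str:
    """Authorization-code request with PKCE; refuses unregistered redirect URIs."""
    if redirect_uri not in rp["redirect_uris"]:
        raise ValueError("redirect_uri is not one of the registered redirect URIs")
    if "S256" not in disc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    if "openid" not in scopes:
        raise ValueError("scope must include openid")
    params = {
        "response_type": "code", "client_id": rp["client_id"], "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return disc["authorization_endpoint"] + "?" + urlencode(params)


def validate_id_token_claims(claims: Dict, disc: Dict, rp: Dict, expected_nonce: str,
                             now: Optional[int] = None) -> bool:
    """Claim checks on a decoded id_token payload (signature verification happens before this)."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud_ok = rp["client_id"] in (aud if isinstance(aud, list) else [aud])
    return (claims.get("iss") == disc["issuer"] and aud_ok
            and claims.get("nonce") == expected_nonce
            and isinstance(claims.get("exp"), int) and claims["exp"] > now)
```

The example treats the discovery document as untrusted input and rejects anything that is not served over HTTPS, and it never sends a user to an authorization endpoint with a redirect URI that was not registered in step 6.5, which is the same allow-list EAA enforces on its side.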

Next steps

Ensure that you have configured the application (relying party) with the discovery URL or the JSON metadata file information, the client ID, and the secret.