Configure OpenID Connect for an Access Application

Learn to configure the OpenID Connect parameters for an access application.
When you use OpenID Connect 1.0 (OIDC) as the application-facing authentication mechanism for an EAA Access application, you select it in the application's advanced settings and then enter the EAA application's OIDC settings into the client application. In OIDC terminology, the access application is the relying party (RP) or client application. This procedure describes how to create an EAA access application that supports the OpenID Connect protocol. In this setup EAA acts as the OpenID provider, that is, the identity provider that authenticates the user to an access application that uses OIDC as its authentication mechanism. EAA lets you download the client metadata in JSON format so that it can be uploaded to the client application; you can also enter the information into the client application manually.
How to

1. Log in to the EAA Management Portal.

2. From the top menu bar, click Applications > Settings > Advanced Settings.

3. In the Application-facing Authentication Mechanism field, select OpenID Connect 1.0.

4. Click Save and go to OIDC Settings.

5. Copy the Discovery URL.
   The discovery URL is generated automatically. If your client application does not fetch metadata automatically, you can copy or download this file from EAA. Click View to view this data, or click Download to download the metadata file.
   Note: In the application, you must provide this URL as the provider URL or upload the metadata file. If the application does not allow you to provide the URL or upload the metadata file, you may need to configure the application with the individual elements that are defined in the file.

6. In the Relying Party Settings:
   a. Copy the Client ID.
   b. Copy the Client Secret to a secure location. If you need to rotate the secret, click Rotate client secret, copy the new secret to a secure location, and update the application with the new secret.
   c. Enter this information into the application (relying party).
   d. In the Redirect URI field, enter the redirect or callback URL from your application. This field is required. Click Add More to enter more URIs.
   e. If you are using an implicit authentication flow for OpenID Connect, select Implicit Grant.
   f. To configure JavaScript origins for an implicit authentication flow, in the Javascript Origins field, enter the URL or URLs of the origin that serves the JavaScript responsible for sending cross-origin resource sharing (CORS) requests to the token or user info endpoints.
   g. If you want to disable the logout that is initiated by the identity provider, disable the Front channel logout session required option.
   h. If the front channel logout session setting is enabled, in the Front channel logout-URI(s) field, enter a URI or URL to support this feature. Click Add More to enter more URIs. The scheme, protocol, and port of the front channel URI must match one of the configured redirect URIs.
   i. To configure post logout redirect URI(s), enter the URI where the OpenID provider sends logout responses to logout requests.
   j. To enable proof key for code exchange (PKCE), select PKCE.
   k. Ensure Include claims in id_token is enabled.
   l. To view or download the metadata for the client, click View or Download.

7. To add a claim:
   a. Click Add More.
   b. Select a Scope. If you select Custom Scope, a field appears where you can enter a value.
   c. Select a Claim Name based on the scope you selected or specified. If you select Custom, a field appears where you can enter a name.
   d. Select a Value. If you select Custom Script or Fixed Value, you must enter data in the provided field.
   To add more scopes, repeat steps 7a to 7d.

8. Click Save and return to Deployment.

9. Deploy the application.
Next steps

Ensure that you have configured the application (relying party) with the discovery URL or the JSON metadata file information, the client ID, and the secret.
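The relying-party side of the settings above (Discovery URL, Redirect URI, PKCE, front channel logout URI), as an added example that is not part of this page or of EAA itself: it parses a constructed sample of the provider discovery document, derives an RFC 7636 S256 PKCE pair, checks a front channel logout URI against the configured redirect URIs (the page's "scheme, protocol, and port" rule is applied here as scheme, host and port, an assumption), and builds the authorization request. All hostnames, paths and the client ID are placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of the provider metadata served at the Discovery URL; placeholder values, not real EAA data.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oidc/authorize",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "jwks_uri": "https://idp.example.com/oidc/jwks",
    "end_session_endpoint": "https://idp.example.com/oidc/logout",
})
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def parse_discovery(doc: str) -> dict:
    """Load provider metadata and refuse anything a code-flow RP cannot use safely."""
    meta = json.loads(doc)
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    for key in REQUIRED:  # every endpoint the RP talks to must be TLS-protected
        if urlsplit(meta[key]).scheme != "https":
            raise ValueError(f"{key} must use https: {meta[key]}")
    return meta


def pkce_pair(verifier: str = "") -> tuple:
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)  # 43..128 unreserved chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def logout_uri_matches_redirect(logout_uri: str, redirect_uris: list) -> bool:
    """Page rule applied as: scheme, host and port must equal those of a redirect URI (assumption)."""
    lo = urlsplit(logout_uri)
    return any((lo.scheme, lo.hostname, lo.port) == (u.scheme, u.hostname, u.port)
               for u in map(urlsplit, redirect_uris))


def build_authorize_url(meta: dict, client_id: str, redirect_uri: str,
                        challenge: str, state: str, nonce: str) -> str:
    # Code flow with PKCE; state and nonce are generated and remembered by the caller.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return meta["authorization_endpoint"] + "?" + urlencode(params)
```

The RP must still verify the id_token signature against jwks_uri and check its iss, aud and nonce after the code exchange; that part is out of scope here.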