OIDC: How to integrate applications with the RSA Cloud Authentication Service
Originally Published: 2023-02-15
Applies To
RSA Product/Service Type: Cloud Authentication Service
Issue
Tasks
2. Log in to the Cloud Administration Console.
3. Navigate to Authentication Clients => Relying Parties => Add a Relying Party.
4. From the Relying Party Catalog, choose Generic OIDC.
5. The configuration has five parts, which are addressed in the Resolution section of this article.
Resolution
1. In the Name field, enter a name for the application.
2. (Optional) In the Description field, enter a description for the application.
3. Click Next Step.
Authentication:
1. Choose one of the two options below.
a. Relying Party manages primary authentication, and SecurID manages additional authentication
b. SecurID manages all authentication
2. If option 1a is selected, only the Access Policy for Additional Authentication is needed.
3. If option 1b is selected, both the Primary Authentication Method and Access Policy for Additional Authentication are needed.
4. Click Next Step.
Connection Profile:
1. Note the Authorization Server Issuer URL.
2. (Optional) In the Redirect URL field, enter the location the Authorization Server will redirect users to after successful authentication.
3. In the Client ID field, enter the Unique Identifier for the application.
4. If Client Authentication is requested, configure the section below.
Authorization Code Flow:
1. In the Client Authentication Method field, choose one of the five options below.
a. Not Selected
b. CLIENT_SECRET_BASIC
c. CLIENT_SECRET_POST
d. CLIENT_SECRET_JWT
e. PRIVATE_KEY_JWT
2. If option 1a is selected, the Implicit Flow is enforced.
3. In the Client Secret field, enter the Secret known only to the application and the Authorization Server.
4. (Optional) Add Custom Claims, if needed by the Relying Party.
5. Click Next Step.
Consent:
1. Relying Parties can request authorization to access users' information or perform some action at an API on their behalf.
2. (Optional) Add Consent Claims, to control the consent form presented to the user after authentication.
3. Click Save and Finish.
4. Click Publish Changes.
The RSA Authorization Server Endpoints:
1. Issuer: https://<tenant_URL>/oidc-fe
2. Authorization: https://<tenant_URL>/oidc-fe/auth
3. Token: https://<tenant_URL>/oidc-fe/token
4. JWKS: https://<tenant_URL>/oidc-fe/keys
5. UserInfo: https://<tenant_URL>/oidc-fe/userinfo
6. Discovery: https://<tenant_URL>/oidc-fe/.well-known/openid-configuration
7. The tenant_URL is the RSA Cloud Authentication Service tenant part of the Authorization Server Issuer URL noted in the Connection Profile. For example, if the Issuer is https://x.auth-demo.com/oidc-fe, the tenant_URL is https://x.auth-demo.com.
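A relying party normally reads these endpoints from the Discovery document instead of hard-coding them, and should check that document before trusting it. The following is an added example, not RSA code: it checks a discovery document against the issuer noted in the Connection Profile and the endpoint paths listed above. The metadata key names are the standard OpenID Connect Discovery ones; the sample documents are constructed, and the same-origin check is an assumption based on the endpoint list in this article.

```python
from urllib.parse import urlsplit

# Endpoint paths relative to the issuer, as listed in this article.
EXPECTED_PATHS = {
    "authorization_endpoint": "/auth",
    "token_endpoint": "/token",
    "jwks_uri": "/keys",
    "userinfo_endpoint": "/userinfo",
}

def discovery_url(issuer):
    """Discovery URL for an issuer, per OpenID Connect Discovery 1.0."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, metadata):
    """Return a list of problems found in a discovery document (empty = OK)."""
    problems = []
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    # OIDC Discovery: the 'issuer' value must be identical to the configured one.
    if metadata.get("issuer") != issuer:
        problems.append("issuer mismatch: %r" % metadata.get("issuer"))
    for key, path in EXPECTED_PATHS.items():
        value = metadata.get(key)
        if value is None:
            problems.append("missing " + key)
            continue
        url = urlsplit(value)
        # Assumption: all endpoints live on the issuer's origin, as listed above.
        if (url.scheme, url.netloc) != (iss.scheme, iss.netloc):
            problems.append("%s is not on the issuer's origin: %s" % (key, value))
        elif value != issuer + path:
            problems.append("%s differs from the documented path: %s" % (key, value))
    return problems

# Constructed sample data, using the article's example issuer.
ISSUER = "https://x.auth-demo.com/oidc-fe"
GOOD = {"issuer": ISSUER, **{k: ISSUER + p for k, p in EXPECTED_PATHS.items()}}
# Same document with the token endpoint pointing at another host.
BAD = dict(GOOD, token_endpoint="https://x.auth-demo.example/oidc-fe/token")

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, GOOD))
    print(check_discovery(ISSUER, BAD))
```

In a real integration, the `metadata` argument is the parsed JSON fetched over TLS from the Discovery URL; an empty result means the document matches the configured issuer and the documented endpoints.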