OIDC: How to integrate applications with the RSA Cloud Authentication Service
Originally Published: 2023-02-15
Article Number
000068102
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Issue
This article provides an overview of the configuration needed to integrate OAuth/OIDC applications as Relying Parties with the RSA Cloud Authentication Service.
Tasks
1. You must be a Super Administrator for the Cloud Authentication Service to perform this task.

2. Log in to the Cloud Administration Console.

3. Navigate to Authentication Clients => Relying Parties => Add a Relying Party.

4. From the Relying Party Catalog, choose Generic OIDC.

5. The configuration has five parts; they are addressed in the Resolution section of this article.

Resolution
Basic Information:
 1. In the Name field, enter a name for the application.

 2. (Optional) In the Description field, enter a description for the application.

 3. Click Next Step.

Authentication:
 1. Choose one of the two options below.
  a. Relying Party manages primary authentication, and SecurID manages additional authentication
  b. SecurID manages all authentication

 2. If option 1a is selected, only the Access Policy for Additional Authentication is needed.

 3. If option 1b is selected, both the Primary Authentication Method and Access Policy for Additional Authentication are needed.

 4. Click Next Step.

Connection Profile:
 1. Note the Authorization Server Issuer URL.

 2. (Optional) In the Redirect URL field, enter the location the Authorization Server will redirect users to after successful authentication.

 3. In the Client ID field, enter the Unique Identifier for the application.

 4. If Client Authentication is requested, the section below must be configured.

Authorization Code Flow:
 1. In the Client Authentication Method field, choose one of the five options below.
  a. Not Selected
  b. CLIENT_SECRET_BASIC
  c. CLIENT_SECRET_POST
  d. CLIENT_SECRET_JWT
  e. PRIVATE_KEY_JWT

 2. If option 1a is selected, the Implicit Flow is enforced.

 3. In the Client Secret field, enter the Secret known only to the application and the Authorization Server.

 4. (Optional) Add Custom Claims, if needed by the Relying Party.

 5. Click Next Step.

Consent:
 1. Relying Parties can request authorization to access users' information or to perform some action at an API on their behalf.

 2. (Optional) Add Consent Claims to control the consent form presented to the user after authentication.

 3. Click Save and Finish.

 4. Click Publish Changes.

The RSA Authorization Server Endpoints:
 1. Issuer: https://<tenant_URL>/oidc-fe

 2. Authorization: https://<tenant_URL>/oidc-fe/auth

 3. Token: https://<tenant_URL>/oidc-fe/token

 4. JWKS: https://<tenant_URL>/oidc-fe/keys

 5. UserInfo: https://<tenant_URL>/oidc-fe/userinfo

 6. Discovery: https://<tenant_URL>/oidc-fe/.well-known/openid-configuration

 7. The tenant_URL is the tenant part of the Authorization Server Issuer URL noted in the Connection Profile. For example, if the Issuer is https://x.auth-demo.com/oidc-fe, the tenant_URL is https://x.auth-demo.com.
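The following is an added example, not RSA's own code or part of this article: it derives the endpoint set listed above from a tenant_URL, builds the authorization request (with a PKCE challenge, or in implicit form when client authentication is "Not Selected"), and prepares the token-endpoint request for each of the client authentication methods named in the Authorization Code Flow section. The tenant, client_id, redirect URL, code and secret values are constructed samples, and the function names are this example's own.

```python
"""Added example, not RSA's own code: derive the RSA Cloud Authentication
Service OIDC endpoint set from a tenant URL and build the authorization and
token requests for each client authentication method in the article.
The tenant, client, redirect, code and secret values are constructed samples."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid
from urllib.parse import quote, urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT and PKCE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def endpoints(tenant_url: str) -> dict:
    """The endpoint set from the article, rooted at <tenant_URL>/oidc-fe."""
    base = tenant_url.rstrip("/") + "/oidc-fe"
    return {"issuer": base, "authorization": base + "/auth",
            "token": base + "/token", "jwks": base + "/keys",
            "userinfo": base + "/userinfo",
            "discovery": base + "/.well-known/openid-configuration"}


def pkce_challenge(verifier: str) -> str:
    """S256 challenge for a code verifier (RFC 7636)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(tenant_url, client_id, redirect_uri, state, nonce,
                      code_challenge=None, implicit=False) -> str:
    """Authorization request. With client authentication 'Not Selected' the
    article says the Implicit Flow is enforced: the ID token comes back from
    the authorization endpoint (response_type=id_token) and no token request
    follows, so the nonce is the RP's replay protection."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "nonce": nonce,
              "response_type": "id_token" if implicit else "code"}
    if not implicit and code_challenge:
        params.update(code_challenge=code_challenge, code_challenge_method="S256")
    return endpoints(tenant_url)["authorization"] + "?" + urlencode(params)


def compact_jws(alg: str, claims: dict, sign) -> str:
    """header.payload.signature, where sign(signing_input) -> signature bytes."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url(sign(signing_input))}"


def client_assertion(client_id, token_endpoint, alg, sign, now=None) -> str:
    """JWT presented to the token endpoint (RFC 7523): iss and sub are the
    client_id, aud is the token endpoint, jti is fresh and exp is short."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}
    return compact_jws(alg, claims, sign)


def jws_claims(token: str) -> dict:
    """Decode the payload of a compact JWS for inspection (no signature check)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_request(method, tenant_url, client_id, code, redirect_uri,
                  code_verifier=None, client_secret=None, private_key_signer=None):
    """Headers and form fields (send as urlencode(body)) for the token endpoint
    under each client authentication method the article lists."""
    token_endpoint = endpoints(tenant_url)["token"]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier:
        body["code_verifier"] = code_verifier
    if method == "CLIENT_SECRET_BASIC":
        # RFC 6749 2.3.1: form-urlencode id and secret, then Base64 "id:secret"
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "CLIENT_SECRET_POST":
        body.update(client_id=client_id, client_secret=client_secret)
    elif method == "CLIENT_SECRET_JWT":
        # the shared secret is only an HMAC key here; it is never transmitted
        def sign(data):
            return hmac.new(client_secret.encode(), data, hashlib.sha256).digest()
        body.update(client_id=client_id, client_assertion_type=ASSERTION_TYPE,
                    client_assertion=client_assertion(client_id, token_endpoint, "HS256", sign))
    elif method == "PRIVATE_KEY_JWT":
        # private_key_signer(bytes) -> RS256 signature with the RP's private key
        # (e.g. via the cryptography package); the server checks it against the
        # public key registered for the client, so no secret is shared at all
        body.update(client_id=client_id, client_assertion_type=ASSERTION_TYPE,
                    client_assertion=client_assertion(client_id, token_endpoint, "RS256", private_key_signer))
    else:
        raise ValueError(f"{method!r}: 'Not Selected' enforces the Implicit Flow, no token request")
    return headers, body


if __name__ == "__main__":
    tenant, rp, cb = "https://x.auth-demo.com", "demo-rp-client", "https://rp.example.test/callback"
    verifier = b64url(secrets.token_bytes(32))  # constructed PKCE verifier
    print(authorization_url(tenant, rp, cb, secrets.token_urlsafe(16),
                            secrets.token_urlsafe(16), pkce_challenge(verifier)))
    for m in ("CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST", "CLIENT_SECRET_JWT"):
        print(m, token_request(m, tenant, rp, "constructed-code", cb, verifier,
                               client_secret="constructed-secret"))
```

Of the five methods, only the two JWT-based ones keep the client credential off the wire: CLIENT_SECRET_JWT sends an HMAC over a short-lived, single-use assertion, and PRIVATE_KEY_JWT needs no shared secret at all, which is why the `private_key_signer` parameter accepts any RS256 signer rather than the key itself.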

Notes
The Discovery URL https://<tenant_URL>/oidc-fe/.well-known/openid-configuration can be retrieved for more information on the RSA Authorization Server, such as the supported claims, ID Token signature algorithms, and PKCE challenge methods.
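As an added example (not RSA's code and not part of this article), the checks below are what a Relying Party can run over the discovery document before relying on it: the advertised issuer must equal the configured Issuer exactly, every endpoint must be HTTPS on the issuer's host, and the PKCE method, ID token signing algorithm and client authentication method the RP intends to use must be advertised. The discovery document is a constructed sample in the standard OpenID Connect Discovery shape, not a capture from a real tenant, so its lists of supported values are illustrative only.

```python
"""Added example, not RSA's own code: sanity checks a Relying Party can run on
the Authorization Server's discovery document before trusting it. The document
below is a constructed sample in the standard OpenID Connect Discovery shape,
not a capture from a real tenant."""
import json
from urllib.parse import urlsplit

SAMPLE_DISCOVERY = json.dumps({  # constructed sample, values are illustrative
    "issuer": "https://x.auth-demo.com/oidc-fe",
    "authorization_endpoint": "https://x.auth-demo.com/oidc-fe/auth",
    "token_endpoint": "https://x.auth-demo.com/oidc-fe/token",
    "jwks_uri": "https://x.auth-demo.com/oidc-fe/keys",
    "userinfo_endpoint": "https://x.auth-demo.com/oidc-fe/userinfo",
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "nonce", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post",
        "client_secret_jwt", "private_key_jwt"],
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "jwks_uri", "userinfo_endpoint")


def check_discovery(document: str, expected_issuer: str, auth_method: str,
                    id_token_alg: str = "RS256") -> list:
    """Return a list of findings; an empty list means the document passes."""
    doc = json.loads(document)
    findings = []
    # OIDC Discovery 4.3: the issuer in the document must equal the Issuer the
    # RP was configured with, byte for byte (a trailing slash is a mismatch)
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    issuer_host = urlsplit(expected_issuer).netloc
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key} is not https: {url}")
        if parts.netloc != issuer_host:
            # an endpoint on another host would carry codes or tokens elsewhere
            findings.append(f"{key} host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised; do not fall back to 'plain'")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if id_token_alg not in algs:
        findings.append(f"ID token alg {id_token_alg} not supported (server offers {algs})")
    if "none" in algs:
        findings.append("alg 'none' advertised for ID tokens; the RP must reject unsigned tokens")
    # 'Not Selected' means the Implicit Flow, which makes no token request
    if auth_method != "Not Selected":
        methods = doc.get("token_endpoint_auth_methods_supported", [])
        if auth_method.lower() not in methods:
            findings.append(f"client auth method {auth_method} not in {methods}")
    return findings


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://x.auth-demo.com/oidc-fe",
                          "CLIENT_SECRET_JWT"))
```

In practice the document is fetched over TLS from the Discovery URL and the string passed to `check_discovery`; the configured Issuer, not a value parsed from the response, is what `expected_issuer` should carry, otherwise the issuer check proves nothing.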