Add an OIDC Relying Party
Cloud Authentication Service can act as the authorization server (OpenID Provider) for a generic OpenID Connect (OIDC) relying party application. Depending on how you configure the relying party, it manages primary authentication itself and the Cloud Authentication Service manages only additional authentication, or the Cloud Authentication Service manages both primary and additional authentication.
Before you begin
-
You must be a Super Admin in the Cloud Administration Console.
-
Know which access policy to use for additional authentication.
Step 1: Enter Basic Information
-
In the Cloud Administration Console, click Authentication Clients > Relying Parties > Add a Relying Party.
-
In the Relying Party Catalog, click Add corresponding to Generic OIDC.
-
In the Basic Information tab, enter a name and description (optional) for the OIDC application.
-
Click Next Step.
Step 2: Configure Authentication Management
In the Authentication tab, do the following:
-
If you want the Cloud Authentication Service to manage only additional authentication, select Relying Party manages primary authentication, and SecurID manages additional authentication.
If you want the Cloud Authentication Service to manage both primary and additional authentication, select SecurID manages all authentication.
Primary authentication (for example, a password) is the initial identifying information supplied by the user who is requesting access to the application; additional authentication is the step-up the access policy requires on top of it.
-
If the Cloud Authentication Service is managing primary authentication, in the Primary Authentication Method drop-down list, select the authentication method to use.
Note: If you select FIDO, note that users cannot complete registration when authenticating for the first time with a FIDO authenticator as a primary authentication method. Be sure that users can first complete registration by accessing an application or My Page that requires FIDO as additional authentication. Users can then use FIDO as primary authentication for this application.
-
In the Access Policy for Additional Authentication drop-down list, select the access policy that the Cloud Authentication Service applies when the OIDC relying party sends a user for additional authentication.
-
Click Next Step.
Step 3: Enter the Connection Profile
Specify the connection information for the Cloud Authentication Service as the OpenID Provider and the OIDC application as the relying party.
-
Provide one or more redirect URLs to which the Cloud Authentication Service may send the authorization response. The relying party must use one of these URLs as the redirect_uri in its authorization request; if the redirect_uri in the request does not match a URL registered in the Redirect URL field, the request is rejected. Register only URLs you control, and register the full URL rather than just a host.
-
In the Client ID field, provide the unique ID that identifies this configuration in both the Cloud Authentication Service and the OIDC relying party. If you change this ID after you have copied the metadata to the relying party, update the relying party's configuration with the new value, otherwise its requests will no longer match this configuration.
-
In the Client Authentication Method drop-down list, select an authentication method.
-
Click Generate corresponding to the Client Secret field. Copy the generated secret into the relying party's configuration: it is the credential the relying party presents to the token endpoint using the client authentication method selected above, so store it as you would a password.
-
Select the scope by typing the name. The available scopes will be auto-populated. You can select multiple scopes.
Note: You can configure the scopes on the Manage OIDC Claims and Scopes page.
-
Select the claim by typing the name. The available claims will be auto-populated. You can select multiple claims.
Note: You can configure the claims on the Manage OIDC Claims and Scopes page.
-
Click Save and Finish.
-
(Optional) To publish this configuration and immediately activate it, click Publish Changes.
You must publish the configuration before the relying party can make use of the metadata.
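The relying-party side of the configuration described in Steps 2 and 3 (redirect URL, Client ID, client authentication method, client secret, scopes) is easiest to see in code. The following is an added example, not code from the Cloud Authentication Service or its documentation: it builds the authorization request with state, nonce and PKCE, applies the documented exact-match rule for the redirect URL on the provider side, shows how the two common client authentication methods appear on the token request, and verifies the ID token's issuer, audience, expiry and nonce. The issuer URL, authorize endpoint path, client ID, client secret and redirect URL are hypothetical placeholders, and the ID token is minted locally with an HS256 key (constructed for the example; a real provider signs with RS256 and publishes its keys via JWKS).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values standing in for what the Connection Profile tab asks for.
ISSUER = "https://cas.example.com"                        # assumed Cloud Authentication Service base URL
AUTHORIZE_ENDPOINT = ISSUER + "/oidc/authorize"           # assumed path
CLIENT_ID = "hr-portal"                                   # the Client ID entered in the console
CLIENT_SECRET = "s3cr3t-from-Generate-button"             # the secret produced by Generate
REGISTERED_REDIRECT_URLS = {"https://hr.example.com/oidc/callback"}  # the Redirect URL field
ID_TOKEN_KEY = b"demo-signing-key"                        # constructed HS256 stand-in for the provider's RS256 key


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri, scopes):
    """RP side: start the authorization code flow with PKCE, state and nonce."""
    state = secrets.token_urlsafe(24)      # binds the callback to this browser session (CSRF defence)
    nonce = secrets.token_urlsafe(24)      # must come back inside the ID token (replay defence)
    verifier = secrets.token_urlsafe(48)   # PKCE code_verifier, kept server-side until the token request
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),         # 'openid' is mandatory; the rest are the scopes chosen in the console
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def provider_accepts_redirect(requested_redirect_uri):
    """Provider side: the documented rule is a match against the registered Redirect URLs, so compare exactly."""
    return requested_redirect_uri in REGISTERED_REDIRECT_URLS


def extract_code_from_callback(callback_url, session):
    """RP side: accept the authorization code only if the state matches the one stored for this session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in query:
        raise ValueError("authorization response carries no code")
    return query["code"][0]


def token_request_credentials(method):
    """How the Client Authentication Method chosen in the console shows up on the token request."""
    if method == "client_secret_basic":
        cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        return {"headers": {"Authorization": "Basic " + cred}, "body": {}}
    if method == "client_secret_post":
        return {"headers": {}, "body": {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}}
    raise ValueError("unsupported client authentication method: " + method)


def mint_id_token(claims, key=ID_TOKEN_KEY):
    """Constructed stand-in for the provider's ID token (HS256); real providers sign with RS256 via JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, key=ID_TOKEN_KEY, now=None):
    """RP side: signature, issuer, audience, expiry and nonce must all check out before trusting the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```

The audience check is what ties the token to the Client ID entered in Step 3, and the nonce check ties it to the browser session that started the flow; a relying party that skips either can be handed a token minted for a different client or replayed from an earlier login.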