Add an OIDC Relying Party

Cloud Authentication Service can act as the authorization server for a generic OpenID Connect (OIDC) relying party application. OIDC manages primary authentication, and the Cloud Authentication Service manages additional authentication.

Before you begin

  • You must be a Super Admin in the Cloud Administration Console.

  • Know which access policy to use for additional authentication.

Step 1: Enter Basic Information

  1. In the Cloud Administration Console, click Authentication Clients > Relying Parties > Add a Relying Party.

  2. In the Relying Party Catalog, click Add corresponding to Generic OIDC.

  3. In the Basic Information tab, enter a name and description (optional) for the OIDC application.

  4. Click Next Step.

Step 2: Configure Authentication Management

In the Authentication tab, do the following:

  1. If you want the Cloud Authentication Service to manage only additional authentication, select Service provider manages primary authentication, and SecurID manages additional authentication.

    If you want the Cloud Authentication Service to manage both primary and additional authentication select SecurID manages all authentication.

    Primary authentication (for example, password) is the initial identifying information of the user that is requesting access to the application.

  2. If the Cloud Authentication Service is managing primary authentication, in the Primary Authentication Method drop-down list, select the authentication method to use.

    Note: If you select FIDO, note that users cannot complete registration when authenticating for the first time with a FIDO authenticator as a primary authentication method. Be sure that users can first complete registration by accessing an application or My Page that requires FIDO as additional authentication. Users can then use FIDO as primary authentication for this application.

  3. In the Access Policy for Additional Authentication drop-down list, select the access policy to request from OIDC.

  4. Click Next Step.

Step 3: Enter the Connection Profile

Specify the connection information for the Cloud Authentication Service as the provider and the OIDC as the relying party.

  1. (Optional) If you specify a URL in the Redirect URL field, the response will be redirected to this URL. Otherwise, it will be redirected to the URL specified in the request. If the URL provided in the request does not match with the URL provided in the Redirect URL field, it will be rejected.

  2. In the Client ID field, provide the unique ID that identifies the configuration in both the Cloud Authentication Service and OIDC. If you change this ID after you copy the metadata to OIDC, update the custom control with the change.

  3. In the Client Authentication Method drop-down list, select an authentication method.

  4. In the Client Secret field, enter a secret in the corresponding format for use by the client.

  5. Define the custom claims.

    Field Description
    Name Name of the claim.

    Source

    Select the source.

    • Identity Source sends a user attribute from the identity source.

    • Constant sends a static string, for example, the name of the application.

    Property Select a property if the Source is Identity Source or specify a property if Source is Constant.
    Scope Select the scope as ID Token or User info to identify the scope of the OIDC request for which the attribute is provided.
    Essential Select this check box to return the value of the claim even if it is not requested.

Step 4: Configure User Consent Form

When the user is authenticated through the relying party and the relying party requests authorization to access the user's information or perform some action at an API on their behalf, user will see the consent form that is configured in the Consent Claims field. Use this form to provide details about the claims that will be returned.

  1. Click Save and Finish.
  2. (Optional) To publish this configuration and immediately activate it, click Publish Changes.
    You must publish the configuration before the relying party can make use of the metadata.