This article describes how to set up Nexus Hybrid Access Gateway to use OpenID Connect as an authentication method. In other words, it describes how to connect Hybrid Access Gateway to an external Identity Provider (IdP) that supports OpenID Connect, for example Google, or several electronic identities, such as Norwegian BankID and Verimi.
Hybrid Access Gateway has support for the authorization code flow and the implicit flow.
From the OpenID Connect Identity Provider, have access to:
- Client ID
- Client Secret
- Discovery Endpoint
From the OpenID Connect Identity Provider:
- Order your client account and decide on your callback url that looks like this:
- Log in to the Hybrid Access Gateway administration interface with your admin user.
For more information regarding authentication methods in Hybrid Access Gateway, see Authentication methods. You can also click the ?-sign in the administration interface for help.
- In the Hybrid Access Gateway administration interface, go to Manage System.
- Click Authentication Methods > Add Authentication Method...
- Select OpenID Connect and click Next.
- Normally, select these two check boxes:
- Enable authentication method
- Visible in authentication menu
- Enter the Display Name for the Identity Provider, for example "Google".
- Enter the Client ID and Client Secret as provided by your identity provider, which in our example is Google.
- Enter Discovery Endpoint, a URL provided by your identity provider.
- Click Next.
An alternative way, if the Discovery Endpoint cannot be used, is to specify each required endpoint separately, as indicated by the fields below the "Or" in the Hybrid Access Gateway administration interface.
Follow these steps:
- Go to the discovery endpoint URL.
- Enter the values found in the URL in the Issuer, Authorization Endpoint and Token endpoint fields.
- To find the Verification Key:
- Find "Jwks uri" in the discovery endpoint.
- Go to this uri.
- Copy the complete content to the field Verification Key.
- In the Hybrid Access Gateway administration interface, go to Manage System > Authentication Methods.
- Select the OpenID Connect method that you configured before.
- Go to the Extended Properties tab.
- Click Scopes. Specify the scopes based on what the external Identity Provider is supporting and which information that shall be returned about the authenticated user.
- Click Display Name Claim. Choose any claim returned by the external Identity Provider to be used as Display Name. If the selected claim is not available in the response, the authentication will fail.
- Click User ID Claim. Choose any claim returned by the external Identity Provider to be used as User ID. If the selected claim is not available in the response, the authentication will fail.
Set Allow user not listed in any User storage to "True" to allow other users that those listed in the user storage (for example, LDAP) to have access.
Click Add Extended Property... and add extended properties as required. Click the ?-sign for help.
Hybrid Access Gateway must trust the certificate behind the discovery endpoint.
Follow these steps:
- Open the Discovery endpoint URL in any browser.
- Example in Chrome:
- In the browser, click on "Secure" or the green lock.
- Click Certificate.
- Find the certificate and the "issuer CA" of the certificate that you want to trust in the hierarchy -> Details -> Copy to file, file format is .cer.
- Add the CA certificate, according to the information in Add certificates.