Set up Digital Access component as OpenID Connect relying party

This article is valid for Smart ID 20.11 and later.

OpenID Connect is a federation technology, comparable with SAML 2.0, that is implemented as an identity layer on top of the OAuth 2.0 protocol.

This article describes how to set up Smart ID Digital Access component to use OpenID Connect as an authentication method. In other words, it describes how to connect Digital Access component to an external Identity Provider (IdP) that supports OpenID Connect, for example Google, or several electronic identities, such as Norwegian BankID and Verimi.

Digital Access component has support for the authorization code flow and the implicit flow.

Prerequisites

From the OpenID Connect Identity Provider, have access to:

Client ID
Client Secret
Discovery Endpoint

From the OpenID Connect Identity Provider:

Order your client account and decide on your callback url that looks like this:
https://<hostname>/wa/auth/oauth2

Step-by-step instruction

Log in to Digital Access Admin

Log in to Digital Access Admin with an administrator account.

Add OpenID Connect as authentication method

For more information regarding authentication methods in Digital Access component, see Authentication methods in Digital Access. You can also click the ?-sign in the administration interface for help.

In Digital Access Admin, go to Manage System.
Click Authentication Methods > Add Authentication Method...
Select OpenID Connect and click Next.
Normally, select these two check boxes:
1. Enable authentication method
2. Visible in authentication menu
Enter the Display Name for the Identity Provider, for example "Google".
Enter the Client ID and Client Secret as provided by your identity provider, which in our example is Google.
Enter Discovery Endpoint, a URL provided by your identity provider.
Click Next.

An alternative way, if the Discovery Endpoint cannot be used, is to specify each required endpoint separately, as indicated by the fields below the "Or" in Digital Access Admin.

Follow these steps:

Go to the discovery endpoint URL.
Enter the values found in the URL in the Issuer, Authorization Endpoint and Token endpoint fields.
To find the Verification Key:
1. Find "Jwks uri" in the discovery endpoint.
2. Go to this uri.
3. Copy the complete content to the field Verification Key.

Add extended properties

In Digital Access Admin, go to Manage System > Authentication Methods.
Select the OpenID Connect method that you configured before.
Go to the Extended Properties tab.
Click Scopes. Specify the scopes based on what the external Identity Provider is supporting and which information that shall be returned about the authenticated user.
Click Display Name Claim. Choose any claim returned by the external Identity Provider to be used as Display Name. If the selected claim is not available in the response, the authentication will fail.
Click User ID Claim. Choose any claim returned by the external Identity Provider to be used as User ID. If the selected claim is not available in the response, the authentication will fail.
Set Allow user not listed in any User storage to "True" to allow other users that those listed in the user storage (for example, LDAP) to have access.
Click Add Extended Property... and add extended properties as required. Click the ?-sign for help.

Make sure that Hybrid Access Gateway trusts the certificate behind the discovery endpoint

Digital Access component must trust the certificate behind the discovery endpoint.

Follow these steps:

Open the Discovery endpoint URL in any browser.
Example in Chrome:
1. In the browser, click on "Secure" or the green lock.
2. Click Certificate.
3. Find the certificate and the "issuer CA" of the certificate that you want to trust in the hierarchy -> Details -> Copy to file, file format is .cer.
Add the CA certificate, according to the information in Add certificates in Digital Access.

Step-by-step instruction

Related information