Set up Digital Access component as OpenID provider
This article describes how to add and set up Smart ID Digital Access component as an OpenID provider.
DNS names
- Add DNS names for the access point, see Global resource settings in Digital Access.
SSL server certificate
- Install an SSL server certificate matching the DNS name used for the OpenID Connect endpoints. See heading "Add server certificate" in Add certificates. The same DNS name must also be used as the OpenID Connect Issuer. The certificate must have the key usage digitalSignature.
Install CA certificates
- CA certificates are used for verifying the signing certificate of requests and replies. See heading "Add certificate authority" in Add certificates in Digital Access.
Authentication method
- At least one authentication method must have been configured. See Set up authentication method in Digital Access.
Step-by-step instruction
- Log in to Digital Access Admin with an administrator account.
- In Digital Access Admin, go to Manage System.
- Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
- Check Enable OAuth2 and check Enable OpenID Connect Provider.
OpenID Connect specifies different endpoints that a relying party will be able to contact. The Digital Access component supports the following endpoints:
- Authorization Endpoint
- Token Endpoint
- User Info Endpoint
- Discovery Endpoint
Each endpoint is based on an Issuer value that needs to be configured:
- In Digital Access Admin, go to Manage System.
- Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
- In OpenID Issuer, enter the DNS name that points to the Digital Access component and that was configured in the Global resource settings section. The value must start with https:// and must not end with a trailing slash (for example https://login.example.com, not https://login.example.com/).
- In IDP Certificate, select the SSL certificate that shall be used for communication between the OpenID provider and the relying party.
- Select the Hash Algorithm.
- Click Save.
All endpoints are preconfigured and enabled together with the OpenID Connect feature. Based on the OpenID Issuer provided, the endpoints look like this:
Endpoint | Value |
---|---|
Authorization Endpoint | https://<OpenID Issuer>/https/api/rest/v3.0/oauth/authorize |
Token Endpoint | https://<OpenID Issuer>/https/api/rest/v3.0/oauth/token |
User Info Endpoint | https://<OpenID Issuer>/https/api/rest/v3.0/oauth/userinfo |
JWKS URI | https://<OpenID Issuer>/https/api/rest/v3.0/oauth/jwks |
Instead of configuring each endpoint in the relying party separately, the Digital Access component supports a Discovery URL:
Endpoint | Value |
---|---|
Discovery URL | https://<OpenID Issuer>/https/api/rest/v3.0/oauth/<client id>/.well-known/openid-configuration |
Each client (relying party) has its own Discovery URL, so the client id is part of the URL.
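The checks an administrator of a relying party can run against a Digital Access issuer value and the discovery document published for a client, as an added example in Python (it is not Digital Access code). It assumes the configured OpenID Issuer already carries the https:// scheme, as the field rule above requires, so the scheme is not prepended a second time; the issuer https://login.example.com, the client id rp-portal and the discovery document are constructed for the example.

```python
"""Check an OpenID Issuer value and the endpoint URLs derived from it.

Added example for this article; not Digital Access code. It assumes the
configured OpenID Issuer already includes the https:// scheme, and the
discovery document below is constructed to resemble one served under the
per-client Discovery URL.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

OAUTH_BASE_PATH = "/https/api/rest/v3.0/oauth"   # path documented for Digital Access

# Discovery document keys that must agree with the endpoint table.
DOCUMENTED_ENDPOINTS = {
    "authorization_endpoint": "/authorize",
    "token_endpoint": "/token",
    "userinfo_endpoint": "/userinfo",
    "jwks_uri": "/jwks",
}


def issuer_problems(issuer: str) -> list[str]:
    """Return the rules from the article that the issuer value violates."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("must start with https://")
    if issuer.endswith("/"):
        problems.append("must not end with a trailing slash")
    parts = urlsplit(issuer)
    if not parts.hostname:
        problems.append("must contain a DNS name")
    if parts.query or parts.fragment:
        problems.append("must not contain a query string or fragment")
    return problems


def expected_endpoints(issuer: str, client_id: str) -> dict[str, str]:
    """Build the endpoint URLs the way the table above describes."""
    base = issuer + OAUTH_BASE_PATH
    urls = {key: base + path for key, path in DOCUMENTED_ENDPOINTS.items()}
    urls["discovery_url"] = f"{base}/{client_id}/.well-known/openid-configuration"
    return urls


def discovery_problems(document: str, issuer: str, client_id: str) -> list[str]:
    """Compare a discovery document (JSON text) with the expected values.

    A relying party that trusts discovery blindly sends codes and tokens
    wherever the document points, so compare it with what the administrator
    configured before wiring up a client.
    """
    problems = issuer_problems(issuer)
    doc = json.loads(document)
    if doc.get("issuer") != issuer:
        problems.append(f"issuer {doc.get('issuer')!r} differs from configured {issuer!r}")
    expected = expected_endpoints(issuer, client_id)
    for key in DOCUMENTED_ENDPOINTS:
        if doc.get(key) != expected[key]:
            problems.append(f"{key} is {doc.get(key)!r}, expected {expected[key]!r}")
    for key, value in doc.items():
        if isinstance(value, str) and value.startswith("http://"):
            problems.append(f"{key} uses plain http://")
    return problems


# Constructed sample: what the Discovery URL for client "rp-portal" might return.
ISSUER = "https://login.example.com"
CLIENT_ID = "rp-portal"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": f"{ISSUER}/https/api/rest/v3.0/oauth/authorize",
    "token_endpoint": f"{ISSUER}/https/api/rest/v3.0/oauth/token",
    "userinfo_endpoint": f"{ISSUER}/https/api/rest/v3.0/oauth/userinfo",
    "jwks_uri": f"{ISSUER}/https/api/rest/v3.0/oauth/jwks",
    "scopes_supported": ["openid", "profile"],
})

if __name__ == "__main__":
    print(issuer_problems("https://login.example.com/"))              # trailing slash is rejected
    print(discovery_problems(SAMPLE_DISCOVERY, ISSUER, CLIENT_ID))     # no problems
```

Run the same comparison against the document actually fetched from the Discovery URL once the client is registered; any mismatch between the issuer in the document and the configured OpenID Issuer will also make standards-compliant relying-party libraries reject the provider.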
Scopes are the permissions a client is allowed to ask for. The scope name is mapped to a description that will be shown to the user on the consent page.
To configure scopes in the Digital Access component:
- In Digital Access Admin, go to Manage System.
- Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
- Click Add scope.
- Enter the name of the scope in Name.
When the end-user is asked for consent to share the information related to the scope, the end-user sees an explaining text. To add this text:
- Enter a name for the description in Key.
- Enter a describing text for that scope in Value.
The description of a scope defines what is shown to the resource owner when asked to grant a client permission to use this scope. If no branding has been applied, the default description shown is the first one added.
Scopes are not directly related to a piece of information from the user. They are only describing one or more pieces of information requested by the relying party. To connect the scopes with user information (claims), you configure Attribute Groups.
- In Digital Access Admin, go to Manage System.
- Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
- Click Add Attribute Group.
- Define a Group Name.
- Register one or several attributes that should be part of the attribute group.
- Enter a Friendly Name. The friendly name is used as the name of the claim.
- Define the Source the user information is taken from. When using the option "User Storage, Custom", the User Storage is searched first. If no value is found there, the "Custom Attributes" of the Digital Access component's Account are searched. See the built-in help for further explanation.
- Specify the Value. If this field is left empty, the Friendly Name is used as the attribute name when reading the value from the Source. If Source is set to "Static Value", the content of this field is used as the claim value.
- Click Add Attribute.
- After all attributes have been added, click Save.
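How scopes, attribute groups and claims fit together, as an added Python example that models the rules above (it is not the product's code). The Source options "User Storage", "User Storage, Custom" and "Static Value" are the ones this article names; any others the product offers are not modelled. The attribute group, scope mapping, user record and custom attributes are constructed, and rejecting a scope outside the client's selected scopes with the OAuth 2.0 invalid_scope error is the example's own choice, since the article does not state the product's response.

```python
"""Resolve requested scopes to claims via attribute groups.

Added example illustrating the rules in this article: scope -> attribute
group -> claims, the "User Storage, Custom" fallback order, "Static Value",
and an empty Value falling back to the Friendly Name. Not Digital Access
code; user data and configuration are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attribute:
    friendly_name: str      # becomes the claim name
    source: str             # "User Storage", "User Storage, Custom" or "Static Value"
    value: str = ""         # attribute to read; the literal claim value for "Static Value"


@dataclass
class AttributeGroup:
    group_name: str
    attributes: list[Attribute] = field(default_factory=list)


def resolve_attribute(attr: Attribute, user_storage: dict, custom_attributes: dict):
    """Apply the Source/Value rules from the article to one attribute."""
    if attr.source == "Static Value":
        return attr.value                           # Value is the claim value itself
    key = attr.value or attr.friendly_name          # empty Value: read by Friendly Name
    if attr.source == "User Storage":
        return user_storage.get(key)
    if attr.source == "User Storage, Custom":
        found = user_storage.get(key)               # User Storage is searched first
        return found if found is not None else custom_attributes.get(key)
    raise ValueError(f"unsupported Source {attr.source!r}")   # other options not modelled


def claims_for_scopes(requested: list[str], selected_scopes: set[str],
                      scope_mapping: dict[str, str], groups: dict[str, AttributeGroup],
                      user_storage: dict, custom_attributes: dict) -> dict:
    """Return the claims a client receives for the scopes it requested."""
    unknown = [s for s in requested if s not in selected_scopes]
    if unknown:
        raise ValueError(f"invalid_scope: {unknown}")   # example's choice, see lead-in
    claims = {}
    for scope in requested:
        group_name = scope_mapping.get(scope)       # Scope Mapping tab: scope -> Attribute Group
        if group_name is None:
            continue                                 # e.g. "openid" carries no attribute group
        for attr in groups[group_name].attributes:
            value = resolve_attribute(attr, user_storage, custom_attributes)
            if value is not None:
                claims[attr.friendly_name] = value  # missing attributes are simply omitted
    return claims


# Constructed configuration mirroring the steps above.
GROUPS = {
    "profile-group": AttributeGroup("profile-group", [
        Attribute("given_name", "User Storage", "givenName"),
        Attribute("family_name", "User Storage", "sn"),
        Attribute("email", "User Storage, Custom"),        # empty Value: looked up as "email"
        Attribute("department", "User Storage, Custom"),   # only present in Custom Attributes
        Attribute("tenant", "Static Value", "acme"),
    ]),
}
SCOPE_MAPPING = {"profile": "profile-group"}
SELECTED_SCOPES = {"openid", "profile"}

# Constructed user data: User Storage wins over Custom Attributes for "email".
USER_STORAGE = {"givenName": "Ada", "sn": "Lovelace", "email": "ada@example.com"}
CUSTOM_ATTRIBUTES = {"email": "ada@legacy.example", "department": "R&D"}

if __name__ == "__main__":
    print(claims_for_scopes(["openid", "profile"], SELECTED_SCOPES, SCOPE_MAPPING,
                            GROUPS, USER_STORAGE, CUSTOM_ATTRIBUTES))
```

The point to take from the model is the precedence: an attribute with source "User Storage, Custom" only falls through to the account's Custom Attributes when the directory has no value at all, so a stale custom attribute cannot override a directory value, but it can silently fill in for a user who is missing one.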
To register a client (relying party) in the Digital Access component:
- In Digital Access Admin, go to Manage System.
- Click OpenID Connect (OAuth2) Configuration.
- Click Add client.
- Provide a readable name as Display Name.
- Check whether:
  - Refresh Tokens should be issued.
  - The user needs to be asked for consent.
  - OpenID Connect should be enabled for that client.
Since OpenID Connect is built on top of OAuth 2.0, you can use Digital Access Admin to configure both OpenID providers and plain OAuth 2.0 identity providers.
- If consent is required, the template for the consent page has to be provided. The default value is /wa/oauth2/consent.html. You can create your own template per client and refer to it. Together with the key/value pairs of the scope descriptions, each client can have its own (multi-language) scope description.
- Provide or Generate a Client ID and Client Secret, or select a Client Certificate, for authenticating the OpenID Connect requests of that client.
- Select the Source of subject as well as the Encoding method.
- Each client (relying party) has to provide a Redirect URI (callback URL) that the Digital Access component sends the response to. During the authentication request, the client sends the redirect URI as a parameter. This value must exactly match one of the configured URIs, otherwise the authentication request fails.
- On the Privileges tab, configure the supported Grant Types and the Scopes used for each client.
- For each Selected Scope, the Scope Mapping tab has a drop-down menu to select the corresponding Attribute Group. The user information configured in the selected Attribute Group is returned as claims if the relying party requests the corresponding scope. An Attribute Group can have one or several claims configured; the scope profile, for example, usually contains several claims, such as first name, last name and email address.
- On the Access Rules tab, select the access rules that should be applied for the client when it uses the /authorize endpoint. For more information about access rules, see Access rules in Digital Access.
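What the provider has to check on a request to the /authorize endpoint before it authenticates the user, as an added Python example (not Digital Access code): the exact redirect URI match required above, plus the client id, grant types and scopes configured on the Privileges tab. The client registration and the sample requests are constructed, and the mapping from response_type to grant type and the error codes are the standard OAuth 2.0 ones, chosen by the example rather than taken from the article.

```python
"""Validate an authorization request against a client's registration.

Added example for this article, not Digital Access code. Client
registration and requests are constructed; response_type -> grant type
mapping and error codes follow OAuth 2.0 (RFC 6749) conventions.
"""
from __future__ import annotations

from urllib.parse import parse_qs

# Single-valued response_type -> grant type the client must be allowed to use.
RESPONSE_TYPE_TO_GRANT = {"code": "authorization_code", "token": "implicit", "id_token": "implicit"}


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Exact, character-for-character comparison against the registered URIs.

    No prefix, wildcard, host-only or normalised matching: each of those lets
    an attacker register a look-alike path or query and receive the code.
    """
    return requested in registered


def validate_authorize_request(query: str, client: dict) -> list[str]:
    """Return OAuth 2.0 error codes for a raw /authorize query string (empty list = accept)."""
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    errors = []
    if params.get("client_id") != client["client_id"]:
        errors.append("unauthorized_client")
    if not redirect_uri_allowed(params.get("redirect_uri", ""), client["redirect_uris"]):
        errors.append("invalid_request: redirect_uri does not match a registered value")
    grant = RESPONSE_TYPE_TO_GRANT.get(params.get("response_type", ""))
    if grant is None or grant not in client["grant_types"]:
        errors.append("unsupported_response_type")
    scopes = params.get("scope", "").split()          # scope is a space-separated list
    if any(s not in client["scopes"] for s in scopes):
        errors.append("invalid_scope")
    if "openid" in scopes and not client["openid_enabled"]:
        errors.append("invalid_scope: OpenID Connect not enabled for this client")
    return errors


# Constructed client registration, mirroring the Add client steps above.
CLIENT = {
    "client_id": "rp-portal",
    "redirect_uris": ["https://portal.example.com/oidc/callback"],
    "grant_types": {"authorization_code", "refresh_token"},   # Privileges tab
    "scopes": {"openid", "profile"},                          # Selected Scopes
    "openid_enabled": True,
}

# Constructed requests: one valid, one asking for a grant type and scope the client lacks.
GOOD_REQUEST = ("response_type=code&client_id=rp-portal"
                "&redirect_uri=https%3A%2F%2Fportal.example.com%2Foidc%2Fcallback"
                "&scope=openid%20profile&state=abc123")
BAD_REQUEST = ("response_type=token&client_id=rp-portal"
               "&redirect_uri=https%3A%2F%2Fportal.example.com%2Foidc%2Fcallback"
               "&scope=openid%20admin")

if __name__ == "__main__":
    print(validate_authorize_request(GOOD_REQUEST, CLIENT))   # no errors
    print(validate_authorize_request(BAD_REQUEST, CLIENT))    # unsupported_response_type, invalid_scope
```

When the redirect_uri check fails, the provider must show the error to the user itself rather than redirect to the supplied URI; redirecting an error response to an unregistered address is exactly what the exact-match rule is there to prevent.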
Related information
- Access rules in Digital Access
- Add certificates in Digital Access
- Global resource settings in Digital Access
- Set up authentication method in Digital Access