Skip to main content
Skip table of contents

Set up Digital Access component as OpenID provider

This article is valid for Smart ID 20.06 and later.

This article describes how to add and set up Smart ID Digital Access component as an OpenID provider.

Prerequisites

DNS names

  1. Add DNS names for the access point, see Global resource settings in Digital Access.

SSL server certificate

  1. Install an SSL server certificate matching the DNS name used for OpenID Connect endpoints. See heading "Add server certificate" in Add certificates. The same DNS name must also be used as OpenID Connect Issuer. The certificate must have the key usage digital_signature

Install CA certificates

  1. CA certificates are used for verifying the signing certificate of requests and replies. See heading "Add certificate authority" in Add certificates in Digital Access.

Authentication method

  1. At least one authentication method must have been configured. See Set up authentication method in Digital Access.

Step-by-step instruction

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.
Enable OpenID Connect
  1. In Digital Access Admin, go to Manage System.
  2. Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
  3. Check Enable OAuth2 and check Enable OpenID Connect Provider.
Configure endpoints

OpenID Connect specifies different endpoints that a relying party will be able to contact. The Digital Access component supports the following endpoints:

  • Authorization Endpoint
  • Token Endpoint
  • User Info Endpoint
  • Discovery Endpoint

Each endpoint is based on an Issuer value that needs to be configured:

  1. In Digital Access Admin, go to Manage System.
  2. Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
  3. In OpenID Issuer, enter a DNS name that points to the Digital Access component and that was configured in Global resource settings section.

    The field value must start with https:// and end without an ending /

  4. In IDP Certificate, select the SSL certificate that shall be used for communication between the OpenID provider and the relying party. 
  5. Select the Hash Algorithm.
  6. Click Save.

All endpoints are preconfigured and enabled together with the OpenID Connect feature. Based on the OpenID Issuer provided, the endpoints looks like this:

EndpointValue
Authorization Endpointhttps://<OpenID Issuer>/https/api/rest/v3.0/oauth/authorize
Token Endpointhttps://<OpenID Issuer>/https/api/rest/v3.0/oauth/token
User Info Endpointhttps://<OpenID Issuer>/https/api/rest/v3.0/oauth/userinfo
JWKS URIhttps://<OpenID Issuer>/https/api/rest/v3.0/oauth/jwks

Instead of configuring each endpoint in the relying party separately, the Digital Access component supports a Discovery URL. 

Discovery URLhttps://<OpenID Issuer>/https/api/rest/v3.0/oauth/<client id>/.well-known/openid-configuration

Each client (relying party) will have its own Discovery URL. The client id is therefore part of the URL.

Configure scopes

Scopes are the permissions a client is allowed to ask for. The scope name is mapped to a description that will be shown to the user on the consent page.

To configure scopes in the Digital Access component:

  1. In Digital Access Admin, go to Manage System.
  2. Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
  3. Click Add scope.
  4. Enter the name of the scope in Name.

When the end-user is asked for consent to share the piece of information related to the scope, the end-user will see an explaining text. To add this text:

  1. Enter a name of the description in Key
  2. Enter a describing text for that scope in Value.

    The description of a scope defines what will be shown to the resource owner when asked to grant a client permission to use this scope. If no branding has been applied, the default description to be shown will be the first one added

Configure attribute groups

Scopes are not directly related to a piece of information from the user. They are only describing one or more pieces of information requested by the relying party. To connect the scopes with user information (claims), you configure Attribute Groups

  1. In Digital Access Admin, go to Manage System.
  2. Click OpenID Connect (OAuth2) Configuration > Manage Global OpenID Connect (OAuth2) Configuration Settings.
  3. Click Add Attribute Group.
  4. Define a Group Name.
  5. Register one or several attributes that should be part of the attribute group. 
    1. Enter a Friendly Name. The friendly name is used as a name of the claim. 
    2. Define the Source the user information is taken from. 

      When using the option "User Storage, Custom", the User Storage is first searched. If no value is found, the Digital Access component's Account's "Custom Attributes" are searched. See 'help' for further explanation. 

    3. Specify the Value

      If this field is left empty, then the Friendly Name is used when reading value from the Source. If Source is set to "Static Value" then the content of this field is used as the value.

    4. Click Add Attribute.
  6. After all attributes have been added, click Save.
Add a client (relying party)
  1. In Digital Access Admin, go to Manage System.
  2. Click OpenID Connect (OAuth2) Configuration.
  3. Click Add client.
  4. Provide a readable name as Display Name.
  5. Check if 
    1. Refresh Tokens should be issued.
    2. The user needs to be asked for consent.
    3. OpenID Connect should be enabled for that client.

      Since OpenID Connect is built on top of OAuth 2.0, you can use Digital Access Admin to configure both: OpenID providers and OAuth 2.0 identity providers.

  6. If consent is required, the template to the consent page has to be provided. The default value is /wa/oauth2/consent.html.
    You can create your own template per client and refer to it. Together with the key/value pair of the scope, each client may have its own (multi-language) scope description. 
  7. Provide or Generate Client ID and Client Secret or select a Client Certificate for authenticating OpenID Connect requests. 
  8. Select the Source of subject as well as the Encoding method
  9. Each client (relying party) has to provide a Redirect URI resp. callback URL that the Digital Access component will send the response to.
    During the authentication request, the client will send the redirect URI as a parameter. This value must match one of the configured URIs, otherwise the authentication request will fail.
  10. On the Privileges tab, you can configure the supported Grand Types and Scopes used for each client. For each Selected Scope, on the Scope Mapping tab, you will find a drop-down menu to select the corresponding Attribute Group.
    The user information configured in the selected Attribute Group will be returned as claims if the relying party requests access to the corresponding scope. An Attribute Group can have one or several claims configured. 

    The scope profile usually contains several claims, such as firstname, lastname, email address and more. 

  11. On the Access Rules tab, select the access rules that should be applied for the client when using the /authorize endpoint. For more information about access rules, see Access rules in Digital Access.

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.