RapidIdentity Product Guide

OpenID Connect (OIDC)

Starting with versions 2020.1.3 (for on-premise systems) and 2020.11.18 (for RapidIdentity Cloud), RapidIdentity can function as an OpenID Connect Relying Party. Previously, RapidIdentity only supported acting as an OpenID Connect Provider. This functionality may or may not be available within your specific deployment, as this feature is not yet enabled by default.

To identify whether your deployment supports this functionality, navigate to the Configuration module. This feature is active if the Login Configurations item in the Security section is visible; if the feature is not active, the Service Providers option will be visible instead. The Login Configurations feature replaces the Service Provider functionality to support either SAML or OpenID Connect.

Note

If you do not have the Login Configurations item, contact Identity Automation Support to enable this feature.


No action is required to transition from an existing, configured Service Provider configuration to a new Login Configuration; the Service Provider configuration will be migrated to SAML Login Configurations upon first startup with the feature activated. After this migration from Service Providers to Login Configurations, you should see no lapse in SSO functionality.

OIDC IdP Configuration

The Automatic/Quick Configuration for setting up an Identity Provider configuration will continue to work with either the old Service Providers functionality or the new Login Configurations functionality. Using the Automatic Configuration with this new feature will create the following:

  • An Identity Provider Configuration

  • A SAML2.0 Federation Partner Configuration

  • A SAML 2.0 Login Configuration

  • An active SAML SSO setup

Setting up a SAML 2.0 Login Configuration

Setting up a SAML 2.0 Login Configuration assumes that a RapidIdentity Identity Provider has already been set up and activated. Automatic configuration is recommended, but the manual process is as follows:

  1. Navigate to Configuration > Security > Login Configurations.

  2. Click Add Login Config and select SAML 2.0.

  3. Give the login configuration a unique name and optional description.

  4. Assign the Service Provider Details. Entity ID is the base URL of the RapidIdentity server (e.g., https://<domain>/), and Domain is the listed domain of the RapidIdentity server. In many cases, these values will auto-populate.

  5. Provide the Identity Provider Details.

    Table 286. Identity Provider Details Fields

    Entity ID: If RapidIdentity is the Identity Provider, this will be https://<domain>/idp.

    Binding: This is assigned automatically, as RapidIdentity only supports HTTP-Redirect for SAML Binding.

    Login URL: This is the URL where users will go to log in. Note: if RapidIdentity is the Identity Provider, this will be https://<domain>/idp/profile/SAML2/Redirect/SSO.

    Signature Validation Keys: These should be the X.509 certificate PEM string(s) for the Identity Provider signing certificate. Note: if RapidIdentity is the Identity Provider, the PEM string can be downloaded from Configuration > Identity Providers > IDP Configuration; copy the contents of the .pem file into the text area.

    Logout Redirect URL: The URL where users will be directed upon logout. Note: if RapidIdentity is the Identity Provider, this will be https://<domain>/idp/logout.


  6. If desired, assign Metadata. This is not required, but can provide contact information for troubleshooting.

  7. When complete, click Save. The SAML 2.0 Login Configuration has been created, but is not yet active. To activate, we will first need to configure a SAML 2.0 Federation Partner.

Federation Partners for OIDC

To activate the newly configured SAML 2.0 Login Configuration, we'll need to set it up as a Federation Partner.

  1. Navigate to Configuration > Security > Identity Providers > Federation Partners.

  2. Click Add Federation Partner and select SAML 2.0.

  3. Click Create SAML Relying Party from the next menu.

  4. Give the Federation Partner a unique name and optional description.

    For the Metadata, open RapidIdentity in a new tab and navigate to Configuration > Security > Login Configurations, then click Edit on the line of the newly created configuration. Copy the Metadata from the provided field and paste that content into the Metadata field for the Federation Partners.

  5. After pasting in the Metadata, expand the SSO Settings and ensure the following are set:

    • Set Include SAML2 Attribute Statement to true (checked)

    • The Hours, Minutes, Seconds field can be left at the default of 5 minutes

    • The NotBefore Skew field can be left at the default of 0 seconds

    • Set Sign SAML2 SSO Response to Always

    • Set Sign SAML2 SSO Assertions to Never

    • Set Encrypt SAML2 SSO Assertions to Never

    • Set Encrypt SAML2 SSO Name IDs to Never

    • Leave Signature Algorithm at the default of RSA SHA-256

    • Set Skip Endpoint Validation When Signed to true (checked)

    • Leave Enabled ECP Settings at the default of false (unchecked)

    Click Save.

  6. After saving, you should be presented with a new area in the Federation Partner Configuration: Attribute Mapping. Expand this section.

    1. Select the [INTERNAL] idautoID attribute and click Permit.

    2. Click Save again.

  7. Click Trigger Service Reload in the bottom Action Bar to activate these changes. Everything should now be in place to activate your SAML SSO.

  8. Navigate back to Configuration > Security > Login Configurations and select the new configuration. Click Toggle Active from the bottom Action Bar; the mark next to the configuration turns green, indicating that it is active.

  9. SSO via SAML should now be working.

    Note

    Testing should be performed in an Incognito browser window, or a different browser, so that if anything is not working, the Login Configuration can be re-configured or toggled inactive while it is being fixed.

Setting up an OIDC Login Configuration

Note

This procedure assumes that a RapidIdentity Identity Provider has already been configured and activated.

  1. Navigate to Configuration > Identity Providers > Federation Partners.

  2. Click Add Federation Partner and select OpenID Connect.

  3. Give the Federation Partner a unique name.

  4. Set the Callback URLs. If RapidIdentity is the Relying Party, the callback URL will be https://<domain>/oidc/callback.


  5. Leave other settings at their defaults, and scroll down to the Claim Attributes section. Click Add Claim Attribute.

  6. This will open a popout sidebar to configure the claim. At a minimum, one claim is needed that can be used to uniquely identify an authenticating user.

    1. Give the Claim Attribute a Name and optional description.

    2. Set the Claim as the claim attribute that OpenID Connect will use to uniquely identify an authenticating user, e.g., email or id.

    3. Set the Claim Type as the claim value. This should represent the type of data passed through the claim attribute, e.g., if email, this would be String.

    4. Set the Attribute Value Type. In most cases, this will be LDAP.

    5. Set the LDAP Attribute, which is the backing LDAP attribute that should uniquely identify an authenticating user, e.g., mail or idautoID.

    6. If the attribute in question only supports a single value, check Single Valued.

  7. Click Save. Your OpenID Connect Federation Partner should have been successfully created.

  8. Click Trigger Service Reload in the bottom Action Bar to activate the new changes.

  9. Once again, navigate to Configuration > Security > Login Configurations. Click on Add Login Config and choose OpenID Connect.

  10. Give the Login Configuration a unique name and optional description.

  11. Assign the Relying Party Details. These are provided by the Identity Provider. If RapidIdentity is the Identity Provider, these are generated on the Federation Partners page.

    1. The Client ID is generated on the Federation Partner. Open that Federation Partner configuration in another tab and copy its Client ID field.

    2. The Client Secret is generated on the Federation Partner. Open that Federation Partner configuration in another tab and copy its Client Secret field.

  12. Assign the OpenID Provider Details.

    1. Set Issuer.

      Note

      If RapidIdentity is the Identity Provider, then this will be https://<domain>/idp.

    2. Set the Logout Redirect URL.

      Note

      If RapidIdentity is the Identity Provider, then this will be https://<domain>/idp/logout.

    3. Set the Authorization Endpoint.

      Note

      If RapidIdentity is the Identity Provider, then this will be https://<domain>/idp/profile/oidc/auth.

    4. Set the Token Endpoint.

      Note

      Ensure that port 8443 is specified when the IdP is RapidIdentity. If RapidIdentity is the Identity Provider, then this will be https://<domain>:8443/idp/profile/oidc/token.

    5. Set Validate Token Signature to true (checked).

      1. The Signature Validation Key should be the signing Public Key PEM string for the Identity Provider. If RapidIdentity is the Identity Provider, the PEM string can be downloaded from Configuration > Identity Providers > IdP Configuration > Download the certificate used by the Identity Provider.

  13. Optionally, assign Claims.

    1. The Identifier Claim should match the value configured in the Federation Partner claim. If this is not specified, the value will be populated with email.

    2. The Lookup Attribute should match the LDAP attribute configured in the Federation Partner claim. If not specified, the value will be populated with the LDAP attribute that is configured for User Settings > Email Address Attribute.

  14. Click Save. Everything should now be in place to activate the OpenID Connect SSO.

  15. Navigate back to Configuration > Security > Login Configurations and select the new SSO. Click Toggle Active from the bottom action bar, and the check mark next to your selection should turn green to denote that it is active.

  16. SSO via OpenID Connect should now be working.

    Note

    Testing should be performed in an Incognito browser window, or a different browser, so that if anything is not working, the Login Configuration can be re-configured or toggled inactive while it is being fixed.
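The following is an added example, not RapidIdentity code, that turns the two checklists above into a review script: the Federation Partner SSO Settings from step 5 of the SAML procedure, and the OpenID Provider Details, token endpoint port and Validate Token Signature requirement from the OIDC procedure. The dictionary keys and the example domain are assumptions chosen for illustration; the expected values are the ones the guide gives.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Federation Partner SSO Settings the guide prescribes for the SAML 2.0 flow.
SAML_SSO_SETTINGS = {
    "include_saml2_attribute_statement": True,
    "sign_saml2_sso_response": "Always",
    "sign_saml2_sso_assertions": "Never",
    "encrypt_saml2_sso_assertions": "Never",
    "encrypt_saml2_sso_name_ids": "Never",
    "signature_algorithm": "RSA SHA-256",
    "skip_endpoint_validation_when_signed": True,
    "enabled_ecp_settings": False,
}

def lint_saml_partner(settings: Dict) -> List[str]:
    """List SSO settings that differ from the guide's values."""
    return [f"{k}: expected {v!r}, got {settings.get(k)!r}"
            for k, v in SAML_SSO_SETTINGS.items() if settings.get(k) != v]

def expected_oidc_config(domain: str) -> Dict:
    """Values the guide gives when RapidIdentity is both IdP and Relying Party."""
    base = f"https://{domain}"
    return {
        "callback_url": f"{base}/oidc/callback",
        "issuer": f"{base}/idp",
        "logout_redirect_url": f"{base}/idp/logout",
        "authorization_endpoint": f"{base}/idp/profile/oidc/auth",
        "token_endpoint": f"{base}:8443/idp/profile/oidc/token",  # port 8443 required
        "validate_token_signature": True,
        "identifier_claim": "email",  # default applied when the field is left blank
    }

def lint_oidc_config(cfg: Dict, domain: str) -> List[str]:
    """List OIDC Login Configuration values that deviate from the guide."""
    want, findings = expected_oidc_config(domain), []
    for key in ("issuer", "logout_redirect_url", "authorization_endpoint", "token_endpoint"):
        val = cfg.get(key, "")
        if urlparse(val).scheme != "https":
            findings.append(f"{key}: must be an https URL, got {val!r}")
        elif key == "token_endpoint" and urlparse(val).port != 8443:
            findings.append("token_endpoint: port 8443 is required when the IdP is RapidIdentity")
        elif val != want[key]:
            findings.append(f"{key}: expected {want[key]}, got {val}")
    if not cfg.get("validate_token_signature"):
        findings.append("validate_token_signature: must be enabled so ID tokens are verified")
    elif "-----BEGIN" not in cfg.get("signature_validation_key", ""):
        findings.append("signature_validation_key: paste the IdP signing certificate PEM")
    return findings
```

Run the two lint functions over an export of your settings before clicking Toggle Active; an empty list means the configuration matches the guide.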

Toggling Login Configurations

To determine which Login Configuration will be set to active, navigate to Configuration > Security > Login Configurations and select the desired configuration setup.

  • Only one login configuration may be active at a time.

  • If a login configuration is selected and toggled with no login configurations active, that configuration will be activated.

  • If you toggle an active login configuration, it will be deactivated.

  • If you toggle an inactive login configuration while another configuration is active, the active configuration will be deactivated and the selected configuration will be activated.