OpenID Provider

Performing this scenario will produce an OpenID Provider (OP) that can be used for user authentication. Before executing it, make sure you have configured the "Keystore" and "Relying party" scenarios, as well as any "Authenticator" scenario.

Name & Description

Start by giving the scenario a friendly name and description. Then click Next.

Base URL

Then enter the base URL where your PAS instance is available. This is usually the same URL you are currently using to reach the configuration manager. It should not contain any path, meaning it should only contain "" and not "".

Internal tenant ID

Then you will enter the internal identification string for your OIDC OP. This will also be visible as part of your "issuer" id, as well as all your endpoint URLs. This string can be anything as long as it is unique within your configuration. 


Now enter the OIDC scopes you want to support. "openid" is required, but "profile", "email" and "address" are also commonly supported. Which claims (attributes) these scopes will contain is defined in a later step.


In this step, enter which claims you would like to support, and select which scopes (you may select multiple) these claims should be added to. Each claim is an attribute that should be available in the pipe of your executed authenticator. The "sub" attribute will by default be taken from the identified user at the executed authenticator, but can be overridden if configured to do so.

Each claim for all the scopes you have identified will be available at the userinfo endpoint, but at this step you can select whether a claim should be included in the ID Token too. You may also configure additional parameters, such as a consent display name.

After you have configured each claim, remember to press "add claim" and check that it appears in the "current claims" bulleted list. After you have configured all your claims, press "next".

Allowed relying parties

At this step, select which of the OIDC Relying Parties (RPs) should be allowed to request authentication via your OP. You configure the relying parties via the "Relying Party" guide scenario, next to this one.


Here you select which authenticator you would like your OIDC OP to use. This will often be a Dispatcher or AuthSelector that can direct the authentication flow further, based on context parameters or user selection, but it can also be any other direct authenticator. You need to set up your authenticator prior to this via the guide scenarios in the "Authenticators" tab.


Then select the keystore you want your OpenID Provider to use. This is what will be used to sign assertions and so on. You can upload your keystore by going through the guide scenario "Keystore" right next to this one.

The result

After clicking "create", your OIDC OP will be created and an edit page will be shown. There you can configure additional properties, such as when refresh tokens should be issued, what additional audiences the ID Tokens should include, whether PKCE should be enforced, and so on. You can click on "View OP discovery" to see your resulting OP discovery document. OIDC authentication requests can now be sent to <your-base-url>/authentication/oidc/<your-internal-tenant-id>/login
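One way to sanity-check the discovery document shown by "View OP discovery" against the values entered in this scenario. This is an added example, not PAS code: `check_discovery` is a hypothetical helper, the field names are the standard OIDC discovery metadata names, and the sample documents, host and every endpoint path other than `/login` are constructed.

```python
from urllib.parse import urlsplit

def check_discovery(doc, base_url, tenant_id):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    base = urlsplit(base_url)
    if base.scheme != "https":
        findings.append("base URL is not https")
    if base.path not in ("", "/") or base.query or base.fragment:
        findings.append("base URL contains a path, query or fragment")

    # The issuer and every endpoint should be served from the base URL's
    # origin and carry the internal tenant ID as one path segment.
    urls = {k: v for k, v in doc.items()
            if k in ("issuer", "jwks_uri") or k.endswith("_endpoint")}
    if "issuer" not in urls:
        findings.append("issuer is missing")
    for name, value in sorted(urls.items()):
        u = urlsplit(value)
        if (u.scheme, u.netloc) != (base.scheme, base.netloc):
            findings.append(f"{name} is not served from the base URL")
        if tenant_id not in u.path.split("/"):
            findings.append(f"{name} does not contain the tenant ID")

    if "openid" not in doc.get("scopes_supported", []):
        findings.append("scope 'openid' is not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE method S256 is not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("unsigned ID Tokens (alg 'none') are advertised")
    return findings

# Constructed sample, not real PAS output; only the /login path is from the page.
BASE, TENANT = "https://pas.example.com", "demo-op"
PREFIX = f"{BASE}/authentication/oidc/{TENANT}"
GOOD = {
    "issuer": PREFIX,
    "authorization_endpoint": f"{PREFIX}/login",
    "token_endpoint": f"{PREFIX}/token",
    "userinfo_endpoint": f"{PREFIX}/userinfo",
    "jwks_uri": f"{PREFIX}/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Constructed misconfiguration: plain-http token endpoint, no openid scope, no PKCE.
BAD = dict(GOOD, token_endpoint=f"http://pas.example.com/authentication/oidc/{TENANT}/token",
           scopes_supported=["profile"], code_challenge_methods_supported=[])
```

Calling `check_discovery(GOOD, BASE, TENANT)` returns an empty list, while `BAD` yields one finding per deviation. The S256 check is advisory when PKCE enforcement is left disabled on the edit page.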

To read more about how it works and how to configure the OIDC OP, please read the article OpenID Provider in PAS 5.1 and beyond.