RP Broker

This scenario will create an authenticator that acts as a OIDC Relying party and delegates authentication to a trusted OpenID Provider. This OP can be internal (hosted at the same PAS instance) or external. 


This scenario requires you to first complete the guide scenario "OIDC -- Relying party" with the "Allowed Redirect URIs" containing the URL that this authenticator will be available at. The URL this authenticator is available at depends on what it will be used to provide authentication for. For example, if you wish to provide authentication for your SAML IdP with the id "my_saml_idp_id" the allowed redirect URIs will need to contain "https://yourpasdomain.com/authentication/saml/my_saml_idp_id/login". 

You will also need to deploy the module "OIDC Discovery" see the solution document "Open ID discovery - com.phenixidentity~phenix-oidc-discovery" to achieve this. This is required even if the target OP is internal.

Name and Description

Input the name and description of your authenticator scenario


Here you enter an alias for your authenticator, which is a more user friendly version of the authenticator's ID (which is a random, auto generated UUID string).

OpenID Provider

Then select the OpenID Provider the authenticator should send its authentication requests to. For an OpenID Provider to show up in this selection, it needs to be found via OIDC discovery. See the "prerequisites" section here -- you need to set up OIDC Discovery here (even if the OP is internal). 

Select relying party

Here, you just select the OIDC Relying party you created prior to this guide. See the "prerequisites" section for the specific requirements.

The result

Upon finishing the guide scenario, you will be met with an edit page where you can adjust additional settings. For example you can select if PKCE should be used, if nonce should be used, and if userinfo lookup should be done. You can also see the "execution flow" tab where you can adjust the pipes and valves created in the scenario.