OpenID Connect – Username, password and PhenixID OneTouch

This authenticator is DEPRECATED. Please setup a SAML Identity Provider with the corresponding authentication method. Connect your OpenID Connect Provider to the SAML IdP using the scenario OIDC->SAML Identity Provider (internal or external).

This authenticator is used for username-password-PhenixID OneTouch authorization in OpenID Connect scenarios.

Configuration Properties

Name Description Default value Mandatory
loginTemplate Template to use for user interface (username and password prompt). login.template No
userNameParamName Name of the username request parameter username No
passworParamterName Name of the password request parameter. password No
pipeID Id of pipe used to validate username and password.   Yes
servicename Service name (will be used in PhenixID OneTouch assignment) PhenixID No
clientTemplate Assignment template file onetouchhtml No
notify Send push notice to client true No
pollingTemplate Template file used to display polling page onetouchpoll.template No
allowedRP Array of relying parties (client_id:s) allowed to use this authorization endpoint   Yes
requireConsent Present consent screen (true/false) to end user. false No
consentTemplate Template file to use for consent oidcconsent No

Example configuration

LDAP user store is used in this example.

HTTP Authenticators 

{
  "id" : "unpwot",
  "alias" : "unpwot",
  "name" : "OIDCUidPasswordOneTouch",
    "configuration" : {
    "pipeID" : "UserLookupAndAuthWithLDAP",
    "allowedRP": [
				"myApp"
			]
  }
}

Pipe 

{
  "id" : "UserLookupAndAuthWithLDAP",
    "valves" : [ {
      "name" : "LDAPSearchValve",
      "config" : {
        "connection_ref" : "local_ldap",
        "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
        "scope" : "SUB",
        "size_limit" : "0",
        "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
        "attributes" : "commonName,uid,mail,mobile"
        }
      }, {
        "name" : "LDAPBindValve",
        "config" : {
          "connection_ref" : "local_ldap",
          "password_param_name" : "password"
        }
      } ,{
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.session_id}}"
        }
      },
{
				"name": "PropertyAddValve",
				"config": {
					"name": "redirect_uri",
					"value": "{{request.redirect_uri}}"
				}
			},
			{
                "name": "UUIDCreateValve",
                "enabled": "true",
                "config": {
                    "name": "code"
                }
            },
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "state",
					"value": "{{request.state}}"
				}
			},
			{
				"name": "SessionClearAllAliasValve",
				"config": {}
			},
			{
				"name": "SessionBindValve",
				"config": {
					"alias": "{{item.code}}"
				}
			},
			{
				"name": "PropertyKeepValve",
				"config": {
					"name": "redirect_uri,state,code"
				}
			}
]
}

 

Database Connection 

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

Notes

Please be aware that this authenticator only is not sufficient to complete a full OpenIDConnect authentication scenario! This only describes the authorization endpoint part. To complete with token endpoint configuration, please view this document.