How to configure PhenixID Authentication Services as an OpenID Connect Provider (OP) - using Implicit Flow
This document describes how to set up PhenixID Authentication Services as an OpenID Connect Provider (OP) using the OIDC Implicit Flow, in Advanced configuration mode.
It is recommended to use a scenario to set up this configuration.
It is recommended to read through this document before you start to configure the service.
Add keystore, relying party trust configuration and authorization endpoint
Follow these instructions:
Add authorization pipe
Add pipe for authorization.
NB! This exact configuration may not suit your environment, depending on authentication methods, user database query requirements etc. Make sure to change the configuration below to suit your environment:
- LDAP base_dn, filter_template, connection_ref
- JWT keystore reference
- JWT claims
- access_token (only applicable for cases where response_type includes token)
{
    "id": "PipeOIDCAuthorization",
    "valves": [
        {
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "MyAD",
                "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "sAMAccountName={{request.username}}",
                "attributes": "sn,givenName,mail"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "redirect_uri",
                "value": "{{request.redirect_uri}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "response_type",
                "value": "{{request.response_type}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "state",
                "value": "{{request.state}}"
            }
        },
        {
            "name": "GenerateJWTTokenValve",
            "config": {
                "subjectattribute": "{{request.username}}",
                "keystore": "bhull",
                "tokenattributes": [
                    {
                        "name": "nonce",
                        "value": "{{request.nonce}}"
                    },
                    {
                        "name": "aud",
                        "value": "{{request.client_id}}"
                    },
                    {
                        "name": "iss",
                        "value": "https://demo.phenixid.net"
                    },
                    {
                        "name": "amr",
                        "value": "pwd"
                    },
                    {
                        "name": "given_name",
                        "value": "{{item.givenName}}"
                    },
                    {
                        "name": "family_name",
                        "value": "{{item.sn}}"
                    }
                ]
            }
        },
        {
            "name": "SessionLoadValve",
            "config": {
                "id": "{{request.session_id}}",
                "_comment": "Only needed if response_type includes token"
            }
        },
        {
            "name": "UUIDCreateValve",
            "enabled": "true",
            "config": {
                "name": "access_token",
                "_comment": "Only needed if response_type includes token"
            }
        },
        {
            "name": "SessionClearAllAliasValve",
            "config": {
                "_comment": "Only needed if response_type includes token"
            }
        },
        {
            "name": "SessionBindValve",
            "config": {
                "alias": "{{item.access_token}}",
                "_comment": "Only needed if response_type includes token"
            }
        },
        {
            "name": "PropertyKeepValve",
            "config": {
                "name": "redirect_uri,state,id_token,response_type,access_token"
            }
        }
    ],
    "created": "2017-11-13T09:53:46.595Z"
}
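To make the template substitution, the claim mapping and the "only if response_type includes token" parts of the pipe concrete, the following is an added Python model written for this page (it is not PhenixID code and does not call the real valves): the request and LDAP values are constructed, JWT signing with the keystore is left out, and a relying-party check of the nonce, aud and iss claims the pipe sets is included, since that check is what stops a replayed or mis-addressed id_token from being accepted.

```python
import re
import uuid

# Constructed sample input (not from the page): the incoming OIDC authorization
# request parameters and the LDAP entry that LDAPSearchValve would find.
SAMPLE_REQUEST = {
    "username": "alice", "client_id": "demo-rp", "nonce": "n-0S6_WzA2Mj",
    "redirect_uri": "https://rp.example/cb", "response_type": "id_token token",
    "state": "af0ifjsldkj", "session_id": "sess-1",
}
SAMPLE_ITEM = {"givenName": "Alice", "sn": "Andersson", "mail": "alice@example"}
ISSUER = "https://demo.phenixid.net"  # the "iss" value hard-coded in the pipe

TEMPLATE = re.compile(r"\{\{(request|item)\.(\w+)\}\}")

def render(template, request, item):
    """Resolve {{request.x}} / {{item.x}} placeholders as the pipe's valves do."""
    scope = {"request": request, "item": item}
    return TEMPLATE.sub(lambda m: scope[m.group(1)].get(m.group(2), ""), template)

def run_authorization_pipe(request, item):
    """Model of PipeOIDCAuthorization: returns the properties PropertyKeepValve retains."""
    id_token = {  # claims from GenerateJWTTokenValve's tokenattributes (unsigned here)
        "sub": render("{{request.username}}", request, item),
        "nonce": render("{{request.nonce}}", request, item),
        "aud": render("{{request.client_id}}", request, item),
        "iss": ISSUER,
        "amr": "pwd",
        "given_name": render("{{item.givenName}}", request, item),
        "family_name": render("{{item.sn}}", request, item),
    }
    props = {
        "redirect_uri": request["redirect_uri"],
        "state": request["state"],
        "response_type": request["response_type"],
        "id_token": id_token,
    }
    # UUIDCreateValve / SessionBindValve are only needed when response_type
    # includes "token": then an opaque access_token is minted and bound to the session.
    if "token" in request["response_type"].split():
        props["access_token"] = str(uuid.uuid4())
    return props

def check_id_token_claims(claims, client_id, expected_nonce, issuer=ISSUER):
    """Relying-party checks on the claims set above: nonce ties the token to the
    request that was sent, aud must be this client, iss must be the trusted OP.
    The signature check against the OP's keystore is assumed to happen first."""
    return (claims.get("nonce") == expected_nonce
            and claims.get("aud") == client_id
            and claims.get("iss") == issuer)
```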