How to configure PhenixID Authentication Services as an OpenIDConnect Relying Party (RP) consuming an external authentication (OP)

This document describes how to configure PhenixID Authentication Services to authenticate users by consuming an external OpenID Connect Provider (OP). It does not cover the integration of the system to be protected.

System requirements

PhenixID Authentication Services 3.2 or later.

Make sure you have a current copy of phenix-store.json, as this file will be updated when following these instructions.

Configuration

MODULES

The OIDC-discovery module has to be configured. Please add the following configuration to the bucket called MODULES:

{
    "name" : "com.phenixidentity~phenix-oidc-discovery",
    "id" : "oidcdiscovery"
  }

NODE_GROUPS

The OIDC-discovery module has to be loaded. Add the id of the OIDC-discovery module to the module_refs of the NODE_GROUPS configuration, for example:

"NODE_GROUPS" : [ {
    "name" : "default",
    "description" : "Default node group (created automatically) - all nodes belong to this group",
    "config" : {
      "module_refs" : "oidcdiscovery,312d1763-beaf-4c40-9a3a-f558c3ed79ce,cbb99ad9-6a60-49a0-8256-fc0bec44c6b6"
    },
    "created" : "2019-10-24T07:27:10.312Z",
    "id" : "e72dc2bf-961e-47dd-97ca-216b28f3ec52",
    "modified" : "2019-11-08T16:36:31.713Z"
  } ]

OIDCDISCOVERY

The OIDC OP configuration is consumed by OIDC-Discovery. Please add the following configuration to the bucket called OIDCDISCOVERY. Adjust the configuration as needed.

[ {
    "id" : "ExternalOP",
    "url" : "https://oidc-current.externalop.com/auth/realms/current/.well-known/openid-configuration"
  } ]

AUTHENTICATORS

The Relying Party authenticator is configured as shown below. Adjust the values as needed; refer to the authenticator documentation for the available parameters.

The redirectUri value must be sent to the OpenID Connect Provider admin so that it can be whitelisted at the OP.

{
    "alias" : "oidcrp",
    "id" : "oidcrp",
    "name" : "OidcRP",
    "configuration" : {
      "pipeID" : "OIDC-RP-Pipe",
      "successUrl" : "/activateonetouch",
      "redirectUri" : "https://auth.organisation.com/activateonetouch/authenticate/oidcrp",
      "secret" : "provided_by_OP",
      "clientId" : "provided_by_OP",
      "opId" : "ExternalOP",
      "usernameAttribute" : "sub",
      "executeUserInfoLookup" : "false",
      "scope" : "openid"
    }
  }

PIPES

The pipe is responsible for validating the data in the ID token (JWT) and adding data about the authenticated user to the session. Refer to the valve documentation for additional reference.

{
    "id" : "OIDC-RP-Pipe",
    "valves" : [ {
      "name" : "IDTokenSignatureValidationValve",
      "config" : {
        "__token_parameter" : "{{request.user_info}}",
        "token_parameter" : "{{request.id_token}}",
        "internal_op_id_key" : "{{request.internal_op_id}}"
      }
    }, {
      "name" : "IDTokenUnwrapAndVerifyValve",
      "config" : {
        "performTimeValidation" : "false",
        "__token_parameter" : "{{request.user_info}}",
        "token_parameter" : "{{request.id_token}}"
      }
    }, {
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.session_id}}"
      }
    }, {
      "name" : "SessionPropertyAddValve",
      "config" : {
        "name" : "nnin",
        "value" : "{{item.nnin}}"
      }
    }, {
      "name" : "SessionDumpToLog",
      "config" : { }
    }, {
      "name" : "SessionPersistValve",
      "config" : { }
    } ]
  }
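The following is an added example and not PhenixID code: a small stand-alone model of what the two validating valves in the pipe above do with request.id_token, so that the effect of each setting can be seen on real tokens. It assumes HS256 with the client secret as the signing key (so it runs with the Python standard library only; PhenixID itself validates RS256 tokens against the OP's JWKS obtained through the OIDCDISCOVERY entry), an issuer derived from the discovery URL on this page, and constructed values for clientId, secret, nonce and the nnin claim. The performTimeValidation switch mirrors the pipe setting: with it set to false, an expired id_token is accepted, which is the trade-off to be aware of when copying the pipe as-is.

```python
"""Added example (not PhenixID's code): model of the OIDC-RP pipe's id_token checks.
Assumptions: HS256 with the client secret as key; issuer derived from the page's
discovery URL; all sample values below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://oidc-current.externalop.com/auth/realms/current"  # assumed from discovery URL
CLIENT_ID = "oidcrp-client"           # constructed; the page uses "provided_by_OP"
SECRET = "constructed-demo-secret"    # constructed; the page uses "provided_by_OP"
NOW = 1_700_000_000                   # fixed clock so the demo is reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: str) -> str:
    """Constructed test OP: mint an HS256-signed id_token (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_signature(token: str, secret: str) -> dict:
    """Counterpart of IDTokenSignatureValidationValve: verify before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("id_token signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def unwrap_and_verify(claims: dict, issuer: str, client_id: str, nonce=None,
                      perform_time_validation: bool = True, now=None, leeway: int = 60) -> dict:
    """Counterpart of IDTokenUnwrapAndVerifyValve: iss, aud/azp, nonce and (optionally) exp/iat."""
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain our clientId")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or mismatched for multi-audience token")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if perform_time_validation:  # the pipe on this page sets performTimeValidation to "false"
        now = time.time() if now is None else now
        if "exp" not in claims or now > claims["exp"] + leeway:
            raise ValueError("id_token expired")
        if "iat" in claims and claims["iat"] > now + leeway:
            raise ValueError("iat in the future")
    return claims


def run_pipe(token: str, secret: str, issuer: str, client_id: str, username_attribute: str = "sub",
             perform_time_validation: bool = True, now=None, nonce=None) -> dict:
    """Run the two validating valves, then build the session like usernameAttribute + SessionPropertyAddValve."""
    claims = validate_signature(token, secret)
    claims = unwrap_and_verify(claims, issuer, client_id, nonce, perform_time_validation, now)
    session = {"username": claims[username_attribute]}
    if "nnin" in claims:  # SessionPropertyAddValve analogue for the nnin property
        session["nnin"] = claims["nnin"]
    return session


def pipe_outcome(**kwargs):
    """Return the session on success, or 'REJECTED: <reason>' on failure (the line worth logging)."""
    try:
        return run_pipe(**kwargs)
    except ValueError as exc:
        return f"REJECTED: {exc}"


# Constructed sample tokens: one valid, one expired an hour ago.
GOOD_TOKEN = sign_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": NOW + 300,
                            "iat": NOW, "nonce": "n-1", "nnin": "199001011234"}, SECRET)
EXPIRED_TOKEN = sign_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": NOW - 3600,
                               "iat": NOW - 3900, "nonce": "n-1"}, SECRET)

if __name__ == "__main__":
    common = dict(secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=NOW, nonce="n-1")
    print("valid token        :", pipe_outcome(token=GOOD_TOKEN, **common))
    print("expired, time check:", pipe_outcome(token=EXPIRED_TOKEN, **common))
    print("expired, no check  :", pipe_outcome(token=EXPIRED_TOKEN, perform_time_validation=False, **common))
    print("tampered signature :", pipe_outcome(token=GOOD_TOKEN[:-4] + "AAAA", **common))
```

Running the block prints the four outcomes; the third line shows that with performTimeValidation disabled the expired token still yields a session, so if that setting is kept from the pipe above, token lifetime has to be enforced elsewhere (for example by a short session lifetime and the OP's own session handling).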