The OIDC "issuer" value needs to be determined, and the OpenID discovery document needs to be made accessible. The issuer value is set in conf/oidc.properties and must be a URL using the "https" scheme that contains a host and, optionally, port number and path components, and no query or fragment components. It must resolve to the deployment in question. As a result, while it may be the same as one's SAML entityID, it often cannot be, as SAML does not conflate identity and location in this fashion.

conf/oidc.properties:

    idp.oidc.issuer = https://your.issuer.example.org
A common way for RPs to configure themselves against an OP is to read the openid-configuration resource as defined in https://openid.net/specs/openid-connect-discovery-1_0.html. A template for this file is created in static/openid-configuration. You will need to update it to match your configuration. At minimum this means replacing "{{ service_name }}" with the host portion of your issuer value. For the RP to locate the file you will either have to:

- Configure your Java container or other web server "front-end" to publish it at this exact location (obviously the prefix depends on your issuer value): https://your.issuer.example.org/.well-known/openid-configuration

- Or (more typically), configure that location to route into your IdP at "/idp/profile/oidc/discovery" to generate the document more dynamically.

The OPDiscovery topic describes this further.
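The following added example (not part of the Shibboleth documentation or the IdP's own code) checks an issuer value against the constraints stated above, substitutes the host portion of the issuer into a constructed stand-in for the static/openid-configuration template, and then runs the consistency checks an RP applies; the endpoint paths in the template are assumptions for illustration only.

```python
import json
from urllib.parse import urlsplit

def validate_issuer(issuer: str) -> list:
    """Return the constraint violations; an empty list means the value is acceptable."""
    parts = urlsplit(issuer)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("host component is required")
    if parts.query:
        problems.append("query component not allowed")
    if parts.fragment:
        problems.append("fragment component not allowed")
    return problems

# Constructed stand-in for static/openid-configuration; the shipped template
# carries many more fields, and these endpoint paths are assumed, not documented.
TEMPLATE = """{
  "issuer": "https://{{ service_name }}",
  "authorization_endpoint": "https://{{ service_name }}/idp/profile/oidc/authorize",
  "token_endpoint": "https://{{ service_name }}/idp/profile/oidc/token"
}"""

def render_discovery(issuer: str, template: str = TEMPLATE) -> dict:
    """Replace {{ service_name }} with the host (plus optional port) of the issuer."""
    problems = validate_issuer(issuer)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(template.replace("{{ service_name }}", urlsplit(issuer).netloc))

def discovery_url(issuer: str) -> str:
    """Location an RP derives from the issuer per OpenID Connect Discovery 1.0."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_document(issuer: str, doc: dict) -> list:
    """RP-side checks: the document's issuer must equal the configured issuer,
    and the endpoints must sit under it. An issuer with a path component will
    fail here if only the host was substituted into the template."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(key, "").startswith(issuer.rstrip("/") + "/"):
            problems.append(key + " not under issuer")
    return problems
```

Substituting only the host is sufficient for a bare-host issuer; an issuer carrying a path needs the "issuer" field and endpoint prefixes in the template adjusted by hand as well, which the document check above catches.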