...

The following requirements exist for this flow to operate:

  1. The Issuer Identifier of the upstream OpenID Provider must be known somehow.

  2. The OP must make available its configuration document at the well-known location - although this behavior can be customized.

The following steps must be followed to enable the RP to communicate with an upstream OpenID Provider:

  1. Create a client with your OpenID Provider.

    1. Note your client_id and client_secret.

    2. If you want to enable asymmetric (public key) Request Object signing and/or ID Token or UserInfo token encryption, register the corresponding public signature and encryption keys with the OP.

  2. Add your client_id to the property idp.authn.oidc.rp.client.clientId.

  3. Add your client_secret to the property idp.authn.oidc.rp.client.clientSecret.

  4. Establish the Proxy Issuer.

  5. Configure a Redirect URL.

  6. Configure the attribute filter to expose claims to the rest of the system.

  7. Change the login flow to OIDCRelyingParty in authn.properties.

For finer control, see the Advanced Configuration topics. Adjust your Auditing requirements as appropriate.

...

## Comment this property out
# idp.authn.oidc.rp.provider.proxyIssuer = <something>
## Set this property to true
idp.authn.oidc.rp.provider.discoveryRequired = true

JSON Web Key Set Document

Advanced Request Object signing and ID Token and UserInfo response encryption require the RP to publish its signing and encryption public keys in its Key Set Document, which is presented to the OP as the jwks_uri. To enable the profile endpoint, add the following profile bean to the shibboleth.UnverifiedRelyingParty bean:

  • OIDC.Keyset

The profile URI: /idp/profile/oidc/rp/keyset

There is a single global keyset profile. If multiple downstream OPs are used there is no way to present different keys to different OPs. This is unlikely to occur for the time being as discovery is not implemented by default. It will be revised in future versions.

Advanced Authentication Request Options

...

To construct the final set of End-User claims to translate and filter, the system performs two important operations:

  1. Sanitizes the UserInfo and id_token claims.

  2. Merges the sanitized UserInfo claims with those in the id_token.

The default claim sanitization strategy removes any ‘validation’ claims and leaves the ‘identity’, ‘authorization’, and ‘misc’ claims. This prevents validation claims from reaching the attribute translation and filtering stages, although they remain available to various internal functions. See the table below for which claims are removed by default.

...

The default merging strategy combines claims in the UserInfo response with those from the id_token to produce a new claims set using the following logic:

  1. If one of the UserInfo or id_token claim sets is null, the other is returned.

  2. If both input claim sets are null, an empty claims set is returned.

  3. Otherwise the id_token claims are merged into the UserInfo claims; if a claim name clashes, the value from the id_token is favoured over that from the UserInfo response.

Both strategies can be customised by supplying beans named shibboleth.authn.oidc.rp.ClaimMergingStrategy and shibboleth.authn.oidc.rp.ClaimSanitizationStrategy. See the Reference section below.
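The following is an added example, not the plugin's own code, that models the two default strategies described above (sanitization, then merging with id_token precedence and the documented null handling) so the resulting claim set can be inspected. The set of ‘validation’ claims is an assumption, since the page's classification table is not reproduced here, and the sample tokens are constructed.

```python
"""Model of the default claim sanitization and merging strategies (added example)."""
from typing import Optional

# ASSUMPTION: the page's claim-classification table is elided, so this set of
# "validation" claims (only needed to validate the token, never identifying the
# user) is an illustrative approximation. identity/authorization/misc claims
# such as sub, email, acr and amr are kept.
VALIDATION_CLAIMS = frozenset({"iss", "aud", "exp", "iat", "nbf", "jti",
                               "nonce", "azp", "at_hash", "c_hash", "s_hash"})

# Constructed sample inputs: the id_token is the signed assertion from the OP,
# the UserInfo response is plain JSON unless requireJWTResponse is set.
SAMPLE_ID_TOKEN = {
    "iss": "https://op.example.org", "sub": "24400320", "aud": "rp-client-id",
    "exp": 1700003600, "iat": 1700000000, "nonce": "n-0S6_WzA2Mj",
    "email": "jane@idtoken.example",
    "acr": "urn:mace:incommon:iap:silver", "amr": ["pwd", "otp"],
}
SAMPLE_USERINFO = {
    "sub": "24400320", "name": "Jane Doe",
    "email": "jane@userinfo.example",          # clashes with the id_token value
    "picture": "https://op.example.org/jane.png",
}


def sanitize(claims: Optional[dict]) -> Optional[dict]:
    """Default strategy: drop validation claims; a null claim set stays null."""
    if claims is None:
        return None
    return {k: v for k, v in claims.items() if k not in VALIDATION_CLAIMS}


def merge(userinfo: Optional[dict], id_token: Optional[dict]) -> dict:
    """Default strategy: null handling as documented, id_token wins on a clash."""
    if userinfo is None and id_token is None:
        return {}
    if userinfo is None:
        return dict(id_token)
    if id_token is None:
        return dict(userinfo)
    merged = dict(userinfo)
    merged.update(id_token)  # id_token value is favoured when names clash
    return merged


def build_end_user_claims(userinfo: Optional[dict], id_token: Optional[dict]) -> dict:
    """Sanitize both inputs, then merge them into the final End-User claim set."""
    return merge(sanitize(userinfo), sanitize(id_token))


if __name__ == "__main__":
    print(build_end_user_claims(SAMPLE_USERINFO, SAMPLE_ID_TOKEN))
```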

...

OIDC RelyingParty Specific Properties

| Name | Type | Default | Description |
|---|---|---|---|
| idp.authn.oidc.rp.provider.proxyIssuer | String | | Statically-defined Issuer ID of the upstream OP to use for authentication. |
| idp.authn.oidc.rp.client.clientId | String | | OAuth 2.0 Client Identifier valid at the Authorization Server. |
| idp.authn.oidc.rp.client.redirecturl.allowedOrigins | String list | | A list of allowed origins the RP can use when dynamically creating a redirect URI. Can be overridden with a fixed redirect URI using the property idp.authn.oidc.rp.client.redirectURL. |
| idp.authn.oidc.rp.client.redirectURI | String | | The redirect URI to supply to the Authorization Server during an Authentication Request; this is where the Authentication Response is sent. Overrides the redirect URI dynamically computed from idp.authn.oidc.rp.client.redirecturl.allowedOrigins. |
| idp.authn.oidc.rp.client.clientSecret | String | | OAuth 2.0 secret known only to the IdP and the Authorization Server. Used to authenticate the RP to the Authorization Server and potentially to secure JSON Web Tokens. |
| idp.authn.oidc.rp.provider.keyfetch.interval | Duration | 30 minutes | The duration for which an OpenID Provider’s key set document is cached. |
| idp.authn.oidc.rp.client.enc.key | Resource path | | Resource containing a JWK private key for decryption, typically a file in the credentials directory. For example, for decrypting ID Tokens or UserInfo tokens. |
| idp.authn.oidc.rp.client.sig.key | Resource path | | Resource containing a private key for signing, typically a file in the credentials directory. For example, to sign the Request Object (if used) sent to the Authorization Server. |
| idp.authn.oidc.rp.provider.discoveryRequired | Boolean | false | Whether to invoke OP discovery prior to running the flow. Default is false as there is currently no OP discovery mechanism to use. |
| idp.authn.oidc.rp.client.requestobject.supported | Boolean | false | Whether the authentication request to the Authorization Server should be passed inside a Request Object (by value). |
| idp.authn.oidc.rp.client.requestobject.encrypted | Boolean | false | If supported, whether the Request Object should be encrypted. |
| idp.authn.oidc.rp.client.requestobject.signed | Boolean | true | If supported, whether the Request Object should be signed. Defaults to true; otherwise the advantage of using a Request Object is limited to certain caching functions. |
| idp.authn.oidc.rp.client.userinfo.enabled | Boolean | true | Whether the RP should request claims from the UserInfo Endpoint. |
| idp.authn.oidc.rp.client.userinfo.requireJWTResponse | Boolean | false | If true, the UserInfo response must use the application/jwt format, i.e. be returned as a JWT. |
| idp.authn.oidc.rp.client.responseMode | String | query | The mechanism the OP uses to respond to an Authentication Request from the Authorization Endpoint. Only one of ‘query’ or ‘form_post’ is supported. |
| idp.authn.oidc.rp.client.scopes | String list | openid | Defines which scopes to request authorization for. By default ‘openid’ is required and always supplied. A comma-separated list of additional scopes can be requested, e.g. `profile,email`. |
| idp.authn.oidc.rp.supportedPrincipals | String list | | Comma-delimited list of protocol-specific Principal strings associated with the flow. The flow must support the principals requested by the SP. By default, the usual password-centric ones are used; these can be overridden by this property. Remember that by default these are not added to the authentication result (see idp.authn.oidc.rp.addDefaultPrincipal); instead, any AMRs or ACRs mapped from the upstream OP are used. |
| idp.authn.oidc.rp.addDefaultPrincipal | Boolean | false | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow. |
| idp.authn.oidc.rp.client.authenticationMethod | String | client_secret_basic | The mechanism by which the client authenticates to the Authorization Server when using the Token endpoint. Supports client_secret_basic and client_secret_post. |
| idp.authn.oidc.rp.client.idtoken.tlsServerValidationOnly | Boolean | false | If true and the ID Token was retrieved using TLS with server validation, JWS signature checking will be skipped. |

Properties

The general properties configuring this flow via authn/authn.properties are:

| Name | Type | Default | Description |
|---|---|---|---|
| idp.authn.oidc.rp.c14n.subjectidentifier.lowercase | Boolean | false | Whether to lowercase the incoming NameID value prior to applying any transforms. |
| idp.authn.oidc.rp.c14n.subjectidentifier.uppercase | Boolean | false | Whether to uppercase the incoming NameID value prior to applying any transforms. |
| idp.authn.oidc.rp.c14n.subjectidentifier.trim | Boolean | true | Whether to trim leading and trailing whitespace from the username. |
| idp.authn.oidc.rp.c14n.subjectidentifier.disabled | Boolean | false | Disable the inbuilt C14N flow and fall back to the system-wide C14N flows. |

...