{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"8b78cde5-0822-4a2f-9126-97ebc52ddb83"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"9b5179a0-5ac3-4ec1-84e8-02fa8a0315f4"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The OIDC OP plugin is the successor to the original GEANT-funded add-on to Shibboleth and is now available as an offically-supported plugin for IdP V4.1 and above. It provides conformant OIDC OP functionality alongside the SAML and CAS support previously native to the IdP software.","type":"text"}]},{"type":"paragraph","content":[{"text":"Starting with V3.1, the plugin also includes support for some OAuth 2 features, acting as a more generalized Authorization Service in the OAuth framework.","type":"text"}]},{"type":"paragraph","content":[{"text":"Please review the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2776760321"}},{"text":" when installing or upgrading a new version.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"V3.0 is the first release with code packages, XML namespaces, and other configuration elements native to the Shibboleth Project and with a \"stable\" configuration that will be supported in accordance with our ","type":"text"},{"text":"versioning policy","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1123451128"}}]},{"text":". It leverages the ","type":"text"},{"text":"plugin","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/PluginInstallation"}}]},{"text":" extension model introduced in V4.1.","type":"text"}]},{"type":"paragraph","content":[{"text":"Because of significant changes to the configuration (largely to automate or simplify the overall process of adding or removing this feature), there are a number of manual steps required to move from the older (pre-3.0) releases of this code to the new, \"stable\" version. These differences were unavoidable in the interest of preventing such complications in the future.","type":"text"}]},{"type":"paragraph","content":[{"text":"Those using the earlier V1.0 or V2.0 releases of this functionality (originally documented in ","type":"text"},{"text":"GitHub","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki"}}]},{"text":") should refer to ","type":"text"},{"text":"OIDC OP Upgrading","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878984"}}]},{"text":" for guidance on moving to this new release.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Implemented specifications","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OpenID Connect","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Core: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-core-1_0.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Discovery: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-discovery-1_0.html"}},{"text":" (Provider Metadata)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Dynamic Client Registration: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-registration-1_0.html"}},{"text":" (Client Metadata and Registration Endpoint)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RP-Initiated Logout","type":"text"},{"text":"4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Front-Channel Logout","type":"text"},{"text":"4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-frontchannel-1_0.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Back-Channel Logout","type":"text"},{"text":"4.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://openid.net/specs/openid-connect-backchannel-1_0.html"}},{"text":" ","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OAuth2","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.rfc-editor.org/rfc/rfc6749.html"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC6750: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc6750.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC7009: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc7009.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC7636: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc7636.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC7662: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc7662.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC8707","type":"text"},{"text":"3.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc8707.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC9068","type":"text"},{"text":"3.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc9068.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC9101","type":"text"},{"text":"4.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc9101.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC9126","type":"text"},{"text":"4.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc9126.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC9207","type":"text"},{"text":"3.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc9207.html"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RFC9449","type":"text"},{"text":"4.2","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]},{"text":": ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://www.rfc-editor.org/rfc/rfc9449.html"}},{"text":" ","type":"text"}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Plugin Installation","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Starting with IdP 4.2 you can the install the latest plugin version supported on your IdP version with","type":"text"},{"type":"hardBreak"},{"text":".\\plugin.sh -I net.shibboleth.idp.plugin.oidc.op","type":"text","marks":[{"type":"code"}]}]}]},{"type":"table","attrs":{"layout":"default","width":1207.0,"localId":"bb9e1e96-3b5b-47c3-8fe5-97b38ca47f67"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[218.0]},"content":[{"type":"paragraph","content":[{"text":"Plugin","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[270.0]},"content":[{"type":"paragraph","content":[{"text":"Plugin ID","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"Module(s)","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[204.0]},"content":[{"type":"paragraph","content":[{"text":"Depends on","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"text":"Bug Reporting","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[218.0]},"content":[{"type":"paragraph","content":[{"text":"OIDC OP Extension","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[270.0]},"content":[{"type":"paragraph","content":[{"text":"net.shibboleth.idp.plugin.oidc.op","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"idp.oidc.OP.5","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[204.0]},"content":[{"type":"paragraph","content":[{"text":"idp.oidc.config.4","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[302.0]},"content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/browse/JOIDC"}},{"text":" ","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Please review the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2776760321"}},{"text":" when installing or updating this plugin.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Dependencies","type":"text"}]},{"type":"paragraph","content":[{"text":"This plugin depends on the Shibboleth OIDC Common plugin, and you must first install ","type":"text"},{"text":"OIDCCommon","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878852"}}]},{"text":". The installer will prevent installation if this is not in place.","type":"text"}]},{"type":"paragraph","content":[{"text":"Since version 3.4.0, you must also install ","type":"text"},{"text":"OIDCConfig","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/3167158285"}}]},{"text":".","type":"text"}]}]},{"type":"expand","attrs":{"title":"Plugin Installation Example"},"content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"PluginInstallation"}},"macroMetadata":{"macroId":{"value":"c3d7553de6ee209c2487f704f6dc142b"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"6e4beff7-8fca-4b9f-a07b-2ef8f3c8fb2d"}}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enabling the Module","type":"text"}]},{"type":"paragraph","content":[{"text":"For a detailed guide on configuring modules, see the ","type":"text"},{"text":"ModuleConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/ModuleConfiguration"}}]},{"text":" topic. Once the plugin has been installed, its module should be enabled automatically for you:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Check Module Is Enabled","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"/%{idp.home}/bin$ ./module.sh -l\n\n...\nModule: idp.oidc.OP [ENABLED]","type":"text"}]},{"type":"paragraph","content":[{"text":"However, if you need to enable it you can using the ","type":"text"},{"text":"module","type":"text","marks":[{"type":"code"}]},{"text":" command:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Enable the module","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"/%{idp.home}/bin$ ./module.sh -e idp.oidc.OP","type":"text"}]},{"type":"paragraph","content":[{"text":"When enabled, a number of new configuration files will be created for further customization.","type":"text"}]},{"type":"paragraph","content":[{"text":"Systems upgraded to V4.1 are also likely to require adding the ","type":"text"},{"text":"idp.searchForProperties=true","type":"text","marks":[{"type":"strong"}]},{"text":" property to their ","type":"text"},{"text":"idp.properties","type":"text","marks":[{"type":"em"}]},{"text":" file, or else an explicit reference would have to be added to the new property file added by the module. It's best to clean up the property loading situation prior to using plugins that add their own.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Initial Setup","type":"text"}]},{"type":"paragraph","content":[{"text":"Because this plugin is considerably more extensive than most, there are more touchpoints to the rest of the IdP configuration and a larger-than-usual set of initial setup steps needed before it can be used. The IdP may not even startup properly until some of them are completed.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"First Steps","type":"text"}]},{"type":"paragraph","content":[{"text":"Add an import statement to ","type":"text"},{"text":"conf/credentials.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Adjust or add the ","type":"text"},{"text":"idp.searchForProperties","type":"text","marks":[{"type":"strong"}]},{"text":" setting in idp.properties and set it to true to auto-locate and load the new properties file. This will extend to other new features in the future, so makes adding and removing new functionality simpler.","type":"text"}]},{"type":"paragraph","content":[{"text":"If you want to leverage the new default claim mapping rules, you can add an import to ","type":"text"},{"text":"conf/attributes/default-rules.xml","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"codeBlock","content":[{"text":"","type":"text"}]},{"type":"paragraph","content":[{"text":"The impact of this is to reduce the need for ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements in your ","type":"text"},{"text":"Attribute Resolver","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/AttributeResolverConfiguration"}}]},{"text":" configuration when adhering to \"default\" expectations for the names of attributes and how they map into OIDC claims. We encourage this as it makes things simpler and more consistent but it isn't mandatory.","type":"text"}]},{"type":"paragraph","content":[{"text":"The additional files created in ","type":"text"},{"text":"conf/examples","type":"text","marks":[{"type":"strong"}]},{"text":" (","type":"text"},{"text":"oidc-attribute-resolver.xml","type":"text","marks":[{"type":"em"}]},{"text":" and ","type":"text"},{"text":"oidc-attribute-filter.xml","type":"text","marks":[{"type":"em"}]},{"text":") are intended as a source of examples to copy into your own files. The most critical definitions needed are the rules for creating and releasing the \"sub\" claim, as that is a required OIDC feature (see ","type":"text"},{"text":"OIDC OP#ClaimSetup","type":"text","marks":[{"type":"link","attrs":{"href":"#OIDCOP-ClaimSetup"}}]},{"text":"). If you want to use the example files directly (unlikely), you can copy them elsewhere and make use of them as you see fit.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Key Generation","type":"text"}]},{"type":"paragraph","content":[{"text":"The OP plugin supports keys in the JWK format as well as the more typical PEM format. There are some advantages to using the JWK format in optimizing which keys are tried in certain cases. There is no particular advantage to reusing any existing keys your IdP may be using, but you can if you prefer to do so.","type":"text"}]},{"type":"paragraph","content":[{"text":"The default configuration expects to have two RSA keys (one for signing and one for decryption), and one EC key. They are expected to be in locations defined via the following properties (with the shipping defaults shown):","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.signing.oidc.rs.key","type":"text","marks":[{"type":"strong"}]},{"text":" - %{idp.home}/credentials/idp-signing-rs.jwk","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.signing.oidc.es.key","type":"text","marks":[{"type":"strong"}]},{"text":" -%{idp.home}/credentials/idp-signing-es.jwk","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"idp.signing.oidc.rsa.enc.key","type":"text","marks":[{"type":"strong"}]},{"text":" - %{idp.home}/credentials/idp-encryption-rsa.jwk","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Keys may be generated using the provided wrappers, in ","type":"text"},{"text":"bin/jwtgen.sh","type":"text","marks":[{"type":"em"}]},{"text":" and ","type":"text"},{"text":"bin/jwtgen.bat","type":"text","marks":[{"type":"em"}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Key Generation Example","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"$ cd /opt/shibboleth-idp\n$ bin/jwtgen.sh -t RSA -s 2048 -u sig -i defaultRSASign | tail -n +2 > credentials/idp-signing-rs.jwk\n$ bin/jwtgen.sh\t-t EC -c P-256 -u sig -i defaultECSign | tail -n +2 > credentials/idp-signing-es.jwk\n$ bin/jwtgen.sh\t-t RSA -s 2048 -u enc -i defaultRSAEnc | tail -n +2 > credentials/idp-encryption-rsa.jwk","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"OIDC Issuer and Discovery","type":"text"}]},{"type":"paragraph","content":[{"text":"The OIDC \"issuer\" value needs to be determined, and the OpenID discovery document needs to be made accessible.","type":"text"}]},{"type":"paragraph","content":[{"text":"The issuer value is set in ","type":"text"},{"text":"conf/oidc.properties","type":"text","marks":[{"type":"em"}]},{"text":" and must be a URL using the \"https\" scheme that contains host, and optionally, port number and path components and no query or fragment components. It generally must resolve to the root of the deployment in question. As a result, while it may be the same as one's SAML entityID, it often cannot be, as SAML does not conflate identity and location in this fashion.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/oidc.properties","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","content":[{"text":"idp.oidc.issuer = https://your.issuer.example.org","type":"text"}]},{"type":"paragraph","content":[{"text":"A common way for clients to configure themselves against an OP is to read the openid-configuration resource as defined in ","type":"text"},{"text":"https://openid.net/specs/openid-connect-discovery-1_0.html","type":"text","marks":[{"type":"link","attrs":{"href":"https://openid.net/specs/openid-connect-discovery-1_0.html"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"A template for this file is created in ","type":"text"},{"text":"static/openid-configuration.json. ","type":"text","marks":[{"type":"em"}]},{"text":"You will need to update it to match your configuration. At minimum this means replacing \"{{ service_name }}\" with the host portion of your issuer value.","type":"text"}]},{"type":"paragraph","content":[{"text":"In order for clients to locate the file, you will either have to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure your Java container or other web server \"front-end\" to publish it at this exact location (obviously the prefix depends on your issuer value):","type":"text"}]}]}]},{"type":"paragraph","marks":[{"type":"indentation","attrs":{"level":1}}],"content":[{"text":"https://your.issuer.example.org/.well-known/openid-configuration","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Or (more typically), configure that location to route into your IdP at ","type":"text"},{"text":"/idp/profile/oidc/configuration","type":"text","marks":[{"type":"code"}]},{"text":" to generate the document more dynamically.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"OPDiscovery","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879256"}}]},{"text":" topic describes this further.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enabling Profiles","type":"text"}]},{"type":"paragraph","content":[{"text":"Activating support for OIDC, as with other protocols supported, requires adjusting the ","type":"text"},{"text":"RelyingPartyConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration"}}]},{"text":" in ","type":"text"},{"text":"conf/relying-party.xml","type":"text","marks":[{"type":"em"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"One of the profiles (the one that advertises keys) needs to be openly accessible:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/relying-party.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\t\n\t\t\t\n\t\t\n\t\n","type":"text"}]},{"type":"paragraph","content":[{"text":"The rest are functional profiles that may be enabled more selectively but would normally be enabled by default:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/relying-party.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\t\n\t\t\t\n\t\t\t\n \n\t\t\t\n\t\t\t\n\t\t\n\t\n","type":"text"}]},{"type":"paragraph","content":[{"text":"Obviously this relies on a lot of defaulted behavior, but the full documentation includes more detailed information about how to adjust profile settings.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Claim Setup","type":"text"}]},{"type":"paragraph","content":[{"text":"Attributes in OIDC are termed claims, but the IdP treats them just as in other protocols, with the usual ","type":"text"},{"text":"resolution","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879159"}}]},{"text":" and ","type":"text"},{"text":"filtering","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879193"}}]},{"text":" approaches. You will need to reference that documentation early on in the testing process and you will also want to take some care regarding ","type":"text"},{"text":"the \"sub\" claim","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879208"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Example RP","type":"text"}]},{"type":"paragraph","content":[{"text":"For initial testing, it's helpful to start simple and add an example RP by hand. There are several different ways of managing RP registration data, but for a quick test, the simplest is to add some static JSON to the system to define a test system.","type":"text"}]},{"type":"paragraph","content":[{"text":"There are some commented options in ","type":"text"},{"text":"conf/oidc-clientinfo-resolvers.xml","type":"text","marks":[{"type":"em"}]},{"text":" that can be uncommented to supply an example JSON file to load:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"conf/oidc-clientinfo-resolvers.xml","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n\t\t\n \n\n \n \n\n \n ","type":"text"}]},{"type":"paragraph","content":[{"text":"This in turn allows you to statically define a JSON array of client registrations in a file:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"metadata/oidc-client.json","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"javascript"},"content":[{"text":"[\n {\n \"scope\":\"openid email\",\n \"redirect_uris\":[\"https://demorp.example.org/redirect_uri\"],\n \"client_id\":\"demo_rp\",\n \"client_secret\":\"topsecret\",\n \"response_types\":[\"code\"],\n \"grant_types\":[\"authorization_code\"]\n }\n]","type":"text"}]},{"type":"paragraph","content":[{"text":"You will of course need to adjust the JSON to match the client you are testing, for which the ","type":"text"},{"text":"documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879133/OPMetadataClientRegistration#JSON-Format"}}]},{"text":" should help.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Full Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Please refer to the topics below for more detailed information on different aspects of the extension.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client Registration (","type":"text"},{"text":"Metadata","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879133"}}]},{"text":" and ","type":"text"},{"text":"Dynamic","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879077"}}]},{"text":")","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client Resolution","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879144"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"User Authentication","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879155"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client Authentication","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2930409507"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Attribute/Claims Resolution","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879159"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The \"sub\" Claim","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879208"}}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Attribute Filtering","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879193"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Security Configuration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879249"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Profile Configuration","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879261"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OP Discovery","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879256"}}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Use Cases","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Client Credentials Grant","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2930606124"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Authorization Code Affinity","type":"text","marks":[{"type":"link","attrs":{"href":"https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2936078374"}}]}]}]}]}],"version":1}

Browser not supported