OPProfileConfiguration

File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties

Overview

As with SAML and CAS, there are many different profile flows that make up the functionality of the OIDC plugin. Each flow is independently enabled/disabled with a bean added to a relying party definition's profileConfigurations collection, though in practice most of the time they will be enabled en masse.

Some of the profiles by design only function in an "anonymous" fashion, so must be added to the shibboleth.UnverifiedRelyingParty bean:

The first two (dynamic registration and OP discovery) are defined elsewhere. The Keyset profile bean enables the publishing of the OP's credentials as keysets. It has no special settings, but does rely on various beans you can define in conf/oidc-credentials.xml to control which credentials are published; those beans are described on the OPSecurity page.

The other profiles supported are typically added to the shibboleth.DefaultRelyingParty bean (but may in some cases also be enabled for unverified use), and may be further customized within overrides:

Older installs that do not contain the Token profile configuration bean should generally be updated to include it, as there may come a time when this is required.

Note that all of these beans are also available with ".MDDriven" suffixes in the same fashion described in MetadataDrivenConfiguration (this is specific, of course, to the use of SAML metadata for managing clients). This is only of use for the latter flows, since unverified flows by definition have no RP metadata associated with them from which to supply behavior. For use with this feature, the following profile URIs are associated with these profiles in constructing tag names:

Bean                    Profile URI
OIDC.SSO                http://shibboleth.net/ns/profiles/oidc/sso/browser
OAUTH2.Token            http://shibboleth.net/ns/profiles/oauth2/token
OAUTH2.TokenAudience    http://shibboleth.net/ns/profiles/oauth2/token/audience
OIDC.UserInfo           http://shibboleth.net/ns/profiles/oidc/userinfo
OAUTH2.Revocation       http://shibboleth.net/ns/profiles/oauth2/revocation
OAUTH2.Introspection    http://shibboleth.net/ns/profiles/oauth2/introspection
OIDC.Logout             http://shibboleth.net/ns/profiles/oidc/logout
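As an added illustration (not taken from the plugin's own distribution files), the following conf/relying-party.xml fragment shows the pattern described above: the profile beans from the table are enabled en masse on shibboleth.DefaultRelyingParty, and a per-client override narrows the set to only the flows that client is permitted to use. The client identifier https://client.example.org/ is a constructed placeholder; the bean names and the ".MDDriven" variant are those named on this page, and the RelyingParty / RelyingPartyByName parent beans are the standard IdP conventions from the stock relying-party.xml.

```xml
<!-- Added example: default relying party enabling the verified OIDC/OAuth2 flows.
     Keep the list to the flows you actually operate; anything not listed here
     is refused for every client, which is the safest default. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <ref bean="OIDC.SSO" />
            <ref bean="OAUTH2.Token" />
            <ref bean="OAUTH2.TokenAudience" />
            <ref bean="OIDC.UserInfo" />
            <ref bean="OAUTH2.Revocation" />
            <ref bean="OAUTH2.Introspection" />
            <ref bean="OIDC.Logout" />
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Constructed client ID: this client only needs the browser SSO flow
         plus token issuance and UserInfo, so the other flows are withheld. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://client.example.org/">
        <property name="profileConfigurations">
            <list>
                <ref bean="OIDC.SSO" />
                <ref bean="OAUTH2.Token" />
                <ref bean="OIDC.UserInfo" />
            </list>
        </property>
    </bean>

    <!-- Where clients are managed through SAML metadata, the ".MDDriven"
         variants let per-client settings come from metadata tags built on the
         profile URIs listed in the table above (see MetadataDrivenConfiguration). -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://metadata-managed.example.org/">
        <property name="profileConfigurations">
            <list>
                <ref bean="OIDC.SSO.MDDriven" />
                <ref bean="OAUTH2.Token.MDDriven" />
                <ref bean="OIDC.UserInfo.MDDriven" />
            </list>
        </property>
    </bean>

</util:list>
```

Because an override replaces, rather than extends, the default collection, each override must list every flow the client should have; a flow omitted from the override is disabled for that client even though it is present on shibboleth.DefaultRelyingParty.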
