OPProfileConfiguration

File(s): conf/relying-party.xml, conf/oidc.properties
Format: Native Spring, Spring Properties

Overview

As with SAML and CAS, there are many different profile flows that make up the functionality of the OIDC plugin. Each flow is independently enabled/disabled with a bean added to a relying party definition's profileConfigurations collection, though in practice most of the time they will be enabled en masse.

Some of the profiles by design only function in an "anonymous" fashion, so must be added to the shibboleth.UnverifiedRelyingParty bean:

The first two (dynamic registration and OP discovery) are defined elsewhere. The Keyset profile bean enables the publishing of the OP's credentials as keysets.It has no special settings, but does rely on various beans you can define in conf/oidc-credentials.xml to control which credentials are published, which are mentioned on the https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376879249 page.

The other profiles supported are typically added to the shibboleth.DefaultRelyingParty bean (but may in some cases also be enabled for unverified use), and may be further customized within overrides:

Older installs that do not contain the Token profile configuration bean should generally be updated to include it, as there may come a time when this is required.

Note that all of these beans are also available with ".MDDriven" suffixes in the same fashion described in https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631679 (this is specific of course to the use of SAML metadata for managing clients). This is only of use for the latter flows since unverified flows by definition can't have any RP metadata associated to supply behavior. For use with this feature, the following profile URIs are associated with these profiles in constructing tag names:

Bean

Profile URI

Bean

Profile URI

OIDC.SSO

http://shibboleth.net/ns/profiles/oidc/sso/browser

OAUTH2.Token

http://shibboleth.net/ns/profiles/oauth2/token

OAUTH2.TokenAudience

http://shibboleth.net/ns/profiles/oauth2/token/audience

OIDC.UserInfo

http://shibboleth.net/ns/profiles/oidc/userinfo

OAUTH2.Revocation

http://shibboleth.net/ns/profiles/oauth2/revocation

OAUTH2.Introspection

http://shibboleth.net/ns/profiles/oauth2/introspection

OIDC.Logout

http://shibboleth.net/ns/profiles/oidc/logout