
OIDC.SSO

Scott Cantor edited this page Feb 19, 2021 · 40 revisions

Overview

The OIDC.SSO profile configuration bean enables support for the OIDC authorization and token endpoints.

File(s): conf/relying-party.xml

Activation

The following example enables this profile so that RPs can use this server's /idp/profile/oidc/authorize endpoint. Add it to conf/relying-party.xml.

<bean id="shibboleth.DefaultRelyingParty" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            ...
            <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" />
            ...
        </list>
    </property>
</bean>

Common Configuration

  • securityConfiguration of type SecurityConfiguration defaulting to a bean shibboleth.oidc.DefaultSecurityConfiguration.

  • postAuthenticationFlows of type List<String>. Ordered list of profile interceptor flows to run after successful authentication.

  • defaultAuthenticationMethods of type List<Principal>. Ordered list of Java Principals to be used to select appropriate login flow(s) to attempt, in the event that a relying party does not signal a preference.

  • tokenEndpointAuthMethods of type Collection<String>. The supported token_endpoint_auth_method values for this profile, given as a comma-separated list. Default: client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt. The default can be changed with the idp.oidc.tokenEndpointAuthMethods property.

Even though the following options are not (yet) supported by OIDC.SSO, the client's registration data is still respected: limiting the response or grant types enabled in a client's registration also limits the options available for running OIDC.SSO successfully.

  • authorizationCodeFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable authorization code flow.

  • hybridFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable hybrid flow.

  • implicitFlowEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable implicit flow.

  • refreshTokensEnabled of type Predicate<ProfileRequestContext> defaulting to true. Whether to enable refresh token support.
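The tokenEndpointAuthMethods option and the note on registration data above describe two checks the OP applies to every token-endpoint call: the method the client actually used must be in the profile's list, and it must be the method the client registered. The following Python is an added example (not Shibboleth IdP code) that works through both checks and verifies the shared-secret methods, including a client_secret_jwt assertion built and checked with HMAC; the request/metadata dictionary shapes, function names and the sample client metadata are assumptions, and private_key_jwt is only classified, not verified, because it needs the client's JWKS.

```python
"""Added example (not Shibboleth IdP code): how an OP decides whether the
client authentication on a token-endpoint request is acceptable under a
profile's tokenEndpointAuthMethods list and the client's registered
token_endpoint_auth_method.  Request and metadata shapes are assumptions."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Default of idp.oidc.tokenEndpointAuthMethods as documented on this page
DEFAULT_METHODS = ("client_secret_basic", "client_secret_post",
                   "client_secret_jwt", "private_key_jwt")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(client_id: str, secret: str) -> dict:
    """Client side: HTTP Basic header for client_secret_basic (RFC 6749 2.3.1 encodes both parts)."""
    token = base64.b64encode(f"{quote(client_id)}:{quote(secret)}".encode()).decode()
    return {"Authorization": "Basic " + token}


def detect_auth_method(headers: dict, form: dict) -> str:
    """Classify the request by the token_endpoint_auth_method it actually uses."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in form:
        return "client_secret_post"
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        header = json.loads(b64url_decode(form["client_assertion"].split(".")[0]))
        # HS* = MAC with the shared secret; anything else is an asymmetric key
        return "client_secret_jwt" if str(header.get("alg", "")).startswith("HS") else "private_key_jwt"
    return "none"


def make_client_secret_jwt(client_id: str, secret: str, token_endpoint: str, now: int, ttl: int = 60) -> str:
    """Client side: HS256 assertion for client_secret_jwt (RFC 7523 claim set)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl,
              "jti": hashlib.sha256(f"{client_id}:{now}".encode()).hexdigest()}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_client_secret_jwt(assertion: str, client_id: str, secret: str, token_endpoint: str, now: int) -> bool:
    """OP side: pin the algorithm, check the MAC, then check the claims."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return False
    if json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        return False  # never let the token choose the algorithm
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return False
    c = json.loads(b64url_decode(parts[1]))
    return (c.get("iss") == client_id and c.get("sub") == client_id
            and c.get("aud") == token_endpoint
            and isinstance(c.get("exp"), int) and c["exp"] > now)


def authenticate_token_request(profile_methods, client: dict, headers: dict, form: dict,
                               token_endpoint: str, now: int) -> tuple:
    """Return (accepted, reason). `client` is constructed registration metadata
    with client_id, client_secret and token_endpoint_auth_method."""
    used = detect_auth_method(headers, form)
    if used not in profile_methods:
        return False, f"{used} is not enabled by tokenEndpointAuthMethods"
    if used != client["token_endpoint_auth_method"]:
        return False, f"client registered {client['token_endpoint_auth_method']} but used {used}"
    cid = client["client_id"]
    if used == "none":
        return form.get("client_id") == cid, "public client, no credential checked"
    if used == "client_secret_basic":
        raw = base64.b64decode(headers["Authorization"][6:]).decode()
        user, _, pw = raw.partition(":")
        ok = unquote(user) == cid and hmac.compare_digest(unquote(pw), client["client_secret"])
        return ok, used
    if used == "client_secret_post":
        ok = form.get("client_id") == cid and hmac.compare_digest(form["client_secret"], client["client_secret"])
        return ok, used
    if used == "client_secret_jwt":
        return verify_client_secret_jwt(form["client_assertion"], cid, client["client_secret"], token_endpoint, now), used
    return False, "private_key_jwt needs the client's JWKS; not implemented in this example"
```

Note that a public client (registered token_endpoint_auth_method none) is rejected under the default method list even though its registration is valid; the profile list and the registration must both permit the method, which is the combination the per-RP override in the case example below this page sets up.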

OIDC.SSO Configuration

  • authorizeCodeLifetime of type Duration. Defaults to PT5M, which can be configured with the idp.oidc.authorizeCode.defaultLifetime property.

  • accessTokenLifetime of type Duration. Defaults to PT10M which can be configured with idp.oidc.accessToken.defaultLifetime -property.

  • iDTokenLifetime of type Duration. Defaults to PT1H which can be configured with idp.oidc.idToken.defaultLifetime -property.

  • refreshTokenLifetime of type Duration. Defaults to PT2H which can be configured with idp.oidc.refreshToken.defaultLifetime -property.

  • additionalAudiencesForIdToken of type Collection<String>. A comma-separated list of additional values to include in the ID token's aud claim. Empty by default.

  • acrRequestAlwaysEssential of type Boolean defaulting to false. Whether to treat all acr claim requests as essential requests.

  • forcePKCE (since v1.1.0) of type Boolean defaulting to false. Whether to require the use of PKCE. The default can be changed with idp.oidc.forcePKCE -property.

  • allowPKCEPlain (since v1.1.0) of type Boolean defaulting to false. Whether to allow the plain code challenge method. The default can be changed with the idp.oidc.allowPKCEPlain property. Leave this false unless a client genuinely cannot compute S256: with plain, the code_verifier is the code_challenge itself, so anyone who observed the authorization request can redeem a stolen authorization code.

Case example: Force PKCE and allow unauthenticated token endpoint calls for one RP

1. Profile configuration

The following example in conf/relying-party.xml forces PKCE and allows token_endpoint_auth_method none (an unauthenticated token endpoint call) for the RP whose client_id is examplePKCEClient.

<bean id="shibboleth.DefaultRelyingParty" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            ...
            <bean parent="OIDC.SSO" p:postAuthenticationFlows="attribute-release" />
            ...
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="examplePKCEClient" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction">
        <property name="profileConfigurations">
             <list>
                 <bean parent="OIDC.SSO" p:forcePKCE="true" p:tokenEndpointAuthMethods="none" />
             </list>
        </property>
    </bean>
    ...
</util:list>

2. Client metadata

The following client metadata registers none as the token_endpoint_auth_method for examplePKCEClient; the profile override and the registration must both allow it:

{
    "client_id" : "examplePKCEClient",
    ...
    "token_endpoint_auth_method":"none"
}
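The forcePKCE and allowPKCEPlain options above, and the case example that forces PKCE for a public client, amount to two decisions: what the authorize endpoint accepts in the request, and what the token endpoint requires when the code is redeemed. The following Python is an added example (not Shibboleth IdP code) that models both checks with constructed inputs and shows concretely why a public client should be held to S256: an attacker who saw the authorization request can pass the token-endpoint check under plain but not under S256. Function names, the (accepted, error) return shape and the sample parameters are assumptions.

```python
"""Added example (not Shibboleth IdP code): the PKCE checks that forcePKCE
and allowPKCEPlain govern, and why the plain method is weaker.  Function
names and the (accepted, error) return shape are assumptions."""
import base64
import hashlib
import re
import secrets

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character code_verifier."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str) -> str:
    """Client side: derive the code_challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def check_authorization_request(params: dict, force_pkce: bool, allow_plain: bool) -> tuple:
    """OP authorize endpoint: returns (accepted, OAuth error code or None).

    force_pkce  models forcePKCE: a request without code_challenge is refused.
    allow_plain models allowPKCEPlain: the plain method is refused unless true.
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default when absent
    if challenge is None:
        return (False, "invalid_request") if force_pkce else (True, None)
    if method not in ("plain", "S256"):
        return False, "invalid_request"
    if method == "plain" and not allow_plain:
        return False, "invalid_request"
    return True, None


def verify_code_verifier(stored_challenge: str, stored_method: str, verifier) -> bool:
    """OP token endpoint: compare the presented verifier with the challenge
    that was bound to the authorization code when it was issued."""
    if verifier is None or not VERIFIER_RE.match(verifier):
        return False
    derived = make_code_challenge(verifier, stored_method)
    return secrets.compare_digest(derived.encode(), stored_challenge.encode())


def attacker_redeems_with_observed_challenge(method: str) -> bool:
    """Model an attacker who saw the authorization request (proxy log, referer,
    browser history) and also stole the code: can they pass the token-endpoint
    check using only the observed code_challenge as their verifier?"""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    return verify_code_verifier(challenge, method, challenge)
```

In the constructed scenario the attacker succeeds with plain and fails with S256, which is the reason the per-RP override in the case example sets forcePKCE="true" while leaving allowPKCEPlain at its default of false.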
