External oAuth / OpenID Identity Providers

Introduction

Soffid federation can be composed by a mix of SAML and oAuth / OpenID-connect servers. In such a scenario, Soffid IdP is able to let users be identified by oAuth servers like Linked-in, Google or Facebook, perform all the provision tasks required and send back a SAML assertion to the service provider requiring user authentication.

To create an external oAuth identity provider, you can choose the Idp type from a list of popular sites, like Google or Facebook, or write you own descriptor.

The descriptor should follow the OpenID connect discovery JSON document. Most parameters are optional, but these are required:

authorization_endpoint: contains the oAuth endpoint to forward the user to get the authorization token.
token_endpoint: contains the oAuth endpoint to get the access token, based on the authorization token got at previous step.
userinfo_endpoint: if remote IdP is OpenID-connect compliant, the token endpoint should have sent an access token along a JWT OpenID token containing user claims. If this is not the case, Soffid will use this user_info endpoint to fetch user claims. This mechanism is needed for oAuth2 servers.
scopes_sopported: The list of scopes specified here will be used at first step, when redirecting the user to the authorization endpoint.

Next, you must register Soffid IdP with your oAuth server. After registering, you will get a oAuthKey (some kind of username) and an oAuthSecret (some kind of password). To register Soffid IdP, your oAuth server will require you to specify the redirection endpoint. This redirection endpoint refers to your Soffid IdP and will receive the authorization token generated by the oAuth server.

If your Soffid IdP is listening to https://idp.yourdomain.com:2443/, your redirection endpoint will be https://idp.yourdomain.com:2443/oauthResponse

As an example, here you have some links to get your oAuth keys and secrets for Google, Facebook and Linkedin.

SAML (Security Assertion Markup Language)

SAML architecture

SAML Example

OpenID-Connect

OpenID-Connect architecture

OpenID-Connect example

CAS (Central Authentication Service)

CAS architecture

CAS Example

Radius (Remote Authentication Dial-In User Service)

Radius architecture

Radius Example

TACACS+ (The Terminal Access Controller Access-Control System Plus)

TACACS+ architecture

TACACS+ Example

WS-Fed

WS-Fed Architecture

WS-Fed Example

⏰ Getting started

Attribute definition

Attribute sharing policies

Identity & Service providers

Shared signals & events members

Entity Group

Identity Provider

Service Provider

Virtual Identity Provider

Profiles

OpenIDProfile

SAML1ArtifactResolutionProfile

SAML1AttributeQueryProfile

SAML2ArtifactResolutionProfile

SAML2AttributeQueryProfile

SAML2ECPProfile

SAML2SSOProfile

CAS

Radius

How to deploy the identity & service provider

Change Password URL

How to perform unsolicited login

Connecting an OpenID Connect service

Connecting a SAML service

Connecting Soffid console

Connecting your custom applications

Openid-connect to SAML interoperability

Openid-connect Dynamic Register

Connecting CAS client

Connecting Tacacs+

Connecting Radius client

validate-domain

validate-credentials

expire-session

generate-saml-request

parse-saml-response

generate-saml-logout-request

Soffid IdP as an identity broker

External oAuth / OpenID Identity Providers

External oAuth / OpenID Identity Providers

Introduction