
External oAuth / OpenID Identity Providers

Introduction

An Identity Broker is often part of a Single Sign-On architecture as an intermediary service that connects multiple Service Providers with different Identity Providers (IdPs).

Soffid IdP can act as an identity broker. This means that Soffid IdP can rely on third-party identity providers to identify users. A Soffid federation can be composed of a mix of SAML and oAuth / OpenID Connect servers. In such a scenario, Soffid IdP is able to let users be identified by oAuth servers like LinkedIn, Google or Facebook, perform all the provisioning tasks required and send back a SAML assertion to the service provider requiring user authentication.

image-1636445769625.png

To act as an identity broker, the External SAML identity provider option must be enabled on the Authentication page. You can visit the Authentication page for more info.

Data flow

The following diagram shows the resulting data flow between the end user, your application, the identity provider and Soffid web services:

    Data flow steps

    1. Web browser requests a protected web application resource.

    2. Web application builds a SAML authentication request and forwards it to Soffid IdP.

    3. Soffid IdP receives the SAML authentication request and validates it. A user name and password page is presented. This page can optionally contain a set of links to third-party identification servers.

    If the user clicks on a third-party identification server link, or the typed-in user name is expected to be authenticated by a third-party IdP, Soffid IdP acts as a Service Provider and an authentication request is forwarded to that IdP. The authentication request format depends on the protocol required by the third-party IdP.

    4. The third-party IdP receives the authentication request and presents the user its user name and password page.

    5. The user fills in the user name and password form.

    6. The third-party IdP builds an authentication response that is forwarded to Soffid IdP. This response can contain a SAML assertion or an oAuth authorization token.

    7. Soffid IdP parses and validates the received response:

    7.1. For SAML responses, the assertion is validated and identity attributes are extracted.

    7.2. For oAuth responses, the authorization token is used to get a session token. Next, the session token is used to fetch user attributes from the external IdP.

    7.3. For OpenID Connect responses, the authorization token is used to get a session token along with the OpenID token received. The OpenID token is parsed as a JWT token, and each claimed attribute is parsed.

    8. Soffid IdP finds the identity owner of the external identity. If no identity is found, depending on Soffid IdP configuration, it can automatically create a Soffid identity based on the received attributes.

    9. Finally, Soffid IdP issues a SAML assertion containing Soffid identity attributes.

External oAuth / OpenID provider descriptor

To create an external oAuth identity provider, you can choose the IdP type from a list of popular sites, like Google or Facebook, or write your own descriptor.

The descriptor should follow the OpenID Connect discovery JSON document format. Most parameters are optional, but these are required:

  • authorization_endpoint: contains the oAuth endpoint the user is forwarded to in order to get the authorization token.

  • token_endpoint: contains the oAuth endpoint used to get the access token, based on the authorization token got at the previous step.

  • userinfo_endpoint: if the remote IdP is OpenID Connect compliant, the token endpoint should have sent an access token along with a JWT OpenID token containing the user claims. If this is not the case, Soffid will use this userinfo endpoint to fetch the user claims. This mechanism is needed for plain oAuth2 servers.

  • scopes_supported: the list of scopes specified here will be used at the first step, when redirecting the user to the authorization endpoint.

Next, you must register Soffid IdP with your oAuth server. After registering, you will get an oAuthKey (some kind of user name) and an oAuthSecret (some kind of password). To register Soffid IdP, your oAuth server will require you to specify the redirection endpoint. This redirection endpoint refers to your Soffid IdP and will receive the authorization token generated by the oAuth server.

If your Soffid IdP is listening at https://idp.yourdomain.com:2443/, your redirection endpoint will be https://idp.yourdomain.com:2443/oauthResponse

As an example, here you have some links to get your oAuth keys and secrets for Google, Facebook and LinkedIn.

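The following Python sketch is an added example and is not Soffid code or part of the Soffid documentation; it walks the broker side of the flow the page describes (check the descriptor's required fields, redirect to authorization_endpoint with scopes_supported, accept the authorization token on /oauthResponse, exchange it at token_endpoint, then take the user claims from the OpenID token or fall back to userinfo_endpoint). The descriptor, the provider URLs under example.test and the oAuthKey/oAuthSecret values are constructed and hypothetical; the redirect endpoint is the one from the page. The OpenID token is verified as an HS256 JWT keyed with the client secret (which OpenID Connect Core permits) and its iss, aud and exp are checked before any claim is used; a provider such as Google signs with RS256, where you would verify against its jwks_uri instead. That verification step is this example's choice, not a description of what Soffid does internally.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed sample descriptor for a hypothetical provider (not a real site).
# It carries the four fields the page lists as required, plus the issuer used
# to check the OpenID token.
DESCRIPTOR = {
    "issuer": "https://oauth.example.test",
    "authorization_endpoint": "https://oauth.example.test/authorize",
    "token_endpoint": "https://oauth.example.test/token",
    "userinfo_endpoint": "https://oauth.example.test/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
}
REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "scopes_supported")

# Hypothetical values of what the page calls oAuthKey / oAuthSecret, obtained at registration.
OAUTH_KEY = "soffid-idp"
OAUTH_SECRET = "s3cr3t-from-registration"
REDIRECT_URI = "https://idp.yourdomain.com:2443/oauthResponse"


def check_descriptor(desc):
    """Return the required discovery fields that are missing or empty."""
    return [k for k in REQUIRED if not desc.get(k)]


def build_authorization_url(desc, state):
    """First step: redirect the user to authorization_endpoint asking for scopes_supported.
    'state' is a per-session random value that is checked again on the callback."""
    params = {"response_type": "code", "client_id": OAUTH_KEY, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(desc["scopes_supported"]), "state": state}
    return desc["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(query, expected_state):
    """Redirect back to /oauthResponse: accept the authorization token (code) only if the
    state matches the one stored in the user's session (binds the callback to the session)."""
    if not hmac.compare_digest(query.get("state", ""), expected_state) or not query.get("code"):
        return None
    return query["code"]


def build_token_request(desc, code):
    """Second step: form body posted to token_endpoint to swap the code for an access token."""
    return desc["token_endpoint"], {"grant_type": "authorization_code", "code": code,
                                    "redirect_uri": REDIRECT_URI, "client_id": OAUTH_KEY,
                                    "client_secret": OAUTH_SECRET}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_id_token(id_token, desc, now=None):
    """Verify an HS256 OpenID token (key = client secret) and check iss, aud and exp.
    Returns the claims, or None; claims are never used before this succeeds."""
    try:
        h, p, sig = id_token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # rejects alg=none and anything unexpected
        return None
    expected = hmac.new(OAUTH_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    aud = claims.get("aud")
    aud_ok = aud == OAUTH_KEY or (isinstance(aud, list) and OAUTH_KEY in aud)
    if claims.get("iss") != desc["issuer"] or not aud_ok:
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def resolve_claims(token_response, desc, now=None):
    """Third step: where the user claims come from. OpenID Connect provider: the verified
    OpenID token. Plain oAuth2 provider (no id_token): the caller must GET userinfo_endpoint
    with the access token, signalled here as ("userinfo", url, access_token)."""
    id_token = token_response.get("id_token")
    if id_token is None:
        return ("userinfo", desc["userinfo_endpoint"], token_response["access_token"])
    claims = verify_id_token(id_token, desc, now)
    return ("id_token", claims) if claims is not None else ("reject", None)


def make_sample_id_token(claims, secret=OAUTH_SECRET, alg="HS256"):
    """Provider side, used only to construct sample input for this example."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

Two points worth keeping from this sketch when reviewing any broker deployment: the state value must be generated per session and compared on /oauthResponse, otherwise an attacker can complete the exchange with a code of their own and log the victim into the attacker's external account; and when an id_token is present but fails verification the login is rejected rather than silently falling back to userinfo_endpoint, so a tampered token cannot downgrade the check.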
https://ldapwiki.com/wiki/Identity%20Broker